Firms urged to tighten up access policies Half of us keep our passwords on Post-It notes and over a third of IT professionals say they could still access their company's network if they left their job. These are just some of the worrying findings of a survey released on Tuesday by Cyber-Ark Software, which carried out the research at last month's Infosecurity …
Late last year I opened a Canadian discount brokerage account. The rep typed in his 6 digit code while I watched. I commented that passwords should be at least 8 digits long. I thought he'd take the hint that I'd watched him type in his password. He replied 6 digits was the minimum allowable and he had to change it every three months so it was a bit of a chore to use more than 6 digits. Tellers at a credit union I use routinely type in their passwords open to my view. I guess it's a good thing the majority of Canadians earn a decent living and aren't tech savy.
People put their passwords on post-it notes because they have too many passwords to remember them all, or because their passwords aren't sufficiently memorable.
I don't know what the answer is, but it's *not* yet more passwords and it certainly isn't yet more complex passwords, and forbidding post-its only deals with the symptoms not the problem.
The only real answer is no passwords at all. But that requires some sort of "hardware" to act as a key, and that hardware can be stolen or copied.
On the other hand, nobody suggests that doors shouldn't have keys just because keys can be copied or stolen.
"...over 33 per cent of IT staff said they use administrative passwords to snoop around corporate systems. This snooping has the potential to turn ugly if IT workers feel disgruntled..."
Doesn't surprise me at all - I've been reading BOFH for years.
The average luser may not have any grasp on password security and usage but it is rather depressing that many sysadmins appear to know no better. Still, looking on the bright side, lusers' predictability and laxness makes it much easier to get into their email accounts and find out what they _really_ think about the IT Dept.
One place I used to work, the sysadmin's sidekick (a sort of proto-PFY but without the youthfulness, the charm and the good nature) used to come in half-an-hour early and have a rummage around colleagues' machines. So I set a boot password in the BIOS on mine. Knowing he'd simply open the box and jumper the BIOS back to default, I left a note - big letters in felt tip on A4 paper - inside the case saying "F**k off Dave, you arsehole, we all know what you're doing". OK, not the BOFH's level of revenge but what can ya do?
Because we continually force them to change them every 30, 60 or 90 days.
So coming up with a new set of passwords, that aren't dictionary words, are sufficiently long and contain different types of characters to be sufficiently complex - then forcing them to continually change them - is a crazy way to do security.
The best solution, which is of course expensive beyond belief, was the one that investment bankers use. The server itself continually changes each account's password every 15-20 minutes or so - then sends that password (encrypted of course) to a device much like a pager.
The pager-like device decrypts the password and the user enters it in.
Obviously there are flaws, obviously if you lose your pager thing then you're stuffed. Obviously you have to be trained not to leave it lying around on your desk - but it is the best solution I've seen.
The biometric thing doesn't work, in fact most of them are just glorified mini-scanners that can be fooled by a photo copy of a finger print. Not only that, but just about every one of them has a password override - in case someone breaks the fingerprint scanner or has all their fingers chopped off. Most actually state on the box they're not intended for high-security use.
The type that would work is considerably more expensive than the pager thing.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
