Free Republic

Trying to Remember New Passwords Isn't As Easy as ABC123
Wall Street Journal ^ | December 9, 2004 | SCOTT THURM and MYLENE MANGALINDAN

Posted on 12/12/2004 7:56:01 AM PST by MississippiMasterpiece

Before she begins work each morning, Kate Prior must enter eight computer passwords. Each must contain at least eight characters, and most require letters and numbers. Every three months, she must change them all.

How does the 28-year-old monitor of drug trials remember her passwords? Easy: They're written on a blue Post-It note affixed to her computer.

Ms. Prior knows that her display threatens to undermine the very security that passwords are supposed to promote. "The IT people yell at me," she says, referring to her company's information-technology staff. But she prefers the occasional scolding to the alternative: forgetting a password, guessing incorrectly three times, and then having to call for help.

Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now, those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.

The law, enacted in 2002 in the wake of accounting scandals at Enron Corp. and elsewhere, created an oversight body for audit firms, stiffened penalties for fraud, and required auditors to certify that firms have adopted adequate "internal controls" to prevent fraud.

No matter that Sarbanes-Oxley doesn't actually require changing passwords: In the name of those "internal controls," auditors and consultants are prodding companies to require that employees pick tougher passwords, and change them more frequently.

But the zeal for impenetrable computer systems rubs up against the limits of human systems. To cope with repeated changes to multiple passwords, many users adopt strategies that actually thwart security.

Roughly three-fourths of computer users memorize their passwords, according to a study done for the computer-security concern Symantec Corp.

(Excerpt) Read more at online.wsj.com ...


TOPICS: Business/Economy; Culture/Society; News/Current Events
KEYWORDS: computersecurity

1 posted on 12/12/2004 7:56:01 AM PST by MississippiMasterpiece

To: MississippiMasterpiece
I have an easy formula for remembering my passwords that involve the current season and sets of numbers that tie into them that make sense only to me. Since passwords have to be changed every 90 days in most cases, all I have to do is know the season and the numbers fall into place.

It's been years since I forgot a password.

2 posted on 12/12/2004 8:02:22 AM PST by SamAdams76 (No intolerant liberal is going to take my Christmas away from me)

To: MississippiMasterpiece

One simple solution would be to use the same password and top it off with the month and year; MyPassWord1204


3 posted on 12/12/2004 8:02:26 AM PST by ElkGroveDan

To: MississippiMasterpiece

>>>>Roughly three-fourths of computer users memorize their passwords, according to a study done for the computer-security concern Symantec Corp.

Where are these users? I assure you, none have ever been my customers :(


4 posted on 12/12/2004 8:03:25 AM PST by Calpernia (Breederville.com)

To: MississippiMasterpiece

To cope with repeated changes to multiple passwords, many users adopt strategies that actually thwart security.

I've hidden it so well not even I can find it. ;-)


5 posted on 12/12/2004 8:07:34 AM PST by EBH (A very proud Aunt of a US Marine in Fallujah)

To: EBH

Actually, the best solution I have found is using RSA's SecurID. Therefore, even if someone gets their pin, they would have to have the fob as well. Check it out on RSA's site. Works on all of our *nix stuff, and they finally have very good integration with windowsxp/2003 for easy login/management. All our workers have 1 "pin" and then fob, works great!


6 posted on 12/12/2004 8:09:48 AM PST by Dyvim

To: MississippiMasterpiece

I have a pretty good formula for creating seemingly random passwords:

Pick a phrase you know well, and use the first character of every word in that phrase in sequence. If you're on a system that recognizes case-sensitivity, then you can alternate the case.

I usually follow that with some combination of year/date denoted by periods.

It's a lot easier than my description sounds.

For example, the Gettysburg address;

Four score and seven years ago our fathers...

becomes

fsasyaof.2004.

or better

FsAsYaOf.2004 (it's easy to type with a little practice)

You can use bible verses, famous phrases, etc.

Works for me.


7 posted on 12/12/2004 8:14:38 AM PST by babyface00

To: ElkGroveDan

Ha, at my former job, the password program would not let any sequence from the last 14 passwords be used in a new password even if parts of it were changed. Before they implemented this I liked to just flip flop back and forth between passwords I remembered.

But here is an idea that might work, use names of people you know enough to remember, might be last names in the computer, first names in the notebook. (Can't have a Rolodex on your desk for this one.) After the name continue with the area code and zip of the person. Next time, select a new person and look up area code and zip. Thus "George" might be a clue to the password: Bush20220500


8 posted on 12/12/2004 8:18:46 AM PST by KC_for_Freedom (Sailing the highways of America, and loving it.)
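
The history rule described in post 8 (no sequence from the last 14 passwords may reappear in a new one), sketched as an added example that is not part of the thread or of any product's code. The minimum sequence length of 4 and the names `shared_sequence` and `PasswordHistory` are assumptions; the sample passwords are the forms quoted in posts 3 and 7.

```python
from collections import deque

HISTORY_DEPTH = 14  # from the post: the last 14 passwords are checked
MIN_SEQUENCE = 4    # assumption: the post gives no minimum sequence length


def shared_sequence(old, new, min_len=MIN_SEQUENCE):
    """Longest case-insensitive run common to both passwords.

    Returns the run as it appears in `old`, or "" if it is shorter than min_len.
    """
    a, b = old.lower(), new.lower()
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1  # extend the run ending one char earlier
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return old[best_end - best_len:best_end] if best_len >= min_len else ""


class PasswordHistory:
    """Hypothetical history check: keeps the last HISTORY_DEPTH passwords.

    Comparing substrings needs the old passwords in recoverable form, which
    is itself a storage risk; they are held in memory here for the example.
    """

    def __init__(self):
        self._previous = deque(maxlen=HISTORY_DEPTH)

    def change(self, new):
        """Return (accepted, offending_sequence) for a proposed password."""
        for old in self._previous:
            common = shared_sequence(old, new)
            if common:
                return False, common
        self._previous.append(new)
        return True, ""


if __name__ == "__main__":
    history = PasswordHistory()
    # Constructed sequence of changes, using password forms quoted in the thread.
    for candidate in ["MyPassWord1204", "MyPassWord0305", "fsasyaof.2004", "FsAsYaOf.2005"]:
        print(candidate, history.change(candidate))
```

A fixed base with a new date suffix, or the same initials with different capitalisation and year, is rejected because the unchanged run is longer than the threshold.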

To: SamAdams76
I have an easy formula for remembering my passwords

In our place this is a security breach. We have passwords generated by random password generators. Try remembering "V#3iQ4g\?"

9 posted on 12/12/2004 8:19:03 AM PST by AndyJackson

To: MississippiMasterpiece
I've always found keyboard "patterns" to be easier to remember.

Say like this: 1qazxsw2
If you type that out, you'll see the pattern.

When you have to change your password, just start with 2: 2wsxcde3

10 posted on 12/12/2004 8:24:22 AM PST by bikepacker67 ("This is the best election night in history." -- DNC chairman Terry McAuliffe 11/2/04 8pm)

To: babyface00


Thank you.
Your info is gold.


11 posted on 12/12/2004 8:27:52 AM PST by onyx (A BLESSED & MERRY CHRISTMAS TO ALL.)

To: bikepacker67


Another great idea!
Thanks.


12 posted on 12/12/2004 8:29:05 AM PST by onyx (A BLESSED & MERRY CHRISTMAS TO ALL.)

To: MississippiMasterpiece
Before she begins work each morning, Kate Prior must enter eight computer passwords. Each must contain at least eight characters, and most require letters and numbers. Every three months, she must change them all.

How does the 28-year-old monitor of drug trials remember her passwords? Easy: They're written on a blue Post-It note affixed to her computer.

I used to be the IT security enforcer where I worked. I would come in early in the morning before everyone else and rip the sticky notes off the monitors.

I gave computer security classes for users. My opening sentence was always, "The most top secret system is only as secure as the dumbest user."

If some serious hacker wants to gain access to any corporate computer system, just get a temp job with the night janitorial service.

13 posted on 12/12/2004 8:35:23 AM PST by Alouette ("Who is for the LORD, come with me!" -- Mattisyahu ben Yohanon, father of Judah Maccabee)

To: Alouette

>>>>I gave computer security classes for users. My opening sentence was always, "The most top secret system is only as secure as the dumbest user."

I love that line!!!! I'm far from a 'tech guru'; but I do think of myself in at least the 'super user' class. There are so many people out there who are far from technical... and they think computers are magic boxes.. I call it the magic box syndrome... hahahaha They think you turn on a computer and it will do magic things... Then when they mess up their system they pay some tech guy $80/hr to fix something that they could have easily fixed themselves if they had read the help files.

Then so many are what I call smooshed... they don't read at all... unless of course it's a cartoon... But in the long run these types are good for me.. hehehe.. because that's how I make money... (smile) So in a sense, it's a good thing... hehehehe

One of my clients has repeatedly emailed me with questions and the answers to those questions are right there in front of her eyes within her 'drop in storefront site' I built for her... I finally got tired of her asking me questions so I told her from now on... $5.00 per question... she learned real quick to print out the instructions, read and find the answers :)


14 posted on 12/12/2004 10:40:04 AM PST by Calpernia (Breederville.com)

To: MississippiMasterpiece

Why must she affix the post-it to the monitor? Why can't she store the note to herself and have a regular hiding place (even in her purse) for easy reference?


15 posted on 12/12/2004 10:45:56 AM PST by cyncooper

To: MississippiMasterpiece

I am kind of surprised that we don't use fingerprints. We have touch screen technology in common use. We could just put our thumb on the screen in the box and have it scanned.

John


16 posted on 12/12/2004 10:47:05 AM PST by jrfaug06

To: SamAdams76

Many companies are requiring a strong password. Minimum of 10 characters, including at least one upper case letter, one lower case letter, one number and one special character. Some don't allow any two of the same character. So you end up with something like A^2=sqr(B^2+C^2). Even if you remember it, it's easy to mistype it a couple of times in a row. Particularly before your third cup of coffee.


17 posted on 12/12/2004 10:52:46 AM PST by gitmo (Thanks, Mel. I needed that.)

To: jrfaug06
I am kind of surprised that we don't use fingerprints.

You win the prize. Biometric security is coming along. Yes, it is the obvious answer. Not perfect, but given the weakness of password security - it's not hard to improve.

18 posted on 12/12/2004 11:14:12 AM PST by D-fendr

To: MississippiMasterpiece

btttttttttt


19 posted on 12/12/2004 11:16:28 AM PST by dennisw (Help put the "Ch" back in Chanukah)

To: MississippiMasterpiece
Some security experts think the recommendations aren't tough enough. "All passwords can be broken within 45 to 60 days," says Carl Herberger, senior director of information security services for SunGard Availability Services. He recommends that companies force employers to change their passwords every month.

My question is... how many corporations *really* require this level of security? It's as if they're saying every physical security measure can be defeated in 45 days, so let's change the locks to the building every 30 days. It's crazy.

20 posted on 12/12/2004 11:21:49 AM PST by Terabitten (Live as a bastion of freedom and democracy in the midst of the heart of darkness.)

