*Rant On* Silly IT Security Protocol

REMillers

*Drags soap box into the forum*
*Dusts it off, and steps up*

(pissed)

Ok, how many here have to deal with the non-stop IT security protocol such as passwords and logins? How many here have to change their passwords every 2 weeks? On top of that, the passwords cannot have any 2-letter/digit combination that is the same as the previous 30? In addition it must contain caps and numbers PLUS a special character?
All right, now that is just one routine for accessing the computers themselves. Keep in mind they store no secretive data, just standard office desktop applications.
Now we also have three other programs which follow the same login routine. That makes a total of 4 systems, each with their own password routine.

Sure, some may be saying that it is helping to keep the systems secure. No it is not, and here is why I don't believe so.

In any environment you must take into account the fact that people are absent-minded. As such you have to deal with them accordingly. Though on the surface having such a security routine may sound safe, it actually leads to breaches. As you force people to come up with new and drastically different passwords, they start getting out of their set routine. Pretty much everyone has a set pattern that they construct passwords from, or a list to use. By forcing them out of the pattern, or in a sense going beyond the number of passwords they can remember, loopholes develop. In this instance users will start to write their passwords down and store them around their desk.

Now in addition the user names have a new naming system: our employee ID.
*Looks up internal company guidelines*
Oh looky, it says never to use your employee number for passwords or to share it with anyone.
Hmpf, guess IT doesn't have to follow those rules in forcing us to do it. Now anyone can walk around and see what your employee number is. This compounds a pre-existing problem that deals with new systems. Any new systems that come up for users all have the same passwords. The security measure before was that each user had a user name that wasn't used for anything else. But now all user names are constructed around your employee ID. This ID is also used to fill out certain forms etc. This is the same problem that exists with your Social Security number, a number which isn't supposed to be shared yet appears on every form you fill out. In fact the state of Virginia has caught on to that reality and is now issuing all driver's licenses with random license numbers instead of your Social.

:rolleyes:

Just irks me to no end what these IT people come up with here, to *try* and manage security systems.
Oh, and am I an expert? No. All I have is an Associate's in Network and Security before changing to Computer Science. So I don't try to be all-mighty on this issue, but I do look at it from a reality point of view. The reality is that the more complex a system gets, the more loopholes develop.
Hmm, wait, that phrase sounds familiar..... OHHH I know, my professor for my entry-level security class said it. Guess these IT admins missed that class.

Thank you for hearing my Rant.
Anyone else have similar IT silliness at his or her work place???

*Steps down from soap box*
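As an added example that is not part of the thread, here is a small Python checker modelling the rules the opening post describes (caps, a digit and a special character required; no two-character sequence shared with any of the previous 30 passwords). The 8-character minimum and the sample password history are assumptions.

```python
import string

# Added example, not code from the thread. It models the composition and
# history rules the opening post describes: an upper-case letter, a digit and
# a special character are required, and no two-character sequence may appear
# in any of the previous 30 passwords. The 8-character minimum is assumed.
HISTORY_DEPTH = 30
MIN_LENGTH = 8


def bigrams(s):
    """All adjacent two-character sequences in s, as a set."""
    return {s[i:i + 2] for i in range(len(s) - 1)}


def composition_failures(password):
    """Composition rules the candidate breaks (empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def history_conflicts(password, history):
    """Bigrams the candidate shares with the most recent HISTORY_DEPTH passwords."""
    recent = history[-HISTORY_DEPTH:]
    seen = set().union(*(bigrams(old) for old in recent))
    return sorted(bigrams(password) & seen)


def evaluate(password, history):
    """Return (accepted, reasons) for a candidate against the policy."""
    reasons = composition_failures(password)
    conflicts = history_conflicts(password, history)
    if conflicts:
        reasons.append("shares %d bigram(s) with recent passwords: %s"
                       % (len(conflicts), ", ".join(conflicts)))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed history: a user rotating one pattern, as the post predicts.
    previous = ["Summer2024!"]
    for candidate in ("Summer2025!", "Tr0ub4dor&3", "password"):
        ok, why = evaluate(candidate, previous)
        print(candidate, "accepted" if ok else "rejected: " + "; ".join(why))
```

The rotated "Summer2025!" is rejected for sharing eight bigrams with its predecessor, which is exactly the rule that pushes users off their memorable pattern.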
 
damn the man.

i make the password rules here. different password for Windows and Email (no way around it). Email is set by the school. I require that Windows be 7 characters and must contain some variation, whether it be a number or what have you.
These people would flip out if I required special characters. We'd have to have a meeting to learn what special characters are.

All my passwords use alt characters so they CANNOT be cracked.. tried everything to do it, L0pht, etc..
 
To eliminate some of those issues, we provide IP access to some material. You have to have a security card permitting access to certain areas of the building, so those not authorized to view certain information aren't able to get access to it anyway.

It amazes me how absent-minded and careless people are about U/P's. I do web-helpdesk work and can see similar patterns in the average user's thinking... like picking their common first name or last name for their U/P. GIMME A BREAK!!

2legit2quit
 
Here at my work we require unique password changes every 90 days. We don't require any special characters, but they must be 7 characters in length. Since I am a Network Administrator, I can exempt myself from this policy :) I still like to change my password every once in a while though.
 
Brilliant Mike!!! Things like that are understandable and completely worthwhile to utilize.
Or the systems that require you to enter the pass code on a badge that changes the number every 10 seconds.

Oh ya our passwords are around 12-15 characters long.

And whom are they protecting with these password routines? If someone actually gained access to the network from the outside, then these passwords are useless for the most part. And now it is so backwards complicated for just about everyone that people DO post it on their monitors. So anyone inside the building could easily gain access. :eek:
 
I have to maintain 171 passwords for work. Our requirements are 5 letters and 1 number minimum, they need to be changed every 45 days and they can't repeat themselves. Now you can't simply use the same word, you have to make substantial changes to them. I do have a position that could be used to access a lot of sensitive data, but there are several safeguards besides just these passwords to get into sensitive areas of the company.

Oh and RE, did you get my peanuts wallpapers? Let me know and I can resend them if not.
 
i require at least 6 digits, no special characters, and it expires in 45 days. Passwords may not be repeated. Email is a 7 digit with at least one number. It works out alright.

Users just forget their passwords sometimes and require a simple reset, then they can change to what they want.
 
lol. they should just implant a retractable usb key in your arm. that way you just put it in when you get to your workstation!
 
Hmmm.. Have any of you ever tried hacking?

with a standard dictionary cracker, you can crack most 6 character passwords in >20 seconds. You can crack most 8 character passwords in >30 seconds. When you add numbers and letters into it, it goes to >120 minutes on a 6 digit password and >12000 minutes on a 8 digit password.

I work in IT too, and we require these things so that you cannot get hacked as easily. We are typically not worried about someone inside the company having more access than they need, as they would probably not do much with it anyway. What we are worried about is someone hacking our website, our firewalls, and then granting themselves access to our servers.

I also assume you haven't had many machines hacked? We had one of our FTP servers hacked a long time ago and found that it was running a Quake server. Let me tell you, it only takes that happening once to make sure your network is secure. Since I am a network admin and senior desktop, I can control what our techs do. We have initial passwords randomly generated and advise users not to share. We also disable the built-in accounts on our NT boxes and have a security guideline to change our root passwords on our Unix/Linux boxes every thirty days. We monitor all traffic and ports on firewalls and servers. We monitor all new user accounts and all new services on servers. Our business is 24/7, and we want it to stay that way. With all the new security and other things, a bad virus will shut us down for ~2 hours now, as opposed to a day. A hacker will shut one of our network segments down for ~4-6 hours and our network for 1-2. Once again, this is a HUGE improvement on the way things were. The increased productivity DIRECTLY affects our bottom line.

Incidentally, in the past year and a half, we have detected 15+ hack attempts failed due in large part to our security features. Also, we have only had one major virus outbreak that shut our servers down for a period of more than 2 hours.

I think the bottom line speaks for itself!
--A
 
all my passwords are abc123 except my bank accounts. i figure if you want to look at my computer and download my music, or log in to my computer game clans website as me, be my guest, i have nothing to hide really, unless you want to read my budget.
 
Well, I am in IT as well but our passwords are not that strict: 6 characters, and they can be recycled after 9 times. For anyone with sensitive data on their machine or who has access to such data, we have biometric protection via a fingerprint reader that is installed on the workstation. Plus we can assign rights through group policy at logon, yadda yadda, there are lots of ways to be secure besides passwords alone. We are very service oriented and like to make our users as happy as we can; after all, they pay the bills :D
If someone really screws up and refuses to comply with the rules for long enough, or in an instance that could jeopardize the company, then they are locked down and they learn pretty quick not to be dumb with their freedom or they lose it.
 