AVSIG: Password Security....should you change it often?

(This is a Read-only Archive of the 2004-2017 AVSIG Forum)


Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Password Security....should you change it often?
      #428760 - 08/03/16 07:18 PM

From a recent article....
Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: "Encourage your loved ones to change passwords often, making them long, strong, and unique." Cranor wasted no time challenging it.

The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

http://arstechnica.com/security/2016/08/...hnologist-says/


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Scott Dyer [HPN/NY]]
      #428761 - 08/03/16 08:35 PM

Yes, certainly a gripe I have. If a hacker gets ahold of your password, he's likely to use it right away. You'd have to be changing the password daily to have any effect on that.

The only situation where I see it improving security is that it's not usual for coworkers to share passwords. It might be against policy, but the unwritten "prime directive" is "get the job done". Sometimes people need to borrow someone with a higher privilege to get something done. And it's far easier to share a password than to drop what you're doing and help out.

Once a coworker knows someone's password, they can use it anytime - until it's changed.

Of course, most people generate a new password by simply incrementing the required digit. Very easy to figure out. I have yet to run into a system that complains that your new password is too similar to your old one. (I have seen one that complains if the password is too similar to your login name.)
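
Added example (not part of the original post, and not any vendor's implementation): a change-time check that rejects a new password that is the old one with only its digits changed, or within a few edits of it. It assumes the old password is available in plaintext at that moment because the user has just typed it to authorise the change; `too_similar` and the `min_edits` threshold are illustrative names and values.

```python
import re
from typing import Optional


def _skeleton(pw: str) -> str:
    """Lower-case the password and collapse every run of digits to '#'."""
    return re.sub(r"\d+", "#", pw.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_edits: int = 4) -> Optional[str]:
    """Return a rejection reason if `new` is a trivial variant of `old`.

    `old` is the password the user just entered to authorise the change;
    nothing here needs stored plaintext. `min_edits` is an assumed threshold.
    """
    if old == new:
        return "identical"
    # Catches Summer2016! -> Summer2017! and password9 -> password10.
    if _skeleton(old) == _skeleton(new):
        return "only digits changed"
    if edit_distance(old.lower(), new.lower()) < min_edits:
        return "fewer than %d edits" % min_edits
    return None


if __name__ == "__main__":
    # Constructed sample pairs.
    for old, new in [("Summer2016!", "Summer2017!"),
                     ("Summer2016!", "Summer2016?"),
                     ("Summer2016!", "correct horse battery")]:
        print(old, "->", new, ":", too_similar(old, new) or "accepted")
```
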


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Scott Dyer [HPN/NY]]
      #428763 - 08/03/16 10:36 PM

Indeed. I used to work at a place which required monthly password changes
and one could not reuse any of the ten previous passwords or anything "too
similar" to any of them.

The antidote was developed by the guy who beat me to it -- a batch script
which generated eleven random strings, changed the password to each one in
turn, then changed the password back to what it had been.

It would have taken a much sharper IT person than any at that company to see
that users had changed passwords multiple times in less than one minute.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.
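
Added example (not part of the original post): the history-cycling pattern described above is visible in an account audit trail as a burst of password changes on one account. This sketch flags such bursts with a sliding window; the three-field log format, the `password_change` event name, the account names and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "ISO-timestamp account event". jdoe makes 12 changes
# two seconds apart (eleven throwaways plus the change back); asmith is normal.
_T0 = datetime(2016, 8, 3, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    ["%s jdoe password_change" % (_T0 + timedelta(seconds=2 * i)).isoformat()
     for i in range(12)]
    + ["2016-08-03T08:15:00 asmith password_change",
       "2016-08-03T09:00:05 asmith logon",
       "2016-08-04T10:30:00 asmith password_change",
       "this line is malformed"]
)


def find_change_bursts(log_text, max_changes=3, window=timedelta(minutes=5)):
    """Return {account: peak change count} for every account that changed its
    password more than `max_changes` times inside any `window`-long interval."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "password_change":
            continue  # other event types and malformed lines are ignored
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1]))
        except ValueError:
            continue  # unparseable timestamp
    recent = defaultdict(deque)  # account -> change times still in the window
    bursts = {}
    for ts, account in sorted(events):
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_changes:
            bursts[account] = max(bursts.get(account, 0), len(q))
    return bursts


if __name__ == "__main__":
    for account, count in find_change_bursts(SAMPLE_LOG).items():
        print("%s: %d password changes within 5 minutes" % (account, count))
```
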


Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Re: Password Security....should you change it often? [Re: Ray Tackett]
      #428764 - 08/03/16 10:47 PM

I love it!

Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Scott Dyer [HPN/NY]]
      #428765 - 08/03/16 10:50 PM

Scott, a couple of comments.

1) What are the odds of you, or me, or the guy down the block getting hit by
a hacker? I submit we are more likely to become involved in an automobile
accident, with the potential for far more serious results.

2) What do we have on our computers, or in password protected links to other
data, that would REALLY be serious if a hacker got to it? I learned many
years ago, never write anything you would not want on the front page of
tomorrow's NYT. Perhaps my most precious data is found in my brokerage and
bank accounts. All of those agencies I deal with I trust to (eventually)
make things right if someone other than I moves stuff around.

I have a list of about 60 sites I log onto where I am required to have a
password. They are literally procedural in nature. My life would hardly
change if any, or all, of my data at those sites were made public. A hacker
could mess up my data files, but that is why I have backups.

In my view, passwords mostly prevent me from logging on to the wrong account,
or someone else accidentally logging on to mine.

If all the energy expended on passwords and their use was instantly converted
to cancer research we would have a cure for it tomorrow.


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Ray Tackett]
      #428767 - 08/03/16 11:10 PM Attachment (133 downloads)

Quote:

The antidote was developed by the guy who beat me to it -- a batch script which generated eleven random strings, changed the password to each one in turn, then changed the password back to what it had been.

It would have taken a much sharper IT person than any at that company to see that users had changed passwords multiple times in less than one minute.




You wouldn't have been able to pull that off where I work. These are the tools Microsoft gives admins:



It would take 11 days to cycle through 11 passwords.


Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Re: Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428769 - 08/04/16 06:57 AM

For much in personal accounts, I largely agree with you, Ward. Still, some CC data would result in inconvenience.

The more significant area is in commercial accounts. Back when I was in practice, I had regular access to very valuable inside information about many large public companies and was duty bound by law and ethical codes to keep it strictly confidential. There's a market for that data and using password security is one way of keeping the data private.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428774 - 08/04/16 08:45 AM

Ward,

I haven't checked lately. But a year or so ago, I saw a figure that stated
that if you bring up a computer on the internet, that is, where it gets
assigned an IP address directly, rather than an unroutable IP address on the
safe side of a firewall (a firewall is typically provided by a DSL or cable
"modem", which is almost certainly what you have at home) that brand new
computer with its brand new IP address starts getting hit by automated
attacks coming from all over the world within seconds.

If you use e-mail or do web searches, you are vulnerable to attack. The bad
guys spend significant effort attacking legitimate web sites, which, by their
nature, have to live on the public side of firewalls. If they can break
through, they can install scripts into the attacked server's web pages that
do bad things on your computer when you access the site.

Me? I use LastPass. Yes, vulnerabilities have popped up there, but they
obviously work hard at preventing vulnerabilities and closing them when they
are found. I also keep passwords in an encrypted Microsoft Word document on
my computer; the password for that file has eleven characters and would take,
using current technology, a very long time to be cracked using brute force.

For an interesting exercise in paranoia:

https://www.wired.com/2016/06/clever-attack-uses-sound-computers-fan-steal-data/

That all said: You are possibly right. I do have a couple of passwords I
reuse for convenience, like my "accounts" at nytimes.com and latimes.com,
because who the hell cares if they get hacked? My Paypal account, however,
gets treated differently; that password is a unique string of sixteen
gobbledegook characters generated by LastPass; I have never typed it and I
don't know what it is. And I am mulling over using two-factor authentication
there.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428778 - 08/04/16 10:30 AM

What Scott said. My banking and CC data is important to me.

The last couple of places I worked, we had customer code and data chunks
submitted for problem analysis. All that data was under a nondisclosure
agreement which was part of the license agreement. I.e., you buy a license
and it binds customer and vendor to mutual nondisclosure.

At each place, several sets of customers were mutually competitive, so
nondisclosure was a must.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Ray Tackett]
      #428792 - 08/04/16 02:27 PM

OK, employer's non-disclosure data has a password need, but I've never been
involved in such so personally I don't care.

>> My . . . CC data is important to me. <<

Me too, but four (4!) times my CC data has been hacked while in possession of
CC sub-contractors. My passwords were never involved. In several other and
different cases a total of about $12,000 has been falsely charged to my
various CC accounts. I have no idea how they found my CC numbers, but again
my passwords were not involved.

I may overstate my position (as usual <g>), but in virtually all cases in my
life passwords and the rules applying to them are needlessly and grossly more
complex than the value of the data they are proposing to protect.

