AVSIG: Password Security....should you change it often?

Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Password Security....should you change it often?
      #428760 - 08/03/16 07:18 PM

From a recent article....
Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: "Encourage your loved ones to change passwords often, making them long, strong, and unique." Cranor wasted no time challenging it.

The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

http://arstechnica.com/security/2016/08/...hnologist-says/


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Scott Dyer [HPN/NY]]
      #428761 - 08/03/16 08:35 PM

Yes, certainly a gripe I have. If a hacker gets ahold of your password, he's likely to use it right away. You'd have to be changing the password daily to have any effect on that.

The only situation where I see it improving security is that it's not unusual for coworkers to share passwords. It might be against policy, but the unwritten "prime directive" is "get the job done". Sometimes people need to borrow someone with a higher privilege to get something done. And it's far easier to share a password than to drop what you're doing and help out.

Once a coworker knows someone's password, they can use it anytime - until it's changed.

Of course, most people generate a new password by simply incrementing the required digit. Very easy to figure out. I have yet to run into a system that complains that your new password is too similar to your old one. (I have seen one that complains if the password is too similar to your login name.)


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Scott Dyer [HPN/NY]]
      #428763 - 08/03/16 10:36 PM

Indeed. I used to work at a place which required monthly password changes
and one could not reuse any of the ten previous passwords or anything "too
similar" to any of them.

The antidote was developed by the guy who beat me to it -- a batch script
which generated eleven random strings, changed the password to each one in
turn, then changed the password back to what it had been.

It would have taken a much sharper IT person than any at that company to see
that users had changed passwords multiple times in less than one minute.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.


Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Re: Password Security....should you change it often? [Re: Ray Tackett]
      #428764 - 08/03/16 10:47 PM

I love it!

Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Scott Dyer [HPN/NY]]
      #428765 - 08/03/16 10:50 PM

Scott, a couple of comments.

1) What are the odds of you, or me, or the guy down the block getting hit by
a hacker? I submit we are more likely to become involved in an automobile
accident, with the potential for far more serious results.

2) What do we have on our computers, or in password protected links to other
data, that would REALLY be serious if a hacker got to it? I learned many
years ago, never write anything you would not want on the front page of
tomorrow's NYT. Perhaps my most precious data is found in my brokerage and
bank accounts. All of those agencies I deal with I trust to (eventually)
make things right if someone other than I moves stuff around.

I have a list of about 60 sites I log onto where I am required to have a
password. They are literally procedural in nature. My life would hardly
change if any, or all, of my data at those sites were made public. A hacker
could mess up my data files, but that is why I have backups.

In my view, passwords mostly prevent me from logging on to the wrong account,
or someone else accidentally logging on to mine.

If all the energy expended on passwords and their use was instantly converted
to cancer research we would have a cure for it tomorrow.


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Ray Tackett]
      #428767 - 08/03/16 11:10 PM Attachment (133 downloads)

Quote:

The antidote was developed by the guy who beat me to it -- a batch script which generated eleven random strings, changed the password to each one in turn, then changed the password back to what it had been.

It would have taken a much sharper IT person than any at that company to see that users had changed passwords multiple times in less than one minute.

You wouldn't have been able to pull that off where I work. These are the tools Microsoft gives admins:



It would take 11 days to cycle through 11 passwords.


Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Re: Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428769 - 08/04/16 06:57 AM

For much in personal accounts, I largely agree with you, Ward. Still, some CC data would result in inconvenience.

The more significant area is in commercial accounts. Back when I was in practice, I had regular access to very valuable inside information about many large public companies and was duty bound by law and ethical codes to keep it strictly confidential. There's a market for that data and using password security is one way of keeping the data private.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428774 - 08/04/16 08:45 AM

Ward,

I haven't checked lately. But a year or so ago, I saw a figure that stated
that if you bring up a computer on the internet, that is, where it gets
assigned an IP address directly, rather than an unroutable IP address on the
safe side of a firewall (a firewall is typically provided by a DSL or cable
"modem", which is almost certainly what you have at home) that brand new
computer with its brand new IP address starts getting hit by automated
attacks coming from all over the world within seconds.

If you use e-mail or do web searches, you are vulnerable to attack. The bad
guys spend significant effort attacking legitimate web sites, which, by their
nature, have to live on the public side of firewalls. If they can break
through, they can install scripts into the attacked server's web pages that
do bad things on your computer when you access the site.

Me? I use LastPass. Yes, vulnerabilities have popped up there, but they
obviously work hard at preventing vulnerabilities and closing them when they
are found. I also keep passwords in an encrypted Microsoft Word document on
my computer; the password for that file has eleven characters and would take,
using current technology, a very long time to be cracked using brute force.

For an interesting exercise in paranoia:

https://www.wired.com/2016/06/clever-attack-uses-sound-computers-fan-steal-data/

That all said: You are possibly right. I do have a couple of passwords I
reuse for convenience, like my "accounts" at nytimes.com and latimes.com,
because who the hell cares if they get hacked? My Paypal account, however,
gets treated differently; that password is a unique string of sixteen
gobbledegook characters generated by LastPass; I have never typed it and I
don't know what it is. And I am mulling over using two-factor authentication
there.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428778 - 08/04/16 10:30 AM

What Scott said. My banking and CC data is important to me.

The last couple of places I worked, we had customer code and data chunks
submitted for problem analysis. All that data was under a nondisclosure
agreement which was part of the license agreement. I.e., you buy a license
and it binds customer and vendor to mutual nondisclosure.

At each place, several sets of customers were mutually competitive, so
nondisclosure was a must.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Ray Tackett]
      #428792 - 08/04/16 02:27 PM

OK, employer's non-disclosure data has a password need, but I've never been
involved in such so personally I don't care.

>> My . . . CC data is important to me. <<

Me too, but four (4!) times my CC data has been hacked while in possession of
CC sub-contractors. My passwords were never involved. In several other and
different cases a total of about $12,000 has been falsely charged to my
various CC accounts. I have no idea how they found my CC numbers, but again
my passwords were not involved.

I may overstate my position (as usual <g>), but in virtually all cases in my
life passwords and the rules applying to them are needlessly and grossly more
complex than the value of the data they are proposing to protect.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428793 - 08/04/16 02:27 PM

Bob, I've read countless horror stories about hackers getting around password
protected territory. Also common are the stories told to me, "a guy told a
friend of mine about . . ."

I've never personally known anyone who has had their data hacked. Malicious
crap screwing up the computer? It has happened to me and many people I know.
But data? Never.

I think the need for passwords, in general, is extremely overstated. And
the complexity of how some passwords must be formed is ridiculous, to the
extreme.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428817 - 08/05/16 12:26 AM

From your perspective, I mostly agree with you. My point was that there are
other valid perspectives.

For an extreme case, I worked for a short time (my choice about short) at
place which wrote medical practice management software. One component was
checking prescriptions for insurance and interactions and doctor shopping.

My employer's servers were trusted by the insurance clearing house, a joint
effort of several insurers. In turn, the company had to validate the
requests coming in from medical practices as legitimate before passing them
through.

I worked in a biometrically secured room where there was a Certificate
Authority machine. Those who don't know what I mean, refer to
https://en.wikipedia.org/wiki/Public_key_certificate and
https://en.wikipedia.org/wiki/Certificate_authority

I would generate and install a certificate on a specific customer machine
which had a fixed (not dynamic) IP address. It took the combination of the
IP address and the certificate which had been generated for that specific
machine which validated requests and permitted return data to be received.

In short, this went beyond password security. HIPAA is a powerful motivator
for data security.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428823 - 08/05/16 02:02 AM

Ward, I have another one for you.

A woman who lives in my building has been having trouble with somebody
targeting her. So, although for you this is still "I know a guy who knows a
guy..." for me it's a bit closer.

Specifically, the bad guy repeatedly tried and failed, intentionally, to log
into my friend's bank account, doing it enough times that the system locked
out the account. The bad guy then called the bank by phone and successfully
impersonated my friend, getting the bank to reset the password to the bad
guy's choice. The bad guy then proceeded to siphon some money out.

Within a few hours, my friend figured out something was going on, and got the
bank to do a password reset.

The next day, the bad guy started over and did it *again*.

The bad guy is clearly a very accomplished practitioner of "social engineering".

The damage was modest, because other evidence suggested that the bad guy
wasn't actually targeting my friend's bank account. She is a finance officer
for a building management company that keeps the operating accounts for a
dozen or so large residential buildings in that same bank. The bad guy was
apparently trying to leverage his way into those accounts, which have many
millions of dollars in them. Those accounts, by their nature, have
additional safeguards, and the bad guy wasn't able to get close to them.

Within the last year somebody hacked into my e-mail server's account at
panix.com; for about a week they were logging in as me and sending much
spam. Changing that password made that problem go away.

<shrug> The problems are real.

The formation rules can be, I agree, ridiculous, except when you consider
that something like one third of all passwords are, simply, the word
"password".

I do wish the heuristics were often more flexible. If I use as a password
the phrase "to be or not to be, that is the gezorninplat" the furshlurginer
system has absolutely *no* call to reject it on the grounds that there are no
capital letters in it.


Terry Carraway
Top Gun


Reged: 06/02/04
Posts: 7098
Loc: Maryland
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #428829 - 08/05/16 06:49 AM

Quote:

Ward,

I haven't checked lately. But a year or so ago, I saw a figure that stated
that if you bring up a computer on the internet, that is, where it gets
assigned an IP address directly, rather than an unroutable IP address on the
safe side of a firewall (a firewall is typically provided by a DSL or cable
"modem", which is almost certainly what you have at home) that brand new
computer with its brand new IP address starts getting hit by automated
attacks coming from all over the world within seconds.

Our first higher speed (than a modem) connection was ISDN. I do not remember why, but we connected without a router, but sharing the connection over a computer.

The first thing I did was start up BlackICE Defender. And within 1 - 2 seconds of getting the connection, the IP address was being hit MANY times.

And this was back in the early 90s.

--------------------
Terry
Mostly 0W3


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428830 - 08/05/16 06:53 AM

Yeah, I know there is a real need for passwords. It is just that the
satisfaction toward that need has gotten blown way out of the picture.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Ray Tackett]
      #428831 - 08/05/16 06:53 AM

Yep, I understand. As I told Bob, I think the password business has gotten
far afield from the original intent. Seems no one is asking, "Why are we
here?"


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428841 - 08/05/16 11:42 AM

Ward, I don't disagree; the effort and attention paid to passwords is another
example of 1) Looking for your keys under the streetlight, because
that's where you can see, and/or 2) blaming the victim. In most cases the
effort involved isn't justified by the value of the information being secured.

But you don't want a successful attack on IDontCare.com to reduce your
security on StoreYourMoneyHere.com, either.

One main reason for using different passwords on different systems, and
changing them fairly frequently, is because so damned many servers are being
successfully hacked. So, if somebody breaks into IndifferentSecurity.com and
steals their password file, which in the worst case idiotically stores your
password in the clear, then they can start trying that password at
Amazon.com, EveryBank.com, and so on.

Even if the password itself isn't stored, but rather a cryptographic hash,
the Bad Guys have developed sophisticated means of figuring out whether that
hash is known to be associated with a password. If it is, then they can go
back to trying that password elsewhere.

As the arms race continues, the standard means of dealing with that problem
is to concatenate a 128-bit (or more) strong random number called a "salt"
with your password before generating the hash; the salt gets stored along
with your username and the final hash for verifying your password in the
future.

But, basically, *you* have to keep changing your password because *their*
security can't be completely trusted.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428850 - 08/05/16 02:19 PM

Bob, what is the reason for changing a password frequently?

If the bad guy doesn't crack it this week, does it mean as the p/w ages it
becomes more likely to be broken? Or does he crack half of it this week and
the other half next week? I don't think so.

And why must I include Upper Case and Numerals at one site, yet not at
another? Can it be proved the latter site is less secure?


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428851 - 08/05/16 02:37 PM

Quote:

Can it be proved the latter site is less secure?

Yes. If it's known the password is all lower case letters, it takes fewer combinations to go through every possible combination. It would also discourage the trivially simple passwords (like "password") that are often the starting point for any attack on the password file.

If the password must be 8 characters, lower-case only would be 26^8 or 208,827,064,576 combinations. (Or we can simplify that by using a dictionary attack under the theory it's a single word. That would be somewhere in the tens of thousands of combinations.) But require one upper, one lower and one number and we're talking 62^8 or 218,340,105,584,896 - about 1045 times more complex.


Nancy Zeitlin [HPN]
AVSIG Member


Reged: 04/29/04
Posts: 2728
Loc: KHPN
Re: Password Security....should you change it often? [Re: Russell Holton]
      #428863 - 08/05/16 05:11 PM

RH> It would also discourage the trivially simple passwords (like "password") that's often the starting point for any attack on the password file.

I'm encountering an increasing number of sites doing their own dictionary lookup on submitted passwords and rejecting them if in their list...


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Russell Holton]
      #428868 - 08/05/16 06:37 PM

>> If it's known the password is all lower case letters . . . <<

But the bad guy doesn't know that, so he must test for caps and numbers too.
I've never seen a site that forbids caps and numbers, have you?

>> ....about 1045 times more complex. <<

So what? Does that take the bad guy's computer another couple of seconds?


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428877 - 08/05/16 08:47 PM

The argument for changing passwords is in case the server gets hacked and the
password files stolen.

The bad guys can then run cracking attacks on the password file. Those
attacks can take a long time, but in principle they will eventually succeed.
A policy of changing passwords means that even if your password is found by
cracking, it won't do the bad guys much good because it'll already have been
changed during the cracking period.

This is the argument against using passwords like NinaNina1 followed by
NinaNina2 when forced to make a change. Easy for you to remember, sure, but
also easy for bad guys to figure out the second one once they've cracked the
first. And the pros know all about stuff like NinaNina1; a lot of people do
that. Hell, I do that for relatively unimportant accounts.

Google "new technology cracks strong passwords forbes" for a Forbes article
about the human vulnerabilities of passwords.

And Russell has already responded: The more characters that can be used in
the password, the harder a brute force search becomes. The reductio ad
absurdum is this: If the alphabet consists of just the letter 'A', then
cracking a password is trivial, since the possibilities are A, AA, AAA, and
so on. In other words, there is only one ten-character password. Make it
any upper case character, and there are 26**10 possibilities: 141 trillion.
Make it any upper or lower case letter, and there are 52**10 possibilities:
146 quadrillion.

Modern desktop computers can try hundreds of millions of passwords per
second, for some kinds of hashes. If outfitted with GPU processors -- which
are cheap -- there are cracking tools that can try billions of passwords per
second. At that rate, those 141 trillion ten-character single-case passwords
can be broken in less than a day.

Again, this is an arms race, and modern password encryption is much trickier
than just hashing a ten-character string. (Search out "bcrypt" and "scrypt",
for example.) That kind of technology makes cracking harder.

I personally use LastPass for most of my password stuff these days, and
anything like banking or PayPal or credit card access uses randomly
generated 12- to 16-character passwords like "Aq&,bzQoP#3z7" and I never even
look at them.

But I keep looking at other possibilities; I figure that sooner or later I'll
start using two-factor authentication for important stuff. That means I'll
have to keep my smart phone with me all the time so that the site can text me
a one-time-only number each time I log in.

There's a lot of excitement about the fingerprint readers now found on smart
phones and tablets. But they scare me a little; inexpensive readers don't
need my thumb to be attached to me, nor do they care whether or not I am
alive.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Nancy Zeitlin [HPN]]
      #428878 - 08/05/16 08:47 PM

Ward, this conversation is -- sort of -- demonstrating why even 8-character
passwords are no longer considered automatically safe.

As I said elsewhere, modern cracking programs on GPU equipped computers can
try about 2.8 billion passwords per second. 26**8 is about 209 billion, and
such a program would take about 75 seconds to go through all of them.

So, yeah, 1,045 times that would be 22 hours.

And as Nancy points out, the bad guys would have created a dictionary of all
of those possibilities. I haven't really designed a system, but suppose the
hash is 256 bits. Storing 209 billion of those would be about 7 terabytes,
which is about $200 of disk storage these days. Fussing and fiddling with
hash storage techniques means that it would take a few milliseconds to come
up with your password. And that covers *every* possible 8-character
lower-case password for a particular hashing algorithm.

Again, I am not the first person to figure this out; modern password
encryption has grown complicated for the express purpose of reducing
vulnerability to dictionary attacks. Googling "rainbow table" will give you
an idea about how the ever-escalating arms war in passwords and password
crackers has evolved.

Passwords are an area where the bad guys have infinite time and infinite
resources to break the efforts of the good guys. Strange and wonderful
things happen as a result. So my back of the envelope guesswork here is
naive and criminally incomplete; the bad guys are much more advanced than I
am after thinking about it for almost fifteen whole minutes.


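Bob's description of salting (post #428841) and his 8-character precomputed-dictionary arithmetic above, worked through as an added example that is not from the thread or from any product it mentions. SAMPLE_WORDLIST is a constructed five-word stand-in for a cracker's dictionary, and PBKDF2 from Python's standard library stands in for the bcrypt/scrypt he names:

```python
# Added example (not from the thread): why a precomputed hash lookup breaks
# unsalted password storage, how a random salt plus a slow hash defeats it,
# and the keyspace arithmetic the thread works through by hand.
import hashlib
import hmac
import secrets

# Constructed stand-in for a cracker's dictionary; real wordlists hold millions of entries.
SAMPLE_WORDLIST = ["password", "letmein", "ninanina1", "sunshine", "aviation"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: hash the bare password, so equal passwords give equal hashes
    on every site that uses the same algorithm."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> plaintext once; afterwards each stolen hash is a dictionary lookup."""
    return {unsalted_hash(word): word for word in wordlist}


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Store a per-user 128-bit random salt alongside the hash. PBKDF2 stands in here
    for the deliberately slow hashes (bcrypt, scrypt) the thread mentions."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a given guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def lookup_table_bytes(alphabet_size: int, length: int, hash_bits: int = 256) -> int:
    """Storage needed to keep one hash per possible password (no compression)."""
    return keyspace(alphabet_size, length) * (hash_bits // 8)


def demo() -> None:
    table = build_lookup_table(SAMPLE_WORDLIST)
    stolen = unsalted_hash("password")            # what a breached, unsalted site leaks
    print("unsalted lookup:", table.get(stolen))  # recovered instantly

    rec_a = make_salted_record("password", iterations=10_000)
    rec_b = make_salted_record("password", iterations=10_000)
    print("same password, different salted hashes:", rec_a["hash"] != rec_b["hash"])
    print("salted hash in precomputed table:", table.get(rec_a["hash"]))  # None: table is useless
    print("verify right/wrong:", verify_salted(rec_a, "password"), verify_salted(rec_a, "Password"))

    print("26^8 =", keyspace(26, 8))
    print("62^8 / 26^8 =", keyspace(62, 8) // keyspace(26, 8))
    print("seconds to exhaust 26^8 at 2.8e9/s:", round(seconds_to_exhaust(26, 8, 2.8e9)))
    print("table for 26^8 with 256-bit hashes, TB:", lookup_table_bytes(26, 8) / 1e12)


if __name__ == "__main__":
    demo()
```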
Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428880 - 08/05/16 09:19 PM

Quote:

But the bad guy doesn't know that, so he must test for caps and numbers too.
I've never seen a site that forbids caps and numbers, have you?

Many sites now require a mix.

But the point is that if you allow all lower case, then chances are there are a number of common passwords in all lower case and the hacker can crack them. And once you've cracked some, now you know how that system encodes them and it becomes easier to crack the rest.


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #428881 - 08/05/16 09:26 PM

Quote:

There's a lot of excitement about the fingerprint readers now found on smart phones and tablets. But they scare me a little; inexpensive readers don't need my thumb to be attached to me, nor do they care whether or not I am
alive.

What I don't get is how it's that much more secure than the mag stripe on the back of a credit card. If you've broken into the system, once you get ahold of the data the thumbprint reader creates, you don't even need the reader.

In case your thumb's data has been stolen, good luck changing your thumb.


sreyoB yrraL
AVSIG Member


Reged: 05/16/04
Posts: 9442
Re: Password Security....should you change it often? [Re: Russell Holton]
      #428883 - 08/05/16 09:50 PM

The Security Now podcast has talked extensively about passwords and security (go figure) over the years. It makes a lot of sense while I'm listening to the explanations of the technology, techniques, and challenges, but I don't remember enough of the details to relate them. I do remember that eliminating words found in the dictionary, having both upper and lowercase letters, and including both numbers and symbols takes a brute force attack from trivial to nearly impossible due to the amount of time it will take to find a solution.

https://www.grc.com/securitynow.htm

Search for something like "passwords" in the episode descriptions.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428884 - 08/05/16 10:29 PM

>> The argument for changing passwords is in case the server gets hacked and
the password files stolen. <<

Okay, so they recommend changing all my 60 passwords once a week. That would
take a minimum of 3 hours. But wait a minute! What if the guys break into
the server in 4 days? Guess I should change them every other day. Maybe
daily?

Bob, I'll let all you guys worry about passwords. I've said before, I have
nothing to protect that matters that much. I suspect some who are hot
about passwords, if they REALLY thought about it, have the same situation.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428924 - 08/06/16 08:00 PM

<grin> Ward, you aren't wrong.

I don't change most of my passwords, for just the reason you describe: I
really don't care if somebody hacks into my nytimes.com account.

And it would be a pretty sad hacker making a significant effort to get into
nytimes.com. What would be the point?

Most of the fuss and bother has to do with business accounts and the like. I
don't work at an asset management firm any more, but all of the computers in
the company are attached to the same network -- and I had a lot of
capability; I had access to many shared folders, and I had a lot -- a *real*
lot -- of power in several of the databases.

If somebody hacked into the system, got hold of the right password file, and
started cranking and grinding on it, found my password and used it to log in
as me and start doing Bad Things using my permissions, it conceivably would
have made the front page of the New York Times business section, have
resulted in a big hit on the stock price, and could have resulted in a bunch
of people and institutions closing their accounts. I took that seriously; I
used long, nasty passwords, and I changed them more often than the 90 days
that company policy required.

And, yeah, that requires two steps; they'd have to know my password, and
they'd have to have access to the system -- that is, they'd have to be behind
the firewall. I used long, nasty passwords anyway.

The company is under constant, and serious, attack. All the financial firms
are; that's where the money is.

And that's where the bad guys can get leverage. Most companies use Windows
as their desktop machines. The Windows password mechanism is well known and
doesn't use salting, and so huge cracking dictionaries for Windows passwords
have been built.


Scott Dyer [HPN/NY]
Top Gun


Reged: 01/11/03
Posts: 20065
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #428931 - 08/06/16 09:14 PM

Quote:

I don't work at an asset management firm any more, but all of the computers in the company are attached to the same network -- and I had a lot of capability; I had access to many shared folders, and I had a lot -- a *real* lot -- of power in several of the databases. ****

The company is under constant, and serious, attack. All the financial firms
are; that's where the money is.




Bob -- Yup. Our IT guys know that they can't stop a determined attack from, among others, a sovereign power (pick your favorite bad actor). But we can keep some of the others relatively at bay. And our bank clients are very much the driver in requiring law firms to do more with their IT security. It's a bit of a mixed bag because it has shut down a lot of professional access to files that can be helpful as forms from one deal to the next.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Bob Dubner]
      #428940 - 08/06/16 10:41 PM

Another reason for a long, nasty password behind the firewall: You don't
know on which side of the firewall the next bad guy is.

My time in data security consulting (long time ago) was involved entirely
with internal threats, e.g., skimming the fractional cents off the daily
compound interest calculations. Lotsa variations on that theme, nearly all
of which would be caught instantly today.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Scott Dyer [HPN/NY]]
      #428941 - 08/06/16 10:41 PM

>>> ... requiring law firms to do more with their IT security.

True, but SQL injection à la "Little Bobby Tables" is still a common
vulnerability.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.
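The vulnerability Ray names, as an added Python example that is not part of the post: the same lookup written once by pasting input into the SQL text and once as a parameterized query. The client table, names, and the in-memory SQLite database are constructed for the demo; the lesson transfers to any SQL driver.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a firm's client index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, matter TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", [
        ("Acme Bank", "Loan syndication"),
        ("Bobby Tables", "Estate planning"),
        ("Zeta Trust", "Merger review"),
    ])
    return conn

def find_matters_unsafe(conn, name: str) -> list:
    """The classic bug: the caller's input becomes part of the SQL text,
    so a quote character changes the query's structure instead of being
    compared as data. A name like "x' OR '1'='1" returns every row, and
    a legitimate "O'Brien" simply crashes the statement."""
    sql = f"SELECT matter FROM clients WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_matters_safe(conn, name: str) -> list:
    """Parameterized query: the value travels separately from the SQL
    text, so whatever it contains is only ever compared as a string."""
    sql = "SELECT matter FROM clients WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(name: str) -> tuple:
    """Run both forms on the same input for side-by-side inspection."""
    conn = make_db()
    return find_matters_unsafe(conn, name), find_matters_safe(conn, name)
```

The crash on an apostrophe is worth watching for in application logs: the same code path that breaks on "O'Brien" is the one an attacker's quote will exploit, so SQL syntax errors triggered by user input are a cheap early-warning signal.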


Ralph Jones
Top Gun


Reged: 08/31/01
Posts: 21214
Loc: 4CO2
Re: Password Security....should you change it often? [Re: Ray Tackett]
      #428944 - 08/06/16 11:16 PM

Quote:

internal threats, e.g., skimming the fractional cents off the daily compound interest calculations



Did you run into Jennifer Aniston <g>?

--------------------
Ralph Jones
LS-4a N49LS 6R


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Ralph Jones]
      #428960 - 08/07/16 12:00 PM

No, but the major embarrassment, long after the roundoff skim had become old
hat, was the guy who was caught by the marketing department.

Marketing studied teller utilization, slicing and dicing the data in various
ways. In a customer sort, the top guy averaged six hundred thousand teller
transactions per month, all for amounts under one dollar. Of course, that's
physically impossible. When the "customer" turned out to be an employee,
they passed the data to security.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.
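The marketing department's catch, rebuilt as a small Python detection over constructed teller data (an added example, not anything from the post). The transaction rows, the customer ids and the "human limit" threshold are assumptions for the demo; the point is that an honest per-customer aggregation exposes an account with far more transactions than a person could perform, all for trivial amounts.

```python
from collections import defaultdict

def teller_profile(transactions) -> dict:
    """Aggregate per (customer, month): count, total and largest amount.
    Input rows are (customer_id, "YYYY-MM", amount)."""
    prof = defaultdict(lambda: {"count": 0, "total": 0.0, "max_amount": 0.0})
    for cust, month, amount in transactions:
        p = prof[(cust, month)]
        p["count"] += 1
        p["total"] += amount
        p["max_amount"] = max(p["max_amount"], amount)
    return dict(prof)

def flag_implausible(profile, human_limit=500, small_amount=1.00) -> list:
    """Return (customer, month) keys whose transaction count exceeds what a
    person could physically do at a teller AND whose every amount is
    trivial: the round-off skim signature Ray describes."""
    return sorted(k for k, p in profile.items()
                  if p["count"] > human_limit and p["max_amount"] < small_amount)

def constructed_sample() -> list:
    """Constructed data: two ordinary customers, one genuinely busy
    customer, and one 'customer' that is really the insider's account."""
    normal = [("C001", "2016-07", 12.50), ("C001", "2016-07", 40.00),
              ("C002", "2016-07", 250.00)]
    # Many transactions, but ordinary amounts: should NOT be flagged.
    busy = [("C003", "2016-07", 5.00 + i) for i in range(700)]
    # Thousands of credits, every one under a dollar: should be flagged.
    skim = [("C999", "2016-07", round((i % 97) / 100, 2)) for i in range(2000)]
    return normal + busy + skim

def run() -> list:
    return flag_implausible(teller_profile(constructed_sample()))
```

The busy-but-legitimate customer is the edge case that matters: a count threshold alone would raise a false alarm on them, which is why the amount condition is part of the rule.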


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Ray Tackett]
      #428966 - 08/07/16 02:33 PM

Ray, back about 1965 I first heard of a computer crime. A programmer at a
Minneapolis bank took the fractions of a cent left over for the passbook
nightly calculations and moved them to his account. It was a tough act to
pinpoint, but they finally caught him, after many thousands of dollars.

They wanted to try him for embezzlement, which had a very serious sentence,
but discovered he was a contract employee. So they had to settle for a much
lighter sentence.

Since then I've read several similar stories, some purely fiction. This one
may have been the source of those story-lines.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428970 - 08/07/16 02:58 PM

It used to be easy enough to do if you were inside and had computer access.
Database security was often nonexistent then.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.


Ralph Jones
Top Gun


Reged: 08/31/01
Posts: 21214
Loc: 4CO2
Re: Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428973 - 08/07/16 04:51 PM

That is a plot element in this 1999 comedy, which is practically a holy ritual in the IT community (and the basis for my reference to Jennifer Aniston a few posts up). The character who brings it up acknowledges the defeated attempt in 1995.

--------------------
Ralph Jones
LS-4a N49LS 6R


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Ralph Jones]
      #428978 - 08/07/16 06:50 PM

Ralph, that incident, in 1965, was the first computer crime I ever heard of.

The next one I heard about, in 1966, was a time when computer managers were
getting a bit smarter. In this case they found someone had tampered with a
major application, causing severe financial repercussions. They knew it must
have been one of their own programmers, but hadn't a clue.

The hired investigator was discussing it with the CEO, in his top floor
office. He was aimlessly looking out the window onto the employees' parking
lot.

Investigator: Hummm. Who owns that beautiful Rolls-Royce down there?

CEO: Oh, one of our junior programmers.

Investigator: Well?


Scott Dunham (RDU)
Top Gun


Reged: 04/29/04
Posts: 6470
Loc: Chapel Hill, NC
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #429226 - 08/12/16 10:40 AM

And for you trivia buffs, the source of Bob's "to be or not to be, that is the gezorninplat" quote is...?

Ralph Jones
Top Gun


Reged: 08/31/01
Posts: 21214
Loc: 4CO2
Re: Password Security....should you change it often? [Re: Scott Dunham (RDU)]
      #429228 - 08/12/16 10:56 AM

A million typing monkeys?

--------------------
Ralph Jones
LS-4a N49LS 6R


Scott Dunham (RDU)
Top Gun


Reged: 04/29/04
Posts: 6470
Loc: Chapel Hill, NC
Re: Password Security....should you change it often? [Re: Ralph Jones]
      #429244 - 08/12/16 05:24 PM

Good for partial credit...

Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Scott Dunham (RDU)]
      #429264 - 08/12/16 10:51 PM

I'm pleased that I'm not the only one who knows where that came from.

Richard Palm (PAO)
Top Gun


Reged: 04/30/04
Posts: 5388
Loc: PUDBY
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #429265 - 08/12/16 11:14 PM

One area of vulnerability that I've been concerned about is that many sites have a password reset process that involves sending you an email. That puts a rather high premium on using a strong password for your email account, I'd say.

Scott Dunham (RDU)
Top Gun


Reged: 04/29/04
Posts: 6470
Loc: Chapel Hill, NC
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #429267 - 08/12/16 11:38 PM

Hey -- I think we've got something here...

Classic.

