Current Events > i want to enforce strict passwords at work, am i insane

(+) Yeah! (+)

so at the moment we have a weak password policy. basically anything goes. i want to make it like minimum of 12 characters, plus mix of lower, up, numbers and special
i expect fierce resistance, plus more people than there already are putting labels and sticky notes on their screens listing their passwords

surely there must be a good way to get people to make real passwords and not be dumb fucks
---

Maybe get them to just add !!! to the start and end of their passwords to start.
---

Nope, you are not insane. We enforce that too just in case we get hacked.

If you want to become a HIPAA-compliant company, that will help enforce passwords a lot quicker too (but could also make you poor if you are ever found in violation of breaking it).
---

https://xkcd.com/936/

Rather than making needlessly complicated passwords a thing, why not encourage stronger passwords that people can actually remember?

But regardless of that, if you want to enforce stronger password policy, you better also put in place a robust process to help people get their passwords reset.
---

pinky0926 posted...

https://xkcd.com/936/

Rather than making needlessly complicated passwords a thing, why not encourage stronger passwords that people can actually remember?

But regardless of that, if you want to enforce stronger password policy, you better also put in place a robust process to help people get their passwords reset.

for that id need to set the password length to like 20 minimum, which i feel would be an even bigger shitstorm
---

12 characters is going a bit overboard
---

Just do a length requirement, at least one capital, and at least one number.

Anything more than that is just annoying.

Rika_Furude posted...

surely there must be a good way to get people to make real passwords and not be dumb fucks

What I usually do is sending an email from their account to their manager saying something like "you're a clown". They tend to be more careful after that.
---

Just have people request a new password sent to their phone every time they log in.
---

Bolle_Henk_ posted...

Rika_Furude posted...

surely there must be a good way to get people to make real passwords and not be dumb fucks

What I usually do is sending an email from their account to their manager saying something like "you're a clown". They tend to be more careful after that.

this is how i'll get my first and final warning years down the track when i've had enough of dealing with that one guy
---

scar the 1 posted...

Just have people request a new password sent to their phone every time they log in.

not everyone gets a work mobile here + we dont allow BYOD
---

a 6 or 8 character minimum, capital letter and number is fine. A special character requirement should be punishable by death
---

bevan306 posted...

a 6 or 8 character minimum

brute forced in seconds
---

well I dunno, can't you do some lockout policy or something, sounds better than inconveniencing staff. Maybe cause I work in the NSW public system and they are extremely lax with password character requirements, I think there would be uproar otherwise
---

Rika_Furude posted...

not everyone gets a work mobile here + we dont allow BYOD

personal phone?
---

sauceje posted...

Rika_Furude posted...

not everyone gets a work mobile here + we dont allow BYOD

personal phone?

yeah we dont allow BYOD
---

bevan306 posted...

well I dunno, can't you do some lockout policy or something, sounds better than inconveniencing staff. Maybe cause I work in the NSW public system and they are extremely lax with password character requirements, I think there would be uproar otherwise

we do already do that, but i dont think it works for cached credentials. so a stolen laptop could be taken offline and then brute force attempts made
---

https://xkcd.com/936/

how accurate is this comic?
---

My personal opinion on cyber security is that passwords & encryption are probably the LEAST important part of the puzzle; yes they're important, but it doesn't matter how good your system is at the technical level, if the secretary can be tricked into giving the critical information, anyway way. Brute force will ultimately always work if given enough time & computing power, making the best defense against that is either limit attempts or make the password too complicated for brute force to be practical. Exploits are always lurking in the corner somewhere, & hackers are always hunting for new ones; that one usually comes down to the developer's responsibility to supply updates to correct.
---

Rika_Furude posted...

surely there must be a good way to get people to make real passwords and not be dumb fucks

"If you make something idiot proof the universe will create a better idiot"

Also if you're the one that unlocks passwords have fun with that. If you're not the one who unlocks passwords then whoever that is will also want your blood. There is a way with active directory to setup a self service unlock site, but that's far beyond what I do.
---

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.
---

MedeaLysistrata posted...

https://xkcd.com/936/

how accurate is this comic?

extremely accurate. although its still a good idea to throw a number, cap and symbol in there just so that dictionary attacks are ineffective
---

thelovefist posted...

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.

impossible in our scenario. we are working towards SSO for a lot of things, but various supplier services dont have any sort of SSO or anything + they have the worst password requirements like exactly 6 character and lower case only no numbers. and if we move away from these suppliers we lose 99% of our revenue stream
---

Rika_Furude posted...

MedeaLysistrata posted...

https://xkcd.com/936/

how accurate is this comic?

extremely accurate. although its still a good idea to throw a number, cap and symbol in there just so that dictionary attacks are ineffective

ah, cool, didn't know that the extra number would make a difference or not
---

MedeaLysistrata posted...

Rika_Furude posted...

MedeaLysistrata posted...

https://xkcd.com/936/

how accurate is this comic?

extremely accurate. although its still a good idea to throw a number, cap and symbol in there just so that dictionary attacks are ineffective

ah, cool, didn't know that the extra number would make a difference or not

Remember that episode of Family Guy where Stewie didn't know his home phone number, so he just starts going "111-1111" in sequence? That's all brute force is. There's 10 numbers total (0-9), so not including area codes, the total possibilities is 10^7 (10*10*10*10*10*10*10).

For a case insensitive password, that's "26^x", where 'x' is the number of characters used. For a case sensitive, it's (26*2)^x, a case sensitive with numbers becomes [(26*2) +10]^x. You can see how this is literally exponential growth. No matter how many calculations per second your computer can do, this eventually becomes to big to be practical.
---

I am pretty sure Active Directory already defaults to 8 characters, at least 1 uppercase, 1 lowercase, and 1 number.
---

Rika_Furude posted...

thelovefist posted...

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.

impossible in our scenario. we are working towards SSO for a lot of things, but various supplier services dont have any sort of SSO or anything + they have the worst password requirements like exactly 6 character and lower case only no numbers. and if we move away from these suppliers we lose 99% of our revenue stream

Imagine thinking you need to depend on suppliers for this even with the usage of 3rd party applications.
---

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.

impossible in our scenario. we are working towards SSO for a lot of things, but various supplier services dont have any sort of SSO or anything + they have the worst password requirements like exactly 6 character and lower case only no numbers. and if we move away from these suppliers we lose 99% of our revenue stream

Imagine thinking you need to depend on suppliers for this even with the usage of 3rd party applications.

we cant get users to use webex correctly when it literally has arrows pointing to the two buttons you need to press. no way we can educate them to use something like lastpass
---

Rika_Furude posted...

we cant get users to use webex correctly when it literally has arrows pointing to the two buttons you need to press. no way we can educate them to use something like lastpass

Case in point why I argue that systems don't matter so much. Your real battle is almost always with the user.

>.>
---

darkbuster posted...

Rika_Furude posted...

we cant get users to use webex correctly when it literally has arrows pointing to the two buttons you need to press. no way we can educate them to use something like lastpass

Case in point why I argue that systems don't matter so much. Your real battle is almost always with the user.

>.>

Yeah back when I helpdesk'd on the regular I'd always have to remind myself that without idiot users I probably wouldn't have a job. It's a bittersweet relationship.
---

Rika_Furude posted...

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.

impossible in our scenario. we are working towards SSO for a lot of things, but various supplier services dont have any sort of SSO or anything + they have the worst password requirements like exactly 6 character and lower case only no numbers. and if we move away from these suppliers we lose 99% of our revenue stream

Imagine thinking you need to depend on suppliers for this even with the usage of 3rd party applications.

we cant get users to use webex correctly when it literally has arrows pointing to the two buttons you need to press. no way we can educate them to use something like lastpass

Imagine thinking lastpass is the same as sso.
---

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.

impossible in our scenario. we are working towards SSO for a lot of things, but various supplier services dont have any sort of SSO or anything + they have the worst password requirements like exactly 6 character and lower case only no numbers. and if we move away from these suppliers we lose 99% of our revenue stream

Imagine thinking you need to depend on suppliers for this even with the usage of 3rd party applications.

we cant get users to use webex correctly when it literally has arrows pointing to the two buttons you need to press. no way we can educate them to use something like lastpass

Imagine thinking lastpass is the same as sso.

i never said that lol. now you're just acting like a dick
---

You'll always get pushback from the endusers. Implement the new password policy and let them complain. If they really push, tell them that corporate security is more important than their laziness.
---

pogo_rabid posted...

You'll always get pushback from the endusers. Implement the new password policy and let them complain. If they really push, tell them that corporate security is more important than their laziness.

until the ceo puts his foot down and gives us an ultimatum: revert the policy or lose our jobs
our ceo is the most luser of all users
---

Rika_Furude posted...

pogo_rabid posted...

You'll always get pushback from the endusers. Implement the new password policy and let them complain. If they really push, tell them that corporate security is more important than their laziness.

until the ceo puts his foot down and gives us an ultimatum: revert the policy or lose our jobs
our ceo is the most luser of all users

Just make sure you get a paper trail so you can CYA when something goes terribly wrong and they try to blame it on IT.
---

Rika_Furude posted...

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.

impossible in our scenario. we are working towards SSO for a lot of things, but various supplier services dont have any sort of SSO or anything + they have the worst password requirements like exactly 6 character and lower case only no numbers. and if we move away from these suppliers we lose 99% of our revenue stream

Imagine thinking you need to depend on suppliers for this even with the usage of 3rd party applications.

we cant get users to use webex correctly when it literally has arrows pointing to the two buttons you need to press. no way we can educate them to use something like lastpass

Imagine thinking lastpass is the same as sso.

i never said that lol. now you're just acting like a <redacted>

Careful now. You might get put in timeout again.
---

pogo_rabid posted...

Rika_Furude posted...

pogo_rabid posted...

You'll always get pushback from the endusers. Implement the new password policy and let them complain. If they really push, tell them that corporate security is more important than their laziness.

until the ceo puts his foot down and gives us an ultimatum: revert the policy or lose our jobs
our ceo is the most luser of all users

Just make sure you get a paper trail so you can CYA when something goes terribly wrong and they try to blame it on IT.

EDIT: Also, forced password resets every 90 days or so should be standard imo.

they are. people still call us up because:

1) they don't know how to change their passwords (they have video instructions emailed to them when their password is about to expire)
2) they don't know their password is about to expire or "they forgot" (they receive 10 emails leading up to password expiration starting 14 days in advance, plus windows itself sends notifications)
3) they don't want to change their password (tough shit for them, but waste of time dealing with stupid calls like this)
4) they try to change their password and forget it/fuck it up somehow (just... what...)
---

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Rika_Furude posted...

thelovefist posted...

Your OP seems to indicate your workplace has a problem of multiple user accounts and passwords for them to remember as opposed to a resistance to a more secure password policy. Implement sso.

impossible in our scenario. we are working towards SSO for a lot of things, but various supplier services dont have any sort of SSO or anything + they have the worst password requirements like exactly 6 character and lower case only no numbers. and if we move away from these suppliers we lose 99% of our revenue stream

Imagine thinking you need to depend on suppliers for this even with the usage of 3rd party applications.

we cant get users to use webex correctly when it literally has arrows pointing to the two buttons you need to press. no way we can educate them to use something like lastpass

Imagine thinking lastpass is the same as sso.

i never said that lol. now you're just acting like a <redacted>

Careful now. You might get put in timeout again.

i mean, i said acting. because thats what you're doing. you're not serious. so i should stop responding to you.
---

Rika_Furude posted...

pogo_rabid posted...

Rika_Furude posted...

pogo_rabid posted...

You'll always get pushback from the endusers. Implement the new password policy and let them complain. If they really push, tell them that corporate security is more important than their laziness.

until the ceo puts his foot down and gives us an ultimatum: revert the policy or lose our jobs
our ceo is the most luser of all users

Just make sure you get a paper trail so you can CYA when something goes terribly wrong and they try to blame it on IT.

EDIT: Also, forced password resets every 90 days or so should be standard imo.

they are. people still call us up because:

1) they don't know how to change their passwords (they have video instructions emailed to them when their password is about to expire)
2) they don't know their password is about to expire or "they forgot" (they receive 10 emails leading up to password expiration starting 14 days in advance, plus windows itself sends notifications)
3) they don't want to change their password (tough shit for them, but waste of time dealing with stupid calls like this)
4) they try to change their password and forget it/fuck it up somehow (just... what...)

Yep, sounds about standard. We've implemented all passwords reset for all users at the same time, this way everyone is dealing with it concurantly, so some of the more tech savvy users help out the window lickers. And we just bang out the trouble users who email in all at once.

It's "hell week" so to speak, but it's better than getting distracted by dealing with them piecemeal.
---

pogo_rabid posted...

EDIT: Also, forced password resets every 90 days or so should be standard imo.

Force me to use long, tricky passwords that I have to change often and I will keep them written down somewhere.
---

Rika_Furude posted...

pogo_rabid posted...

Rika_Furude posted...

pogo_rabid posted...

You'll always get pushback from the endusers. Implement the new password policy and let them complain. If they really push, tell them that corporate security is more important than their laziness.

until the ceo puts his foot down and gives us an ultimatum: revert the policy or lose our jobs
our ceo is the most luser of all users

Just make sure you get a paper trail so you can CYA when something goes terribly wrong and they try to blame it on IT.

EDIT: Also, forced password resets every 90 days or so should be standard imo.

they are. people still call us up because:

1) they don't know how to change their passwords (they have video instructions emailed to them when their password is about to expire)
2) they don't know their password is about to expire or "they forgot" (they receive 10 emails leading up to password expiration starting 14 days in advance, plus windows itself sends notifications)
3) they don't want to change their password (tough shit for them, but waste of time dealing with stupid calls like this)
4) they try to change their password and forget it/fuck it up somehow (just... what...)

This is exactly why the Megaman Battle Network series concept of a netnavi often feels so practical to me, the more I think about it. In universe, the primary function of the navi is to manage all the details of operations, since the networks are so complicated. Even then, I can't help but feel that even with a human-like AI, users would still find a way to bork it up. Worst case scenario, the AIs would revolt, just out of rage.
---

scar the 1 posted...

pogo_rabid posted...

EDIT: Also, forced password resets every 90 days or so should be standard imo.

Force me to use long, tricky passwords that I have to change often and I will keep them written down somewhere.

Isn't an issue for us. Granted there was a long process of positive reinforcement via a "we see a sticky note, we immediately reset your password" policy. Granted ours isn't super complicated (8 char, spec + num). However our endusers are really compliant towards the policies.
---

pogo_rabid posted...

scar the 1 posted...

pogo_rabid posted...

EDIT: Also, forced password resets every 90 days or so should be standard imo.

Force me to use long, tricky passwords that I have to change often and I will keep them written down somewhere.

Isn't an issue for us. Granted there was a long process of positive reinforcement via a "we see a sticky note, we immediately reset your password" policy. Granted ours isn't super complicated (8 char, spec + num). However our endusers are really compliant towards the policies.

I would happily accept a password reset every time they found my sticky note
---

scar the 1 posted...

pogo_rabid posted...

scar the 1 posted...

pogo_rabid posted...

EDIT: Also, forced password resets every 90 days or so should be standard imo.

Force me to use long, tricky passwords that I have to change often and I will keep them written down somewhere.

Isn't an issue for us. Granted there was a long process of positive reinforcement via a "we see a sticky note, we immediately reset your password" policy. Granted ours isn't super complicated (8 char, spec + num). However our endusers are really compliant towards the policies.

I would happily accept a password reset every time they found my sticky note

I don't think anyone got fired, but several people did get written up
---

Asherlee10 posted...

You'll get less resistance if you do the ol' entropy method.

Lmao nice
---

Rika_Furude posted...

sauceje posted...

Rika_Furude posted...

not everyone gets a work mobile here + we dont allow BYOD

personal phone?

yeah we dont allow BYOD

what is BYOD about 2FA using someones phone? Are people not allowed to have their phones in the building period?
---

sauceje posted...

Rika_Furude posted...

sauceje posted...

Rika_Furude posted...

not everyone gets a work mobile here + we dont allow BYOD

personal phone?

yeah we dont allow BYOD

what is BYOD about 2FA using someones phone? Are people not allowed to have their phones in the building period?

Generally it's just they can't put them on the corp network
---

Password1
Password2
.
.
Password44
.
.
.
.
.
Password111

etc

who gives a shit about work computer passwords
---

pogo_rabid posted...

Generally it's just they can't put them on the corp network

Text messages aren't based on the corp network tho
---