entombed in the shrine of zeroes and ones ([personal profile] rone) wrote 2006-03-13 09:30 pm

you fuckin' killjoys

I wanted to ask how often you change your secure passwords, but i'd probably get another bucketload of "LOL NOT TELLIN LOL" answers, so forget it.

[identity profile] matrushkaka.livejournal.com 2006-03-14 05:44 am (UTC)(link)
heheh

[identity profile] mezdeathhead.livejournal.com 2006-03-14 05:45 am (UTC)(link)
LOL almost never LOL

[identity profile] omarius.livejournal.com 2006-03-14 05:20 pm (UTC)(link)
ME TOO!!!1I

[identity profile] benchilada.livejournal.com 2006-03-14 05:50 am (UTC)(link)
About every 4 to 6 months.
It's a bitch to remember, but I'd rather spend my time having them send me the "Secret Questions" that I always lie to.

You know, so nobody can find my mother online and find her maiden name.
Fuck that shit, her maiden name is always something like "Tittyshaker" as far as password questions are concerned.

[identity profile] ronebofh.livejournal.com 2006-03-14 05:57 am (UTC)(link)
I'd imagine that you'd have an especially bad time with changing passwords.

[identity profile] dpk.livejournal.com 2006-03-14 05:06 pm (UTC)(link)
Heh. Tittyshaker. That'd be a pretty fun one to say over the phone in the office.

[identity profile] erikred.livejournal.com 2006-03-14 06:38 am (UTC)(link)
Whenever I come across a word or phrase that fits. Sometimes more than others.

[identity profile] pobig.livejournal.com 2006-03-14 06:49 am (UTC)(link)
Not nearly often enough, according to the usual rules.

[identity profile] lusercop.livejournal.com 2006-03-14 08:03 am (UTC)(link)
Not often enough!
(probably about once a year)

[identity profile] lusercop.livejournal.com 2006-03-14 08:06 am (UTC)(link)
Oh, and for what it's worth I thought it was a very interesting poll, and I'm interested to see the results too!

Thanks for asking it, rone!

[identity profile] merovingian.livejournal.com 2006-03-14 08:20 am (UTC)(link)
I change mine when I have had any kind of security breach, or when forced to do so.

[identity profile] sambushell.livejournal.com 2006-03-14 03:52 pm (UTC)(link)
I change mine when he changes his.

[identity profile] merde.livejournal.com 2006-03-14 11:59 pm (UTC)(link)
ditto.

[identity profile] baljemmett.livejournal.com 2006-03-14 09:48 am (UTC)(link)
Not particularly often, apart from the really important ones. Those that let me into clients' systems get changed more often than those that let me into mine, for instance -- one changes every minute, actually.

[identity profile] wisn.livejournal.com 2006-03-14 10:08 am (UTC)(link)
I'd be willing to answer these questions more seriously and in more detail if you allowed anonymous comments for them.

[identity profile] ronebofh.livejournal.com 2006-03-14 03:43 pm (UTC)(link)
Well, you can't answer polls anonymously, but i allow anonymous comments just fine (although i do IP-tracking).

(Anonymous) 2006-03-14 03:49 pm (UTC)(link)
I wasn't seeing the anonymous option last night. Might have been a LJ system problem or I was suffering a short-term optical aberrance.

[identity profile] frosch.livejournal.com 2006-03-14 01:31 pm (UTC)(link)
Whenever they make me. Anything else would be uncivilized.

At work, monthly

[identity profile] vardissakheli.livejournal.com 2006-03-14 01:38 pm (UTC)(link)
for the less secure one, because some systems require privileged users to. Every 90 days for the more secure one, because Italian privacy law requires me to. More annoying than having to follow a foreign country's laws because their citizens might have sensitive information on our systems is that they had to choose 90 and 180 days for some reason, rather than 92 and 184 days so that people could change their passwords on the same day of the month every time.

Outside work, never, until I develop enough trust to use online banking. The worst somebody could do at this point is steal my credit card number. I do have online credit card payment, so they could pay it off from my checking account, but not without alerting me.

[identity profile] ewx.livejournal.com 2006-03-14 01:38 pm (UTC)(link)
When I accidentally type them into IRC.

[identity profile] pentomino.livejournal.com 2006-03-14 04:13 pm (UTC)(link)
I had the good fortune that my password question could be answered without revealing any [perceived] hints at the password.

[identity profile] wolffire.livejournal.com 2006-03-14 04:35 pm (UTC)(link)
For some, every 60-ish days because I am forced to.
For others, varies between every 6 months and never. This is dumb, I know, but it depends on how much I like my password and how sensitive I believe the protected information to be. (Some passwords aren't protecting much besides a whole lot of spam emails sent to a junk collector email account.)

[identity profile] ronebofh.livejournal.com 2006-03-15 07:26 am (UTC)(link)
60-ish days is too soon. Stupid fascist password policies.

[identity profile] crisper.livejournal.com 2006-03-14 04:39 pm (UTC)(link)
Roughly, "every time I need to use a computer in a public place to access my accounts while traveling".

I try to avoid using computers in public places.

[identity profile] haineux.livejournal.com 2006-03-14 06:13 pm (UTC)(link)
My main Apple corporate identity is bc@apple.com, so you can imagine how often I am told that my attempts to reset my password have failed. Someday, some wizenuts with too much time is going to tell me I can't have that corporate identity. I couldn't get it today, after all. OK yeh whatever.

In the meantime, I flat out ignore those warnings until my password stops working, then set it to a new one, based on the exact same heuristic I always use.

The passwords I have are pretty simple: thing + serial number. When the system tells me to change the password, I increment the serial number. "Thing" is some memorable string that is long enough and not in violation of the policies. When they told me I couldn't have a password containing the string "password," I changed it to "wordpass#" for a while, but never got cranky enough to tell the wizenuts that.

The reason people are reluctant to tell this info is because we are all convinced that now said wizenuts is going to outlaw whatever heuristics we've evolved to make up passwords in a memorable way. (Darth Vader voice: "That WAS a good heuristic (exhale-inhale). Now you shall DIE.") These people live for the opportunity to make us memorize crap, never mind that the next time I am told my password HAS to be one selected from a list of "easy to pronounce, highly memorable suggestions," I am going to make sure to have it set in 288 pt Grog Extra Grotesq and posted on the ceiling of my office.

(Mac OS X has a built-in suggester that actually is pretty damn good. I just got: "cull61\navel", a password that I would never use, but which suggests an algorithm I would use. I am sure [livejournal.com profile] ikkyu2 would go for "get1)embolus", as well. I recall the first "memorable" password generator that DEC had. It made a list of several random "syllables," and then spent 99% of its code making sure it didn't suggest anything that might possibly be construed as offensive in any known language. Make of that what you will. You had to pick a suggestion from the list of 20, but could regenerate the list. "pancrohevom" my ass.)

As someone else said, the most important password I have comes from a security token. Luckily, I don't have to carry it on my keychain, but if I did, it would be way better than having these shenanigans. Of course, it COSTS MONEY, so I guess that corporate security isn't THAT important.

Incidentally, I remember the first time my Dad came home from a computer facility that actually HAD passwords instead of just a counter with a flunkie you handed your deck of punchcards. The ONLY password he had was my sister's first name. Now it's the dog's name, mixed with memorable numbers.

[identity profile] marknau.livejournal.com 2006-03-14 08:16 pm (UTC)(link)
I change mine every time an angry IT guy I barely know randomly reminds me that I haven't changed them in years.

[personal profile] kodi 2006-03-14 10:08 pm (UTC)(link)
Do I get thwapped for saying "If they're secure, why would I change them?"?

[identity profile] ronebofh.livejournal.com 2006-03-14 10:10 pm (UTC)(link)
No, as long as you're not expecting that to be a rhetorical question.

[identity profile] peglegpete.livejournal.com 2006-03-15 02:26 am (UTC)(link)
Either when I am forced to or when I've been logging in from a computer I don't feel is sufficiently secure.

Now here's a possibly stupid question... how is changing a secure password on a regular basis more secure?

[identity profile] ronebofh.livejournal.com 2006-03-15 06:55 am (UTC)(link)
Not stupid at all. The key there is the period. Changing a secure password every month is just plain stupid. Even every three months seems excessive. I'd say 1-2 times a year is perfectly sane. I used to do it on a yearly basis, but it's been a long time.

Seriously, Italian law

[identity profile] vardissakheli.livejournal.com 2006-03-15 06:38 pm (UTC)(link)
as of last summer requires any system containing sensitive personal information to require users to change their passwords every 90 days--and any other system every 180 days.

Because we don't prevent employees in Italy from gaining access to our systems around the world--and because more and more of our support is being done on a worldwide basis--corporate direction came down to adopt these periods on all our systems. What they'll do when other countries start passing contradictory laws, I don't even want to find out.

[identity profile] ronebofh.livejournal.com 2006-03-15 06:41 pm (UTC)(link)
I blame Berlusconi. And Bernie Ecclestone, too, just because.

[identity profile] cks.livejournal.com 2006-03-15 08:50 pm (UTC)(link)
Even with secure passwords, you're never 100% sure that they're completely secure and haven't leaked. Changing the passwords periodically means that not only do attackers have to compromise the passwords, they have to compromise them and use them faster than you change them.

Unfortunately, there are a number of ways that secure passwords can leak. For example, perhaps someone has cloned the backup tapes with the password store and is even now using a network of 10,000 compromised zombie PClones in a brute force attack. Or a cracker got a keylogger onto a PClone for a week without getting detected, and is now trying to figure out how to get into your internal network to use them.

(In a sane world people who care a lot about the risks, enough to make you change passwords frequently, would be using two-factor authentication to start with.)

[identity profile] mdyesowitch.livejournal.com 2006-03-15 07:05 pm (UTC)(link)
As little as I can get away with.

[identity profile] cks.livejournal.com 2006-03-15 09:22 pm (UTC)(link)
Mostly I don't change passwords, because changing passwords around here is a royal pain (plus it's a pain coming up with a good new password). I change passwords when they've been compromised, and when there's a strong likelihood that they have been, but that's pretty rare. I'm careful about what systems I use to log in from and arrogant enough to believe that I'd know relatively soon if they get compromised.

(Without meaning to slam Windows particularly, part of the reason that I feel I can get away with this is that I don't use Windows desktops. I'm not sure what I'd do if I had to use one; maybe switch to using S/Key or some other sort of one-time passwords, and get a PDA or the like to run the actual S/Key stuff on.)

[identity profile] ottobeatriscuit.livejournal.com 2006-03-31 10:10 am (UTC)(link)
I'm bad. Never. This is only a problem for me. Work? Passwords are assigned. And I use separate passwords for social and financial stuff. Just started doing that this year.