Is Mandatory Frequent Password Changing at Universities Effective or Overkill?

Thread starter: Pengwuino
Summary:
California State University, Fresno's IT department has implemented stringent password policies that require faculty to change passwords every three months, prohibiting the use of the last 12 passwords. This has led to frustration among faculty, who argue that such measures are unnecessary and cumbersome, especially since many have never experienced account compromises. Suggestions for coping with the rules include incrementally modifying existing passwords or using memorable phrases. The discussion highlights a broader critique of IT security practices, noting that overly complex password requirements can lead to insecure behaviors, such as writing passwords down or using predictable patterns. Participants shared experiences from various workplaces with similar policies, emphasizing the challenges of remembering multiple complex passwords and the ineffectiveness of such security measures. The conversation also touched on alternative security methods, like biometrics, and the paradox of increased security leading to decreased usability. Overall, the thread reflects a common sentiment that current password management practices may not effectively enhance security while complicating user experience.
Pengwuino
Good God. Apparently California State University - Fresno's (and yes I'm intentionally naming names) IT department is full of CRAP. Maybe this is just because I became "faculty" but ever since last semester they have required we change our passwords to log into their systems (for emails, class stuff, online course work, everything) every 3 months. That's fine but the thing that pisses me off is that they demand you use a new password every time that's checked against your last 12 passwords. In other words I can't use the same password for the next 4 years. 4 YEARS! Seriously, I use the same/similar passwords for most of my accounts and I've never ever had an account compromised. Ever. Anywhere.

Sometimes I think the IT department is actually the special ed department in disguise.
 
Pengwuino said:
Good God. Apparently California State University - Fresno's (and yes I'm intentionally naming names) IT department is full of CRAP. Maybe this is just because I became "faculty" but ever since last semester they have required we change our passwords to log into their systems (for emails, class stuff, online course work, everything) every 3 months. That's fine but the thing that pisses me off is that they demand you use a new password every time that's checked against your last 12 passwords. In other words I can't use the same password for the next 4 years. 4 YEARS! Seriously, I use the same/similar passwords for most of my accounts and I've never ever had an account compromised. Ever. Anywhere.

Just keep adding the same character, like an "S", to your existing password.

I suggest starting with CSFITSUCKS
 
Pengwuino said:
Seriously, I use the same/similar passwords for most my accounts and I've never ever had an account compromised. Ever. Anywhere.
I need a password like that. What is it?
 
zoobyshoe said:
I need a password like that. What is it?

Oh it depends, if it's anything financially related it's ... wait a minute. You sneaky little...

Ivan Seeking said:
Just keep adding the same character, like an "S", to your existing password.

I suggest starting with CSFITSUCKS

Now you're thinking! Or I can use my normal password and slowly add letters. First one will be I, then T, then C-A-N-S-U-C-K-I-T. That'll last me probably long enough until I am out of grad school and have lost my actual need to have an email for the university.
 
concatenate favoritepassword and mmyy datecode :shy:
 
Just add a number to the end of your password and do an increment of one to the password every time they ask you to change it if you are not so psyched about security.
 
Yah I probably should. PenguinLover1 it is.
 
What's funny is that, while you may not use a password identical to any previous ones, you are allowed to change just one letter...it doesn't really add more security that way, since if someone knows "PenguinLover1", it's not too hard for them to guess "PenguinLover2".

However, it's actually impossible to design a system that can check for something more general than merely exactly matching previous passwords. The reason is that the password must be stored by using an irreversible (in principle) hash map...and that hash map must be such that it maps close strings to distant strings (where distance is some metric of how much the strings match). Therefore the best the system can do is take password2, hash it, and see if it matches the stored hash for password1.
 
Hmm. I'd bet that there are a few people who might follow a somewhat predictable pattern when forced to change passes so frequently. I'd question the safety of such a requirement; they'd better have that password database very secure.
 
  • #10
We have the same password rules at work, so we all keep a list of all of our passwords on a sheet management gave us so we can keep track of them and keep it next to our computer. Most of us also keep a list electronically in our computers in a folder cleverly disguised with the name "passwords".
 
  • #11
Pengwuino said:
Yah I probably should. PenguinLover1 it is.

You are in love! Wuahahaaahaa :smile: aaahaaa
So, who is it? A fish :biggrin:
 
  • #12
Similar password rules exist where I work. Their password checker is even more stringent. If one's password is PenguinLover1 one month, changing it to PenguinLover2 the next won't work. Moreover, if one has multiple accounts (e.g., an account for receiving Microstuff mail, another account for lab A, another account for lab B, etc.), the passwords have to be different in each system, have to be changed on an annoyingly regular basis, and can't have any words in them. Passwords have to be random forgettable nonsense.

Oh yes, they can't be written down or stored anywhere. IT people can be incredibly dense. Their rules cannot be followed. As a result, people go out of their way to keep their passwords the same on different systems, or write them down, or put them in a file conveniently called passwords, or mail the passwords to themselves, unencrypted of course.

IT people do realize that people do forget their passwords. For example, I can call the helpless desk over the phone and ask for a password reset. This happens so often that the helpless desk will reset my password without asking for my address, my mother's maiden name, or any other silly nonsense that proves that I am who I claim to be.
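The exact-match history check Ben Niehoff describes a few posts up, together with the stricter "PenguinLover1 to PenguinLover2 won't work" behaviour of the checker D H's workplace uses, as an added Python example written for this thread (it is not code from the forum, from CSU Fresno, or from any real password system). It stores only salted PBKDF2 hashes, so against old passwords the only test it can make is equality, done by rehashing the candidate under each stored salt, exactly as Ben says. The current password, however, is typed in the clear at change time, so a distance check is possible against that one password. The example also enforces a minimum password age, an assumption not in any policy quoted in the thread but the usual control against cycling through the whole history in a few minutes. The similarity threshold, iteration count, window size of 12, helper names and the filler passwords in the demo are all constructed for the example.

```python
import difflib
import hashlib
import hmac
import os

# Policy knobs. The thread's policy is "last 12 passwords"; the other
# values are assumptions made for this example.
HISTORY_DEPTH = 12            # current password plus the 11 before it
MIN_AGE_SECONDS = 24 * 3600   # assumption: at most one change per day
MAX_SIMILARITY = 0.8          # assumption: difflib ratio above this is "too similar"
PBKDF2_ITERATIONS = 100_000   # kept modest so the example runs quickly


def hash_password(password, salt):
    """Salted, iterated one-way hash; this is all the server ever stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def similarity(a, b):
    """Crude distance metric: 1.0 means identical, 0.0 means nothing in common."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


class PasswordHistory:
    """Per-user record of the current password hash and the previous ones."""

    def __init__(self, initial_password, now):
        self.entries = []   # newest first: (salt, digest, changed_at)
        self._store(initial_password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.entries.insert(0, (salt, hash_password(password, salt), now))
        del self.entries[HISTORY_DEPTH:]   # forget anything older than the window

    def verify(self, password):
        salt, digest, _ = self.entries[0]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def check_change(self, old_password, new_password, now):
        """Return (accepted, reason). Nothing is stored here."""
        if not self.verify(old_password):
            return False, "current password incorrect"
        if now - self.entries[0][2] < MIN_AGE_SECONDS:
            return False, "minimum password age not reached"
        # History: the stored digests are one-way, so the only test possible
        # against old passwords is exact equality, by rehashing the candidate
        # under each stored salt.
        for salt, digest, _ in self.entries:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                return False, "password was used recently"
        # Similarity: the *current* password was just typed in the clear, so a
        # distance check is possible against that one password only.
        if similarity(old_password, new_password) > MAX_SIMILARITY:
            return False, "too similar to current password"
        return True, "ok"

    def change(self, old_password, new_password, now):
        accepted, reason = self.check_change(old_password, new_password, now)
        if accepted:
            self._store(new_password, now)
        return accepted, reason


def demo():
    """Walk through the thread's scenarios; returns the rejection reasons."""
    day = 24 * 3600
    h = PasswordHistory("PenguinLover1", now=0)
    results = {
        "increment": h.change("PenguinLover1", "PenguinLover2", now=100 * day)[1],
        "reuse": h.change("PenguinLover1", "PenguinLover1", now=100 * day)[1],
        "fresh": h.change("PenguinLover1", "correct horse battery staple", now=100 * day)[1],
    }
    # Cycling back to the original: the minimum age blocks "12 changes in
    # 12 minutes", and even at one change per day the original only becomes
    # usable again after HISTORY_DEPTH - 1 distinct intermediate passwords.
    results["too_fast"] = h.change("correct horse battery staple", "another one", now=100 * day + 60)[1]
    current, t = "correct horse battery staple", 101 * day
    for i in range(HISTORY_DEPTH - 1):
        # deterministic, mutually dissimilar filler passwords (constructed)
        filler = hashlib.sha256(f"filler {i}".encode()).hexdigest()[:16]
        if not h.change(current, filler, now=t)[0]:
            raise RuntimeError("filler change unexpectedly rejected")
        current, t = filler, t + day
    results["original_after_cycle"] = h.change(current, "PenguinLover1", now=t)[1]
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

The demo shows both halves of the argument in the thread: the hash store genuinely cannot tell that "PenguinLover2" is one keystroke away from a password used two changes ago, but it can refuse the increment against the password being replaced, and the minimum age is what turns the 12-password window from a few minutes of clicking into, in this configuration, at least eleven days.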

 
  • #13
I usually just follow a string of digits for the decimal expansion of say, \pi or \sqrt{2}. I can cope with quite a few password changes since I know quite a few random irrational numbers to enough decimal places.

I just hate when they require at least 1 number in a password. Everyone knows the average user is just going to add a one at the end of their original all-word pass.
 
  • #14
Pengwuino said:
That's fine but the thing that pisses me off is that they demand you use a new password everytime that's checked against your last 12 passwords. In other words I can't use the same password for the next 4 years. 4 YEARS! Seriously, I use the same/similar passwords for most my accounts and I've never ever had an account compromised. Ever. Anywhere.

Sometimes I think the IT department is actually the special ed department in disguise.

Pengwuino;

If you have friends in the IT Dept they can reset your pwd to what you prefer for you.
Don't ask how I know this... hehehe

If you use Firefox, under Tools, Options, Security, it lets you create a master pwd, then enter the URLs, IDs and pwds as needed.

For more security, just google, password lockers, and there are a number of free ones out there too... fairly secure, encrypted, the only caveat is you must remember the location and master password. Not too hard to do.

Good luck in whatever method you choose...

If it were me, and I had 5 to 15 of them to remember, I would use a password locker...

Rhody...:wink:
 
  • #15
I hate IT departments in general. You would rather jump off a bridge and die than deal with an IT department.
 
  • #16
There was a time when even OUR IT dept. required frequent password changes. My PF password ends with 7.
 
  • #17
It's one of the first laws of computer (or pretty much anything) security.
All attempts to make it more secure by insisting on passwords too long to remember or monthly password changes make the system less secure.

Physical security is the same, you replace an intelligent receptionist who knows everyone in the dept, with a mall-cop security guard who lets somebody load all the computers into a van because they had clipboards and uniforms (happened at my college - the machines never even got unpacked).
 
  • #18
mgb_phys said:
It's one of the first laws of computer (or pretty much anything) security.
All attempts to make it more secure by insisting on passwords too long to remember or monthly password changes make the system less secure.

Problem is, this law is known only to users. For some reason IT security specialists are trained to ignore it.
 
  • #19
Ben Niehoff said:
However, it's actually impossible to design a system that can check for something more general than merely exactly matching previous passwords. The reason is that the password must be stored by using an irreversible (in principle) hash map...and that hash map must be such that it maps close strings to distant strings (where distance is some metric of how much the strings match). Therefore the best the system can do is take password2, hash it, and see if it matches the stored hash for password1.

The passwords on the computer system I use are pretty sophisticated.

1. The password has to be at least 37 characters long and the number of characters has to be a prime number.
2. Your password can't be the same, or similar, to your last 17 passwords (and again, I think there's some significance to the number of past passwords being a prime number). Up to 5 characters of any of your last 11 passwords can be used in your new password, but they can't be used in the same or a similar pattern.
3. You can't have any part of your password replicate any pattern used earlier in your password. (in other words, I can't create an easy 7 letter password and type it 6 times).
4. You have to use a minimum of 3 special characters and no special character can be used more than 3 times in the same password.
5. You have to use a minimum of 3 numbers and no number can be used more than 3 times in the same password.
6. You have to use a minimum of 3 upper case letters and no upper case letter can be used more than 2 times in the same password.
7. You have to use a minimum of 3 lower case letters and no lower case letter can be used more than 4 times in the same password.
8. The characters in your password cannot match the first letters of any phrase used in the Bible.
9. The characters in your password cannot match the first letters of any phrase used in the Quran.
10. The characters in your password cannot match the first letters of any phrase used in any of the books in the Congressional Library.
11. The characters in your password cannot match the first letters of the 19 most commonly used English vulgar phrases.
12. No two users can have the same password, nor can the system reveal to any user that their password matches the password of any other user.
13. No two characters of your password can be adjacent to each other.
14. The characters in your password cannot match the pattern of any legal poker hand.
15. The physical pattern formed by any two characters can't match any legal moves in the game of chess, checkers, chinese checkers, Go, Sorry!, or Twister.
16. Your password must be changed at least 4 times a month, but the number of days between each password change cannot match the number of days between any other password changes over the last 3 months, excepting leap years, when the number of days between each password change must not match the number of days between the last 11 password changes.
17. You may not write down your password. Your keyboard must be hidden from view when changing your password or, in the event it's impossible to hide your keyboard, the lights must be turned off while changing your password.
18. Music or other white noise must be present while changing your password to prevent anyone from determining which keys you're pressing by listening to the sound of your keyboard.
19. When logging on, you have 3 attempts to type your password in correctly. Typing in your password incorrectly 3 times will result in the entire system shutting down in a security lock down. You will need to read the installation computer security regulations in their entirety and pass a 100 question multiple question on-line test before being issued a new password. Logging in incorrectly 3 times and bringing the system to a halt twice in a 721 day period will result in termination of employment, along with expungement of all past and present passwords from your memory.

Most of the time, we sit around the workcenter drinking coffee and BSing about American Idol, just praying no one walks in and asks us to do any work, since that would require logging in to the system and none of us can remember our password. Fortunately for us, anyone that might possibly ask us to do some work has to use the same computer system as us and they can't log in either.

Our computer tech folks earned the International Computer Security Association's McAfee Award for having the best morale of any IT section in the Northern Hemisphere (they were runner-up to an IT section in New Zealand for the world championship in morale). They also earned a Demeter Workcenter Efficiency Award for an online, computer help system that reduced complaints to zero.
 
  • #20
Evo said:
We have the same password rules at work, so we all keep a list of all of our passwords on a sheet management gave us so we can keep track of them and keep it next to our computer. Most of us also keep a list electronically in our computers in a folder cleverly disguised with the name "passwords".

So instead of just having the same single password in your memory and not written down anywhere, you're forced to have your passwords written down in several different places. That sounds a lot more secure to me.
 
  • #21
... Have you worked with the FBI BobG?
 
  • #22
BobG works at a starbucks:biggrin:
 
  • #23
BobG said:
The passwords on the computer system I use are pretty sophisticated.
If that's not bad enough, the government computers I work with have a different password for every database plus your normal log-on password. And yes. They have to be changed every 90 days.
 
  • #24
We have logins and passwords just to get to a second set of logins and passwords for some of our systems, and that's after you use a login and password to get into your computer, then that system shuts you out every 15 minutes in case anyone managed to get into your session, and you have to re-enter both sets again. And that's the system I use most often.
 
  • #25
I wonder why we're not using biometrics. Everybody uses a small scanner attached to each PC in the department, and when you need to log on, you press a finger or thumb on the scanner to have your print compared to the print you provided IT when you were hired. If IT wants to limit log-ins to 15-20 minutes or so, it would be a simple matter to have your print scanned again, to prove it's really you at the computer. Making passwords too long or complicated so that they can't be remembered is ridiculous. People being people, they will subvert that system by writing down the passwords somewhere they can get at them easily - and where any reasonably intelligent person could find them pretty quickly.
 
  • #26
turbo-1 said:
I wonder why we're not using biometrics.
They mostly don't work.
The fingerprint scanners (e.g. in Thinkpads) either don't recognise you or they work for anyone, they also don't restrict admin logins.
We used secure-id key fobs that generate a random number for remote users on laptops, they work as long as the user doesn't lose the keyfob.

The main problem with computer security is bosses. They are the ones that use free wifi in airports/cafes to log onto sensitive systems, they lend their laptops to their teenage kids to download music - and the amount of porn/malware/downloaders you find on their machines is stunning.
And unfortunately, unlike the military, you can't refuse. In the army a guard gets commended for refusing to let in a general without the right pass - in business if the CEO wants you to remove the passwd on the mail server so they 'fix it' you have to do it.
 
  • #27
Evo said:
We have the same password rules at work, so we all keep a list of all of our passwords on a sheet management gave us so we can keep track of them and keep it next to our computer. Most of us also keep a list electronically in our computers in a folder cleverly disguised with the name "passwords".

Once in a while, the military used to send around a team that tried to gain physical entry to a military base and into their computer systems, etc, just to see how effective their security procedures were.

They were really good at what they did and usually succeeded, so the results were usually more educational than punitive. Still, there were always a few things that were just downright embarrassing. People in the computer security office having a list of their personal passwords on a file on the network would rank pretty near the top of the list of embarrassing items, since you'd really expect those folks to know better.

The after action report was always fascinating because most people did things about 98% right in all the instances that allowed the team to crack the system. It's always that lack of seeing the big picture, why a particular procedure is in place, and what it means that seems to trip people up.

It reminds me of trying to use my credit card. When the clerk went to compare my signature on the receipt to my signature on the card, she realized I'd never signed my card. She made me sign the card right there at the counter. Then she dutifully compared the signatures on the receipt and the card, and, as might be expected, they matched perfectly. :smile:
 
  • #28
mgb_phys said:
They mostly don't work.
The fingerprint scanners (eg in Thinkpads) either don't recognise you or they work for anyone, they also don't restrict admin logins.
I see a fortune awaiting anyone who can come up with a reliable USB print-scanner and software. The software should ideally let the IT folks set permissions for every user and change them when necessary. If you don't want a user to have the ability to modify files that they didn't create, that should be do-able, too.
 
  • #29
I like the idea of a small RFID device implanted in the hand, which will allow you to log onto the company's computers. Each one has its own profile, and the IT people can set it up as to what your access is.
 
  • #30
mgb_phys said:
All attempts to make it more secure by insisting on passwords too long to remember or monthly password changes make the system less secure.
For the OP. Why don't you just change your password 12 times in 12 minutes and end up back where you started?

At work, we have several passwords for various uses and we have to keep changing all of them. They have rules about how many digits, letters, and punctuation, and overall length. I've run out of children's birthdays and such. There is simply no way for me to remember this stuff. I can't even remember my children's birthdays. So I write it down. Which is why the system is less secure.
 