steve
response 100 of 226:
Apr 30 01:43 UTC 1995
Yes, it does, at least in some cases.
Most people aren't quite so perverse to change their pw's from
A to B and then B to A again. Most people, once confronted with
the fact that they need to change passwords, do in fact pick ones.
I speak as a consultant here, having to explain password
security to people. Most do change when forced. Most will never
change a password until and unless they are forced to.
Password security is much like backup policies. How many people
do we all know who never backup anything? We all know of people
who run into a situation where they've lost data, solely because
they didn't make backups. In this day of interconnected systems
we're seeing people who never change their passwords get badly
burned because of a lack of changing.
sidhe
response 101 of 226:
Apr 30 02:58 UTC 1995
I don't agree. I know for a fact that there are many who,
grown THAT attached to a single word, WON'T give it up.
It does no real good, no more so than a good, stern, boilerplate
reminder notice sent to their mailbox.
steve
response 102 of 226:
Apr 30 03:37 UTC 1995
Well Christopher, speaking as someone who works in the information
industry, I know it does matter.
I also know of someone at a company in Toledo OH who was recently
fired from his job because he took the attitude that you are espousing
about passwords.
Join the information world, Christopher: realize that password
security is *vital*, and the old ideas of being able to keep lax
standards are gone.
Even better, make a copy of this item, which is turning into an
argument between us. Put it in a book somewhere, such that you'll
forget about it. Then, some number of years from now you'll find
it and read it. I encourage anyone else who thinks I'm off base
to do the same.
Unfortunately, you'll see that I'm right.
mdw
response 103 of 226:
Apr 30 09:57 UTC 1995
Well, sidhe - those people you mentioned, who have grown attached to
that ONE word - I trust you realize that those people *are* making a bad
decision? If it's the same thing on many systems, then their password
is less secure than the least secure system they use (for instance, if
they use 10 systems, and there is only a 2% chance of their password
being stolen, then that results in a 19% risk) If it's a word out of a
dictionary (and NOT necessarily English!) or something obviously related
to the person (and you'd be amazed how many people would like to use
their loginid as their password!) - then the risk goes up again..
Obviously, the best thing is to make users themselves aware of the risks
and security trade-offs. That's why newuser spends a whole screen-full
on password security, and specifically warns against using the same
password on more than one system, or sharing a password with *anyone*.
(That warning has been there since day one, and even so, we *still* have
people who get burned by friends!)
But user education won't reach somebody who doesn't read the text, or
decides to ignore it. You and I both know that, at some point in the
future, that person *IS* going to get hurt by their carelessness. A
friend is going to get malicious. A cracker will steal their password.
An ex-lover's boy friend will use it to steal files on CIS. Something
unpleasant, illegal, or we hope, merely moderately embarrassing, will
happen. But, whatever it is, that person is going to feel violated,
used, and abused.
Obviously, we can't completely stop stupidity. But isn't this worth one
man-minute-year per user of effort? Do you have a different/better
method to reach these people?
lilmo
response 104 of 226:
Apr 30 19:53 UTC 1995
Re #100 & #101: sidhe, you know some ppl and a few are stubborn enuf to
retain their password even when forced to change it. steve has, as a
part of his job, spoken to MANYmany ppl about passwords, in a professional
capacity, remember, and, while he has encountered some ppl with that
attitude, he has also encountered many ppl who would NOT respond to a
harsh, gentle, boilerplate or begging e-mail msg to change their password,
but who WOULD change it if their old one was expired.
Which person has more convincingly presented his view of human reality
regarding this subject?
sidhe
response 105 of 226:
May 1 09:37 UTC 1995
Lilmo, the presentation does not concern me.
Alright- steve, mdw.. I understand where your problems lie. I still
do NOT agree with forced changes, but I find that there is simply too
much for either of you to worry about, for you to ever change your minds
as well. That being the case I drop the request. For now.
Steve- this has never been an argument between us. This is a
discussion of policy, as open as the rest of the system.
davel
response 106 of 226:
May 1 10:21 UTC 1995
Strange. I find it bizarre that the prospect of wasting 1 minute per
year fills you with such horror that you'll endlessly complain about
it, no matter how much time you waste doing so. Steve & mdw generally
seem open to persuasion, OTOH.
gregc
response 107 of 226:
May 1 11:46 UTC 1995
It's not the 1 minute per year that scares sidhe, it's the idea of change.
The human animal has a strong tendency to become comfortable with a known
thing, and then to violently fight any attempt to change that thing. Even
in cases where the new thing is obviously and demonstrably better.
ajax
response 108 of 226:
May 1 12:26 UTC 1995
I can't speak for sidhe, but as a fellow opposee, it's not the "change"
part of "forced password changes" that I don't like, it's the "forced" part.
steve
response 109 of 226:
May 1 15:54 UTC 1995
Well, that part I can understand, not liking the forced part.
Unfortunately, it's the only way to get most people to change their passwords.
rcurl
response 110 of 226:
May 1 20:14 UTC 1995
Everything about this system is forced. You are forced to enter respond
or pass or return; you are forced *to enter your password* to login; you
are forced to use a computer to connect - good grief, having to change
your password annually is 0.0000001 or less of the forced things users
already gladly do. So, I don't buy any objection to being "forced"
(especially when it's for your own good ;->).
ajax
response 111 of 226:
May 2 05:09 UTC 1995
Yay, I need Big Brother deciding what's best for me!
Please, forbid me to eat Big Macs too! :)
There are lots of "forced" things on Grex, but they're generally
questions (respond or pass - a *choice*, asking what *I* want to do),
or they're for the good of the system as a whole. Forced password
changes don't seem to me to fall into those categories; they're
primarily to "benefit" *me*, and I'm able to decide for myself
whether I want that benefit. I wouldn't mind if it asked "do you
want me to force an annual password change," or "it's been a year,
Grex's luminaries recommend changing your password; would you like
to?" I'm pro-choice when it comes to passwords, both when to change
them, and what to change them to. I don't mind having advice given
to me, but the decision should be up to me, not up to others.
As I've said before, I don't think it's worth the effort to change
anything, I'm just saying what I think is a more ideal system.
rcurl
response 112 of 226:
May 2 06:06 UTC 1995
I think required password changes benefit the system as much or
more than it benefits you. Staff must deal in some way with every
violation of an individual account - an additional burden upon a
group of volunteers. However, I have no problem with giving the
user a choice, such as you suggest. How about, the choice to change
your password at intervals of at least a) 360 days, b) 370 days?
sidhe
response 113 of 226:
May 2 07:21 UTC 1995
Ajax has the right of it. Change I don't mind. Forcing said
change I am VERY uncomfortable with.
If I truly minded change, I would not have changed my password after
the last break-in. That was necessary, BY MY CHOICE, to protect what it mine.
Is mine, even. The fact is, I would have no problem with an e-mail
reminder to change it once a year, or even more often. It's the
forced part that sits poorly in my stomach.
gregc
response 114 of 226:
May 2 09:08 UTC 1995
I've been working with computers and in the computer field for almost 20
years. One of the things that you learn is that people won't, on the whole,
change their passwords unless you make them. I wish it wasn't true, but
that's the reality of the situation. Unfortunately, if your job is to
ensure the security of the system, you have to get people to change their
passwords. So you either become unpopular with the user populace, or you
become unpopular with your employers when a breakin occurs and you get
fired. Most people in this situation choose the former. :-)
adbarr
response 115 of 226:
May 2 11:19 UTC 1995
re: 113 - Requiring password changes has little to do with protecting
*you* from yourself. It has everything to do with protecting
everyone from the jerks that misuse the system or cause destruction.
You are "forced" to stop for red lights at highway intersections,
not to protect you, but to protect the rest of the public. Your
actions or inactions have consequences that can cause harm to others.
We enforce traffic rules and impose penalties because, unfortunately,
enough people exist with no social conscience to create chaos if
the rules were not enforced. No one is trying to tell you how
to run your life, what is being said is you do not have a "right"
to define rules for your behavior that will harm others. If
you want to enjoy the benefits of Grex you must be willing to
contribute by being a responsible user - just like driving
a car.
steve
response 116 of 226:
May 2 14:31 UTC 1995
Greg speaks the truth in #114. But there is an even more
important reason for changing passwords, which isn't obvious. Each
password break-in and subsequent mail spamming, or whatever, hurts
the organization as a whole. To be sure, the individual is affected
more, and much more directly, but the organization that maintains
the compromised account pays a price too.
This isn't of major concern for a company like Prodigy or AOL,
but is something to be concerned with here on Grex. We cannot
afford bad neighbor relations with others on the net. We're too
vulnerable.
scg
response 117 of 226:
May 3 04:00 UTC 1995
Another way to look at it is that the change is forced *only* once a year,
so anybody who is changing their passwords at all regularly will never
notice the forced change. sidhe -- you say you changed your password
after the last break-in. Due to that, it will now be a whole year before
Grex forces you to change your password. I'm assuming that if we have
another such break-in, and it would seem likely that we might sometime in
the next year, you would take the same measures to protect yourself
afterward. Assuming you voluntarily change your password at least once a
year, you will never notice the forced password changes.
ajax
response 118 of 226:
May 3 05:31 UTC 1995
I agree, scg; that's why I object in principle, but don't think
it's worth really worrying about! :-)
sidhe
response 119 of 226:
May 4 21:10 UTC 1995
Again, I must echo ajax. It's the principle I object to.
rcurl
response 120 of 226:
May 4 21:46 UTC 1995
But there is no "principle". There is just a blind script somewhere
in the system that, after about a year, tells the user that their
current password is about to expire, as a procedure to enhance the
security of the system. There are many scripts built into the system
to enhance its security, and this is just another one of those.
popcorn
response 121 of 226:
May 5 15:28 UTC 1995
(Close... it's actually a built-in part of the login program,
not a separate script, which means it's much harder to make
changes to it than it would be if the password expiration system
were a simple script. But you've got the right idea.)
nephi
response 122 of 226:
May 6 09:45 UTC 1995
(Especially since Marcus seems to be guarding the newuser code with
his life. 8*)
davel
response 123 of 226:
May 6 11:13 UTC 1995
Eh? nephi, what's the connection? (and why do you say that?)
popcorn
response 124 of 226:
May 6 13:31 UTC 1995
Marcus does seem to be doing that. But the code we'd need to change
would be the code for login, not the code for newuser. Marcus also
has the code for login.