Trusting your colleagues
That sounds about right to me. I'd trust my colleagues with my work stuff, but never ever with anything personal.
A survey of UK consumers revealed many are far more careful with their social network login credentials than passwords that grant access to corporate systems. A third - 34 per cent - of 2,000 people quizzed admitted sharing their work passwords, but 80 per cent of the same group were unwilling to reveal their Facebook login …
Password re-use is not a good thing (everyone agrees on that), but with the growing number of passwords that people have to remember it's almost inevitable that it will happen.
I tend to reuse a couple of passwords on various sites around the net, but keep unique ones for sensitive things like bank logins, server logins, PayPal, eBay (basically anywhere that could impact me in a serious way).
The places where my passwords get re-used are places that can have little or no impact (forums etc.), where the worst somebody could do is find out my email address, telephone number etc. As a company director that information (and a lot more) is already in the public domain, so the only additional risk is that somebody could post as me on several different websites (including this one).
Purely out of interest, I just tested how long it would take me to find out full and detailed info about me armed with only my email address.
The ownership details of my domain name can be found within 10 seconds.
Given the company name (from the domain ownership), another 20 seconds reveals my full name, full address, partial date of birth (mm/yyyy) and details of a further 3 companies that I am involved with (including their financial state).
Given the address, getting my phone number takes a further 30 seconds.
The end result is that losing logins to sites where I re-use passwords reveals less about me than could be found within 1 minute of knowing my email address and having access to Google.
I wonder how many others on here are in exactly the same position.
In case anyone is wondering what my workflow was for the above, it went like this (assuming an email address of jess@abc.co.uk):
1. whois on the domain name (from the email address) revealed ownership of abc.co.uk by abc ltd.
2. A lookup of abc ltd at companycheck.co.uk revealed a director named Jess (with a link to further info).
3. The link from step 2 went to http://company-director-check.co.uk, which revealed everything but the telephone number.
4. No telephone number anywhere for abc ltd, but one of the other companies revealed is listed at the same address as the director called Jess, and that company has a telephone number advertised.
...that you are so surprised. This is mostly info in the public domain, unless you explicitly choose to hide it. For example, all domain names are registered to someone or something, but personally I use a hosting company that hides registration details for free (some charge, say, $10 pa) and gives THEIR contact details rather than mine to the whole world wide web. With company checks you can't avoid that; all directors are listed publicly, and that has always been the case. The main issue that I see with technology is that it is potentially giving EVERYONE instant access to details that were once only available if you physically went to get those records from a public office, or you wrote to them. Now any clown in the world can instantly get them... and we call that progress?
It must be so difficult, living in modern times. Apart from having to remember your address - or getting lost 'cos you've forgotten where you live. Or your registration number and wandering the neighbourhood attempting to get into every vehicle you come across (at least that's what I told the nice officer). Or what channel your favourite programmes were on. Or your spouse's name (not one you want to get wrong!) or any of the other gazillions of pieces of information you need to recall just to live your daily life.
Now add on top of all that, three or four (or even 10 or more) passwords. It must be pure hell.
In fact, recalling data that you use on a daily basis is no big deal - we do it thousands of times every day. So, provided you pay attention when you set the password and use it regularly, it's as easy as remembering to get dressed before you leave the house. The big problem only comes when one of the stooopid "security" systems insists you change a perfectly good password on a regular, or frequent basis. Now that IS dumb.
Are you forced to choose a new phone number every month, with service revoked if you forget it more than three times after a change? And have to remember the last 24 as you can't repeat them.
And the same with your address? And everything else you use?
Thought not...
I just checked. I have 51 login/password combinations recorded on a file that I keep "somewhere". Many of these are not used often enough for me to remember. A lot of them are passwords that were forced on me by the site and are next to impossible to remember. Not the same as phone numbers at all. I'm retired, and a lot of us oldies use the web a lot, but our memories are not as good as they once were. So don't tell us to start remembering lots of passwords, 'cos it ain't going to happen.
Actually, while I never have trouble finding my house, I frequently need to stop to think when asked for my address. I don't find my house by its address, I find it by other geographic clues.
And yes, I have passwords for work written down because there are more than 10 I need to access various accounts and records. At home I have at least three passwords needed for stuff on my PCs. My bank accounts have different passwords and identifiers; including credit cards, that's about another 8 accounts. Because they are unique, I don't change them as often as I should. Then I have three personal email accounts in some form or another of use, and probably 13 website forums with passwords. Some websites match each other but not emails, some emails match some websites. So that's 31 accounts I can think of, and I may be missing a few.
Granted, if I used each of them every day and they were all static, it wouldn't be a big deal. But throw in irregularly scheduled password changes with infrequent use and it's a recipe for disaster. In fact, even with the passwords written down, one of those work accounts is a recipe for disaster. See, it's used by the account I use to connect to encrypted laptops, and at start-up it can't connect to the current network database, only the database last stored when it was connected to the network. If all the laptops were connected to the network on the day I change my password and synced soon after I change it, no problem (also something that NEVER happens). But if it's one of those that has gone out on travel, or worse been stuck in a storage closet for an unknown period of time (some of them have been more than 18 months), not only do I have a long list to try (and at some point it starts a timer before the next login, doubling with each failure), but when I do finally get to the password that works, it might just make itself my current password, which fucks up all my other accounts and is a complete bitch to correct.
Our network forces us to use semi-complex passwords (>8 chars, upper/lowercase mix, at least one letter/number/symbol used) and they force us to change them every 30 days... but remind us that it needs changing after 15 days. Does my head in. No way I remember a different complex password every month, so I use the same one every time, just add the month name to the end each time.
Whereas Facebook, I don't have to change that password, so I took the effort to make a 14-character one that's completely random.
I think our password security at work is too much; it encourages us to take shortcuts.
Stupid IT Managers that insist on everyone having the same password across the group
All the routers/switches/firewalls have the same passwords and default logins
All email accounts, either mobile or desktop, have the same passwords across the group
Talk about crap security!!
Anon - Typing this at work
Depends on what type of domain you were running, who was likely to gain some kind of admin access to a server, how sensitive your data was, how strong your passwords were forced to be and (later) how good the rainbow tables were for your software.
I've no doubt some more up to date systems are very difficult to break into but going back a decade or so password changes were pretty important.
Indeed. This is one of the worst policies going - it actually reduces security in most instances.
The purpose of changing your password frequently was two-fold: 1) to force somebody who was trying all combinations to start again, and 2) to limit the time somebody has unauthorised access.
In the first instance this is no longer an issue - firstly we have account lockouts and so it would take years to try all combinations, secondly this is normally done offline now using rainbow tables.
The second point always made me laugh - limiting somebody's unauthorised access to 30/60 days - they could be in, copy all data, and be out again in minutes.
A stronger password (that doesn't need changing) is much better than a simple one which does - and the arguments I have had with 'auditors' who don't understand risk management about having accounts with passwords that don't expire... don't get me started.
The analogy I use: two houses next to each other. One with a simple lock on the door (that you change every 2 months) and one with a strong lock on the door. Which house would you put your cherished possessions in? How does changing the lock make the first house more secure (if somebody can pick the simple lock then it doesn't matter if you keep on changing it - it's still a simple lock)? Does 'restricting a burglar to only 60 days access before they have to pick the lock again' really make you feel safer?
Rant over.
If someone grabs your passwords from your DC and runs a password crack against them then changing the passwords regularly gives them less time to do this. That's the reason for enforced password changes and it makes sense, to a point at least. Also, if your password is very strong but never changes then anyone running an attack has a lot longer to find your password and, once they find it, can access at a more convenient time when it's less likely to be detected.
I share the dislike of enforced changes and I'm sure the periods are too short most of the time but passwords expire for a reason which remains valid as long as your password database is stealable.
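The two posts above argue about the same quantity without naming it: whether a stolen hash survives the rotation period uncracked. The model below is an added example, not code from either poster or from the article; the guess rates and the "simple lock"/"strong lock" password shapes are my own assumptions, marked in the comments, and the numbers it produces are illustrations of the trade-off rather than measurements.

```python
import math

# Constructed assumptions for the model (not figures from the thread):
OFFLINE_GUESSES_PER_SECOND = 1e10      # GPU rig against a stolen, fast-to-compute hash (assumed)
ONLINE_GUESSES_PER_SECOND = 5 / 86400  # lockout policy allowing ~5 attempts per day (assumed)
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def expected_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive search to hit a uniformly random password.
    On average the attacker tries half the keyspace before succeeding."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second


def rotation_helps(alphabet_size: int, length: int, guesses_per_second: float,
                   rotation_days: int) -> bool:
    """Rotation can only shorten the attacker's window if the hash outlives the
    rotation period uncracked. If it is cracked in seconds, expiring it 60 days
    later changes nothing (the 'simple lock' in the houses analogy)."""
    return expected_crack_seconds(alphabet_size, length, guesses_per_second) \
        > rotation_days * SECONDS_PER_DAY


def compare_houses(rotation_days: int = 60) -> dict:
    """Simple lock: 8 lowercase letters (26^8), rotated every rotation_days.
    Strong lock: 14 mixed-case alphanumerics (62^14), never rotated.
    Both shapes are assumptions chosen to illustrate the analogy."""
    simple_offline = expected_crack_seconds(26, 8, OFFLINE_GUESSES_PER_SECOND)
    simple_online = expected_crack_seconds(26, 8, ONLINE_GUESSES_PER_SECOND)
    strong_offline = expected_crack_seconds(62, 14, OFFLINE_GUESSES_PER_SECOND)
    return {
        # Against the stolen hash, the simple password falls in seconds.
        "simple_lock_offline_crack_seconds": simple_offline,
        "simple_lock_rotation_helps": rotation_helps(26, 8, OFFLINE_GUESSES_PER_SECOND, rotation_days),
        # With a lockout, even the simple password cannot be guessed online.
        "simple_lock_online_crack_years": simple_online / SECONDS_PER_YEAR,
        # The strong password outlives any rotation period by a wide margin.
        "strong_lock_offline_crack_years": strong_offline / SECONDS_PER_YEAR,
        "strong_lock_rotation_helps": rotation_helps(62, 14, OFFLINE_GUESSES_PER_SECOND, rotation_days),
    }


if __name__ == "__main__":
    for key, value in compare_houses().items():
        print(f"{key:40s} {value:,.3g}" if isinstance(value, float) else f"{key:40s} {value}")
```

Read `rotation_helps` as the crux of both arguments: the counter-argument (rotation limits the cracker's time) is true exactly when the crack time exceeds the rotation period, which with a strong password is already centuries, and with a weak one is never. Swap in your own hash rate for whatever algorithm your directory actually uses; a slow, salted KDF lowers the offline rate by orders of magnitude and moves weak passwords back across the line.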
It's simple human nature. Your FB password/Twitter account/whatever gets hacked, then you pay the price. If your work network gets hacked in part because someone got hold of your PW, then it is your employer's problem.
That being said, password proliferation is a huge headache. I have 2, maybe 3 social websites I participate in, but add in online bank/investment/insurance accounts, career/profession-related sites, online services/retailers I do business with, news websites (Curse you, El Reg!!) personal email accounts and then work-related passwords, and I must have at least 50-75 user logins out there in Tech-land. Probably more than that if I really bother to count them all.
Fortunately, my brain has not yet exploded.
From switching on to editing my first document of the day - 5 passwords, including two randomly generated, one that has to change every month and two others that are different for each project.
Number of different passwords to use all the different software applications on top of the 5 above - 7 passwords.
Also, if you get any one of them wrong more than three times, your account freezes and you have to get the IT guy to physically visit your desk to ensure you are who you say you are before they will unlock.
Do I write them down? Of course I do. Don't be silly.
<cracked record mode>
Jeebus, folks! —Just use a password manager, fer feck's sake. There are plenty available, for all platforms. They sync their databases across all your comps [& smartphones]. They'll generate any length unguessable passwords [strings of 'random' numbers and letters and/or symbols] for you when you need to register for a website. They will automatically fill in that password for you, when you revisit. All you need to remember is one single password for unlocking the password manager app.
I use 1password myself [on Macs and iPhone] and, at last count, had over 200 logins stored in its database. All different, so none of the dangers inherent in using a password across more than one site. All pretty unguessable; I tend to opt for "13 characters. Mixed letters & numbers. Mixed upper & lower case" when letting 1password generate them. Logging into any site involves hitting "CMD+\", entering the master password in a popup window and then hitting enter. Probably takes less than 5 seconds and I haven't had to bother remembering a password in years.
It is, as the sceptics would say, a "no-brainer"
</cracked record mode>
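Two posts in this thread sit at opposite ends of the same spectrum: the 30-day policy that gets answered with "same password plus the month name", and the password manager generating 13 random mixed-case alphanumerics. The script below is an added example (not code from any poster, nor from 1password) that puts both through the same checks. The policy reading is an assumption: more than 8 characters with upper case, lower case, a digit and a symbol; the symbol set and the base password are constructed for the demonstration.

```python
import math
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set; policies differ on this
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def meets_policy(password: str, min_length: int = 9) -> bool:
    """Assumed reading of the '>8 chars, mixed case, letter/number/symbol' rule.
    This is all a complexity checker can see: character classes, not habits."""
    return (len(password) >= min_length
            and any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def monthly_variants(base: str) -> list[str]:
    """The twelve passwords an attacker who knows the 'base + month' habit
    has to try; every one of them satisfies the complexity rule."""
    return [base + month for month in MONTHS]


def generate_password(length: int = 13, symbols: bool = False) -> str:
    """Random password in the style of a manager's generator: uniform over the
    alphabet, with rejection sampling to guarantee each required class appears
    (rejecting keeps the distribution uniform over the compliant strings)."""
    alphabet = UPPER + LOWER + DIGITS + (SYMBOLS if symbols else "")
    required = [UPPER, LOWER, DIGITS] + ([SYMBOLS] if symbols else [])
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing work for a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(n_variants: int) -> float:
    """Bits of work once the attacker knows the habit and the base password:
    log2 of the number of variants left to try."""
    return math.log2(n_variants)


if __name__ == "__main__":
    base = "Passw0rd!"                      # constructed example of a 'base' password
    print("variants pass policy:", all(meets_policy(p) for p in monthly_variants(base)))
    print("bits once the habit is known:", round(pattern_entropy_bits(len(MONTHS)), 2))
    print("13 random alphanumerics:", generate_password(13),
          round(entropy_bits(62, 13), 1), "bits")
```

The point the checker makes is that `Passw0rd!March` and `Passw0rd!April` both pass the policy while being one guess apart, whereas a generated 13-character alphanumeric carries roughly 77 bits and never needs the month trick. If you adapt `generate_password` for real use, keep `secrets` rather than `random`; the latter is not suitable for secrets.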
Use a reputable password manager, and carry it on your phone. Make your master password long and difficult, but since you only need to remember the master once, and change it annually, there should be no problem. The only caveat is not to keep passwords on there that on their own give the ability to evacuate your bank or similar account, but if you have a multi-factor authentication process and keep one of the passwords/phrases in your head (not obvious like your birth date), and have a dongle, then you'll be OK.