Bah!
But isn't not divulging one's password "security by obscurity"?
Many (45 per cent) of workers say they could access a former employer’s systems through old, unchanged passwords, according to a survey by password management outfit Dashlane. Around a third (30 per cent) of workers said that their employer never changes passwords, or only do so when there is an issue, and this goes some way …
I did something similar at one place before they consolidated everything with a single-sign on system. But I didn't write the password down - I wrote the suffix. There's not a lot of risk in someone knowing that your email password ends in '7'. The only system that foiled me was the in-house training system. For some bizarre reason it had the most strict password rules of all the systems and it was the only one that detected my changing suffix and objected to it.
This is probably something to do with the older IT managers setting up password schemes that need changing once a day, with no reuse policy over a 6 month period, and the password needs to be at least 20 letters long and contain a mixture of upper and lower case characters, symbols, numbers, and 3 key combinations. When questioned these IT managers state it's company policy to improve security, and that some Microsoft dude mentioned it was a good idea 20 years ago.
You forgot the timekeeping system, which only accepts passwords with a maximum 8 character length and won't allow symbols, and the payslip system for which passwords are automatically assigned. Oh, and the intranet, which has passwords between 9 and 14 characters, with symbols but not capital letters.
My solution is a page in the front of my notebook, with all 6 passwords I regularly need written down. One better than a post-it, ten worse than a sensible, integrated password policy.
My college-age son is continually flabbergasted at what he considers to be my "insanely complex" personal password policy*. The really scary part is that he is a CompSci major. Youf deez days...
* what's so insanely complex about four random words strung together and using a different pattern for financial vs. non-financial situations?
I'm a 20 something and yeah, I'm guilty of passwords on post-its, passwords in unencrypted text files.
Fact is I have about 40 business logins for various systems. I also work in an access controlled office. Anything critical like the crown jewels or stuff that actually matters, sure, I'll keep in my head, or write down in obfuscated form.
But the HR system to book my holidays? pah. The learning system to do the "how to sit at your desk" courses? nope. Even my performance review tool - you can enter loads of comments about how you think I've done - you're welcome to do it - my manager never reads it anyway. My SAP user account - again, feel free to book my hours for me. My Hire-car account. My company conferences account. My student loan balance login. The department milk fund excel sheet. - none of these hold anything even remotely interesting or useful which can be stolen, no credit cards, no addresses, just mind-numbingly boring information about me.
The employee data system with my bank details and health records - that ain't written down. Neither is the one that grants access to the company IP as that requires the 2FA RSA key. The problem is in business, that every single time you need to view information, the default is to require a password, when a username alone would do. We're rolling out enterprise single sign on, but the completion date is October 2375. Until then, I'm going to keep them all in an easily accessible, easily hacked form because I don't flatter myself that people would actually care.
Doesn't it then strike you odd that this Dashlane referencing article is a bit Dashlane heavy, mentioning numbers about non-Dashlane-users... Because, they are in the business to sell you a tool to remember passwords? Now, fancy that!
And while I dislike Millennials (aka young whippersnappers), it's an easy target for exactly that negative "feel". "Oh they know everything, don't they?"
What, did the "old people can't handle passwords" argument poll so badly with the DASHLANE focus groups?
Thank you, El Reg, for a thinly disguised advertising fluff piece.
re: P4m$lp23
Although I can't speak for their security(*), there are plenty of random password generators out there that produce (somewhat) phonetic passwords like 'rotranott', 'eblinecs' or whatever. A lot easier to remember and type than those with lots of meaningless punctuation, caps, etc. Might be worth a shot in lots of cases.
* They're obviously less secure, but the question is whether they're so predictable or have such a small key space as to make a dictionary attack with them feasible. Assuming you know (or can guess) what generator is being used, of course. Obviously, using any online generators is as bad as not having passwords at all.
So it's not normal to use "password" as the password for everything?
Our facility uses strips of tape in obscure places on machines (industrial manufacturing equipment) for user passwords. Passwords for elevated permissions are always simple and usually copied into notebooks left near the machines (notebooks hold the info to run the machine)...
OTOH, everything is truly air-gapped. No wireless capability, no network lines run into the machines, and the USB ports are all used for things like keyboards.
As others have pointed out, the problem is there are too many bloody different logins we all have to work with these days. There are several where I work, and they have - of course - different rules for "complexity," so you couldn't possibly use one password for everything, even if that were a good idea. So I opt for the password database (keepass) and have a "ridiculously complex" master password for that. It's better than what my last supervisor did - kept her passwords written on a post-it on the bottom of her keyboard.
"As others have pointed out, the problem is there are too many bloody different logins we all have to work with these days."
It's really not. We have single sign-on, no-one aside from IT staff have to remember more than 2-3 passwords ever, and yet half the monitors in the building have the post-it-password bordering, and half of the remaining staff share their passwords round at the drop of a hat. The problem is a total cultural disconnect between security professionals (who are if anything over-steeped in paranoia) and the rest of the staff (who couldn't care less about security).
In the majority of cases if a naughty person has physical access to your PC and any Post-It notes attached, then the password is the least of your worries.
Password security on-line is critical, strong passwords are important, having your password written on the back of an envelope in your desk drawer is not really that much of a security risk unless you work somewhere with open public access.
"Having grown up with the sharing culture of social media, this age group has become slightly casual when it comes to their security and this has the potential to have an impact in the business world"
This has nothing to do with sharing culture. There's not a thing in this article that hasn't gone on since the dawn of the login. This is all about experience and giving a crap. The former accounts for most of the higher percentages for the younger age group (who happen to be millennials) and the latter explains why more passwords and complexity rules are just making the problem worse.
As I'm retired I no longer have to remember logins for work. However I do keep a little notebook for all the unique passwords I use on the internet at home. Current count is approximately 65 - and the notebook is full.
Each old password will be transferred to the new notebook when it gets used - if it is still valid at that point. Eventually the new notebook will contain the useful passwords.
If someone breaks in and finds the notebook - then that is the least of my worries.
Hear! Hear! I'm with you on this. Both my wife and I do the notebook thing. I still use post-its for some things (at home). Being semi-retired, I do have a small notebook with my work passwords that is kept in my pocket at all times on the premises except to actually use it. I could use the post-it method as my office has a lock, but IT from the main office use mine when they come into town.. so... best not to leave anything remotely private there.
I really liked this: "... that detected my changing suffix..." meaning somewhere those passwords are kept as plain text. If the company runs stuff that doesn't care to protect passwords properly, why should anyone else? Has anyone ever pointed it out to management? Would they be accused of hacking if they pointed it out?
Write passwords down - keep the paper in your pocket. At one place I worked, I was told I could print them on a card and have it plasticized for durability.
Systems that require password changes - utter waste of time. Zero benefit and encourages post-its on screens or under keyboards.
As someone else said, we've been ankle deep in the antics in the article since the dawn of the vt100 or earlier.
> "... that detected my changing suffix..." meaning somewhere those passwords are kept as plain text
It's perfectly possible that's been implemented in a secure way too -- though my faith in "enterprise software" developers is not such that I'd consider it more likely than the insecure method.
To check for incrementing-number password changes in a secure manner, all the software needs to do at the back-end is strip the last character of the new password (which of course it will already temporarily know in plain-text as it's submitted), then brute-force the original hash with the other nine digits, or even the whole ASCII address space which would probably take less than 100ms for one character, depending on the hash used.
Then, if it passes the test, the software can hash the new password and scrub the plain text.
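The check described in the comment above, written out as an added example (it is not code from the thread or from any product mentioned in it): the server keeps only a salt and a slow hash of the old password, takes the prefix of the newly submitted password, tries every printable ASCII character in the final position against the stored hash, and rejects the change if one matches. The hash function, iteration count and the sample passwords are assumptions chosen for illustration; the iteration count is deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os
import string

# Constructed parameters (not from the thread). A real deployment would use a
# memory-hard KDF and a much higher work factor; this is kept small so that
# the 95-candidate loop below finishes in well under a second.
PBKDF2_ITERATIONS = 5_000
CANDIDATE_CHARS = string.printable.strip()  # printable ASCII, whitespace trimmed


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; this is all the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_new_password(password: str) -> tuple[bytes, bytes]:
    """Draw a fresh random salt and return (salt, hash) for the credential store."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def differs_only_in_last_char(old_salt: bytes, old_hash: bytes, new_password: str) -> bool:
    """
    Return True if the new password is the old one with at most its final
    character changed (e.g. 'Winter7' -> 'Winter8', or unchanged).

    The old plaintext is never needed: every candidate is the new password's
    prefix plus one printable character, hashed with the OLD salt and compared
    against the OLD stored hash. The new password is only ever held in memory
    for the duration of the change request.
    """
    if len(new_password) < 2:
        return False
    prefix = new_password[:-1]
    for ch in CANDIDATE_CHARS:
        candidate = hash_password(prefix + ch, old_salt)
        # Constant-time comparison, as for any hash check on a secret.
        if hmac.compare_digest(candidate, old_hash):
            return True
    return False


def change_password(old_salt: bytes, old_hash: bytes, new_password: str) -> tuple[bytes, bytes]:
    """Reject a last-character-only change; otherwise return the new (salt, hash) to store."""
    if differs_only_in_last_char(old_salt, old_hash, new_password):
        raise ValueError("new password differs from the old one only in its last character")
    return store_new_password(new_password)


if __name__ == "__main__":
    salt, stored = store_new_password("Winter7")  # constructed sample credential
    print(differs_only_in_last_char(salt, stored, "Winter8"))   # suffix bump: True
    print(differs_only_in_last_char(salt, stored, "Summer7"))   # genuinely different: False
```

The cost of the check is one KDF evaluation per candidate character, so it is about 95 times the cost of a normal login verification; that is acceptable only because password changes are rare, and it is the reason the comment's "less than 100ms" estimate depends on the hash used. Nothing plaintext survives the request: after the loop, only the new salt and hash are written.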
The article talks about people who can still access former workplace accounts and then implies that this is the fault of the former employees' poor password hygiene. Uh? Surely the previous employer should have revoked the youngster's credentials on their last day. I'd be pretty surprised if the average "former employee" ever had the admin rights necessary to do this for themselves, let alone still had them after leaving.