Comments on: Why don’t companies get the message about password changing? http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing Everything I used to bore people on newsgroups and mailing lists with, now in one inconvenient place. Mon, 01 Dec 2008 23:39:54 +0000 http://wordpress.org/?v=2.6.5 By: Pacquetsniffer http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89599 Pacquetsniffer Fri, 09 May 2008 16:25:44 +0000 http://blog.xcski.com/?p=1338#comment-89599 Yea for the password manager. Try "Keepass" from portableapps.com, on a flash drive. Have an extra one at home for backup in case you misplace the one in your pocket or on your keyring. Then write the master pw on a sticky and paste on the monitor!!!! Yea for the password manager. Try “Keepass” from portableapps.com, on a flash drive. Have an extra one at home for backup in case you misplace the one in your pocket or on your keyring. Then write the master pw on a sticky and paste on the monitor!!!!

]]> By: Becca http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89068 Becca Mon, 05 May 2008 23:52:21 +0000 http://blog.xcski.com/?p=1338#comment-89068 <i>By the way, why is this tagged with kayaking></i> It's a secret code, to help him remember a password. By the way, why is this tagged with kayaking>

It’s a secret code, to help him remember a password.

]]> By: Paul Tomblin http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89060 Paul Tomblin Mon, 05 May 2008 21:44:16 +0000 http://blog.xcski.com/?p=1338#comment-89060 Because I missed. Because I missed.

]]> By: Vicki http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89058 Vicki Mon, 05 May 2008 21:39:24 +0000 http://blog.xcski.com/?p=1338#comment-89058 By the way, why is this tagged with <i>kayaking</i>? By the way, why is this tagged with kayaking?

]]> By: Jen http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89056 Jen Mon, 05 May 2008 20:19:15 +0000 http://blog.xcski.com/?p=1338#comment-89056 I'm with Bill Schneier. Interestingly, the only reason we have mandated yearly password changes at work is because the federal government requires it as part of data security for grants. I’m with Bill Schneier. Interestingly, the only reason we have mandated yearly password changes at work is because the federal government requires it as part of data security for grants.

]]> By: JRH http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89053 JRH Mon, 05 May 2008 19:31:30 +0000 http://blog.xcski.com/?p=1338#comment-89053 Bruce Shneier says write your passwords down on little pieces of paper. The problem of keeping valuable little pieces of paper safe and available has long been solved: it's called a "wallet". But then, I don't do that. Bruce Shneier says write your passwords down on little pieces of paper. The problem of keeping valuable little pieces of paper safe and available has long been solved: it’s called a “wallet”.

But then, I don’t do that.

]]> By: Beable http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89048 Beable Mon, 05 May 2008 18:47:04 +0000 http://blog.xcski.com/?p=1338#comment-89048 I write down the truly awful ones (our pay info system asked for a password with complex rules and then a "security reminder in case of lost password" - following the same damn complex rules as the password! I wrote both down. For most things which have frequency/re-use issue but not horrid complexity masks I usually pick a song and cycle through the lyrics. For systems I administer (e.g. root/other priv passwords) there is usually some in joke on my team I can cannibalize. I'm not convinced that writing down passwords is bad if it is done rationally. They sticky note on the monitor with helpful labels is really bad. The notepad in the locked file cabinet or the index card in the wallet with only a vague or cryptic note on which password is for which service? Not so much. One of my coworkers uses a password manager on his desktop, and just has to remember the password to that. I write down the truly awful ones (our pay info system asked for a password with complex rules and then a “security reminder in case of lost password” - following the same damn complex rules as the password! I wrote both down.

For most things which have frequency/re-use issue but not horrid complexity masks I usually pick a song and cycle through the lyrics. For systems I administer (e.g. root/other priv passwords) there is usually some in joke on my team I can cannibalize.

I’m not convinced that writing down passwords is bad if it is done rationally. They sticky note on the monitor with helpful labels is really bad. The notepad in the locked file cabinet or the index card in the wallet with only a vague or cryptic note on which password is for which service? Not so much.

One of my coworkers uses a password manager on his desktop, and just has to remember the password to that.

]]> By: Vicki http://blog.xcski.com/2008/05/05/why-dont-companies-get-the-message-about-password-changing#comment-89045 Vicki Mon, 05 May 2008 18:20:02 +0000 http://blog.xcski.com/?p=1338#comment-89045 Don't forget not allowing you to use any part of the url in the password. So a rational system for generating a password can't depend on the domain name, which makes it harder to devise a rational system. Don’t forget not allowing you to use any part of the url in the password. So a rational system for generating a password can’t depend on the domain name, which makes it harder to devise a rational system.

]]>