You say I mustn’t write down my password? Let me make a note of that

My desk-side wastepaper basket is full. OK, sure, first world problems and all that, but it’s 8am and I have only just walked in to the office. Why would my bin be full? I haven’t put anything in it yet. Despite being full, this bin does not contain what an office bin is supposed to contain: there’s no half-full coffee cup, …

  1. nijam

    It's easy to deal with the demand that you don't write it down when being read the password over the phone. Simply keep interrupting at random points in the password with the phrase "sorry, I can't remember what the first letter was, can you start again, please?"

    1. Prst. V.Jeltz

      Read out over the phone?? Good god, that could be anybody. At the last place I worked, IT managers decided that, to cause maximum disruption to work flow, idiots forgetting passwords would walk to the helpdesk in person to receive their new one, in order to prevent vague data protection / security blah blahs.

      And what are you doing still having individual bins? You are supposed to have 3 large different coloured recycling bins per floor! Was this in the 70s? Were the ashtrays emptied?

      1. Anonymous Coward

        You jest...

        But have there not been some massive security breaches when kids get the IT/support phone number and say they need reminding of their password?

        Oh and this just happened (though not password related) : http://www.theregister.co.uk/2016/03/11/bangladesh_bank_cyber_heist_1bn_dollars_nearly_stolen/

  2. ARGO

    XKCD

    Glad to see that reference sneaked in before the end.

    1. Rob Quinn

      Re: XKCD

      It sounded familiar, instantly recognised after a quick google, Cockwomble is a BOFH reference as well I think.

    2. Alistair Dabbs

      Re: XKCD

      Not really. The first time I read the word "cockwomble" was when it was used to describe Kanye West.

      1. Anonymous Coward

        Re: XKCD

        Not really. The first time I read the word "cockwomble" was when it was used to describe Kanye West.

        Must have been a while back then. Nowadays the descriptions for him are not nearly as polite. Still correct, just not quite as civilised.

    3. GregC

      Re: XKCD

      Thankyouverymuch, that's where I'd seen it before.

    4. BigAndos

      Re: XKCD

      That cartoon made a very good point actually. Sentences are easy to remember but would take a long time to break in a dictionary attack. Many password policies enforce a maximum length limit, and insist on mixtures of upper/lower case, numbers, punctuation etc. Combined with the fact "single sign on" is still a distant dream in many workplaces it is no wonder people find it hard to keep track of all their passwords!

      1. Anonymous Coward

        Re: XKCD

        Actually breaking a password made up of a sentence containing several words is straightforward - random letters, numbers and non-alpha characters are much harder. Can't remember where I read that though...

        1. Havin_it

          Re: XKCD

          I can't either but it's logically true. I think the solution is two-fold:

          1. User chooses long passphrase that they *will* remember (preferably from deep in the psyche so not too social-engineerable) à la correcthorsebatterystaple.

          2. Trick-out a couple of characters in a non-obvious way (no 13375p34k) and keep *just* that info in your wallet with the other shit you really value, not stuck to your monitor (thanks Bruce Schneier). You'll probably find you remember where they go before long and won't need the note.

          NB. This is not what I do for anything I'm real paranoid about protecting, but I have a good memory for such things. Many aren't, for whom it's all about breaking up the attack surfaces.

          More salient NB. Any non-trivial password-protected system should have a limited number of "strikes", then brute-forcing is not an option and we can all have (fairly) crappy passwords anyway. Whether the appropriate response to genuine forgetfulness is resetting the passphrase or simply nuking the protected vault (at cost to the forgetter's pay-rise, career, liberty...) is application-specific.

          1. israel_hands

            Re: XKCD

            "More salient NB. Any non-trivial password-protected system should have a limited number of "strikes", then brute-forcing is not an option and we can all have (fairly) crappy passwords anyway."

            The problem with auto-lockouts like that is that it makes DoS trivially easy. If you can get the username of an individual/group/company (something like a staff directory and knowledge of how they construct their usernames) you can just spam any online login with shit passwords* and lock out the legitimate users.

            Scripting something like that is fairly simple and it would give the IT dept a massive headache and generate enough ill-will to cause some serious bollockings. And if they use single sign-on you've just locked them out of all their systems...

            * Obviously, if users actually have shit passwords then you'll accidentally crack some accounts open.

            1. Michael Wojcik

              Re: XKCD

              The problem with auto-lockouts like that is that it makes DoS trivially easy.

              And auto-lockout has little security value anyway. Brute-force attacks are rarely made against the login mechanism, and can be mitigated by throttling attempts with a small delay. Auto-lockout only prunes a few rather small branches of the attack tree: where the victim has chosen a guessable password and the attacker has sufficient knowledge to try probable ones, for example, or where the password space is far too small.

              Successful brute-force attacks are almost always offline attacks - they happen when the collection of password verifiers is exposed. Auto-lockout has no relevance then.

              Auto-lockout also fails if the attacker doesn't care who the victim is. Back in the late '90s, it was common for banks to use account number plus a numeric PIN for online access. So researchers demonstrated an attack where they picked a PIN at random, then varied the account number until they got a hit. Lockout doesn't do shit for that attack.

              Lockout is one of those fairly idiotic policies that's still around due to a cargo-cult security mindset among people who either don't want to do real threat modeling, or don't want to ever drop pointless policies for political reasons.

              What auto-lockout does do is discourage long, strong passphrases and encourage writing down passwords and password hints. It weakens password-based security systems - it doesn't strengthen them.

              Of course, the person you're replying to, who recommended lockout, also wrote that the previous claim (breaking a passphrase composed of a series of words "is straightforward") was "logically true". If you take security advice from someone whose expertise is of that caliber, you get what you deserve.
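The lockout-versus-throttling argument running through the last three comments (Havin_it's "limited number of strikes", israel_hands' lockout DoS, and the throttling and fixed-PIN sweep in the reply above) can be simulated. The following is an added example written for this page, not code from any commenter; the three users and their passwords, the attacker address 10.9.8.7 and alice's address 192.0.2.10 are all constructed, and time is a simulated clock passed to login() so nothing actually sleeps.

```python
"""Account lockout versus throttling, as an added simulation.

Everything here is constructed for the demo: the three users, their
passwords, the attacker's address 10.9.8.7 and alice's address
192.0.2.10. Time is a simulated clock (a float passed to login()), so
no real sleeping happens and the two policies compare deterministically.
"""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 1000  # deliberately tiny: a simulation, not a real KDF setting


def make_verifier(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 verifier so the demo never stores plaintext passwords."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user database. carol's PIN is deliberately weak so the
# fixed-PIN sweep below has something to hit.
USERS = {name: make_verifier(pw) for name, pw in [
    ("alice", "RinseBubbleOvalBounce"),
    ("bob", "GV45#5kd3;"),
    ("carol", "1234"),
]}


def check_password(user: str, password: str) -> bool:
    if user not in USERS:
        # Same work for unknown users so response time does not reveal which names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, verifier = USERS[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, verifier)


class Lockout:
    """The 'N strikes' policy: after N failures the account stays locked
    until someone resets it. Nothing about the source is tracked."""

    def __init__(self, strikes: int = 5):
        self.strikes = strikes
        self.failures = defaultdict(int)

    def login(self, user: str, password: str, source: str, now: float) -> str:
        if self.failures[user] >= self.strikes:
            return "locked"
        if check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad"


class Throttle:
    """Delay instead of lock: a fixed small delay per account after any
    failure (bounds online guessing against one victim), plus exponential
    back-off per source address (bounds one attacker across many victims).
    No account is ever locked, so a legitimate user waits at most user_delay."""

    def __init__(self, user_delay: float = 1.0, src_base: float = 1.0, src_cap: float = 300.0):
        self.user_delay, self.src_base, self.src_cap = user_delay, src_base, src_cap
        self.src_failures = defaultdict(int)
        self.not_before = {}  # ("user", name) or ("src", addr) -> earliest accepted time

    def login(self, user: str, password: str, source: str, now: float) -> str:
        if now < self.not_before.get(("user", user), 0.0) or now < self.not_before.get(("src", source), 0.0):
            return "throttled"
        if check_password(user, password):
            return "ok"
        self.not_before[("user", user)] = now + self.user_delay
        self.src_failures[source] += 1
        delay = min(self.src_cap, self.src_base * 2 ** (self.src_failures[source] - 1))
        self.not_before[("src", source)] = now + delay
        return "bad"


def dos_alice(policy) -> tuple[int, str]:
    """Attacker fires junk at alice once per second for 20 seconds, then
    alice logs in from her own machine. Returns (guesses the attacker
    actually got checked, alice's result)."""
    checked = sum(policy.login("alice", f"junk{t}", "10.9.8.7", float(t)) == "bad" for t in range(20))
    return checked, policy.login("alice", "RinseBubbleOvalBounce", "192.0.2.10", 21.0)


def pin_sweep(policy, pin: str = "1234") -> dict:
    """The bank-PIN attack from the comment: hold the secret fixed and walk
    the account space, one account per second from one address."""
    return {user: policy.login(user, pin, "10.9.8.7", float(t)) for t, user in enumerate(USERS)}


if __name__ == "__main__":
    for policy_cls in (Lockout, Throttle):
        print(policy_cls.__name__, "DoS:", dos_alice(policy_cls()), "sweep:", pin_sweep(policy_cls()))
```

Both policies let the attacker get the same five junk guesses checked in twenty seconds, but under Lockout alice is locked out of her own account afterwards while under Throttle she logs in normally. In the sweep, per-account lockout never fires (each account sees one failure) and carol's 1234 is found; per-source back-off throttles the third account. The caveat is the one a practitioner would raise: per-source throttling is evaded by spreading the sweep across many addresses, and neither policy matters once the verifier table has leaked, where only the KDF work factor (deliberately tiny here) and the password's entropy count.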

        2. Adam 1

          Re: XKCD

          > Actually breaking a password made up of a sentence containing several words is straightforward - random letters, numbers and non-alpha characters are much harder. Can't remember where I read that though...

          It's probably good you can't remember where you read that because it is bad advice. Your password strength is log base2 of alphabet size to the power of the length of the password. Bigger is better.

          For example, consider a 4 digit PIN for an ATM card. The alphabet size is 10 (0 through 9) and length is 4, so the strength is log2 of 10^4 = ~13 bits of entropy

          If you jump to say a 10 character random password, we have to agree on the alphabet first. Say 26 lower case + 26 uppercase + 10 digits + 30 symbols (the ones I can easily type with my keyboard here) + 1 space = 93. log2 of 93^10 gives ~65 bits of entropy.

          Now consider a password made up of 4 randomly selected words**. In this case, it is disingenuous to consider the alphabet to be the same size as the random password (although in practice it would require the attacker to know that you didn't use such symbols). Let's assume they know your technique for the minute, and let's assume English only for simplicity, and let's assume you capitalise the first letter of each word. In this case your alphabet is about 350,000 and your length is the number of words you use. log2 of 350000^4 gives ~74 bits of entropy.

          So RinseBubbleOvalBounce is ~500 times harder to crack than GV45#5kd3;

          Both passwords offer excellent protection, but I know which one you would have to write down.

          **Of course if the words are not chosen at random (eg a verse or quote or meme or something) then it will be no more secure.
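The arithmetic in the comment above, carried through in code as an added example (not code from the commenter or from El Reg). The rule is bits = length × log2(alphabet size); the 4-digit PIN, the 10-character password over 93 symbols and the 4 words from a 350,000-word dictionary are the comment's figures, and that dictionary is its assumption rather than a file shipped here. WORDS is a constructed 16-word toy list so the passphrase generator runs offline, and the one-million-quote list used for the "verse or quote" caveat in the footnote is likewise an assumed figure. Carrying the unrounded bit counts through gives a ratio of roughly 310 between the two, rather than the 500 you get by rounding each to a whole number of bits first.

```python
"""Password-entropy arithmetic from the comment above, as an added example.

bits = length * log2(alphabet_size), i.e. log2(alphabet_size ** length).
The 350,000-word dictionary is the comment's assumption and is not shipped
here. WORDS is a constructed toy list so the generator runs offline; its
entropy is computed from len(WORDS), which is the point of the last
line of compare().
"""
import math
import secrets
import string


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is drawn uniformly and
    independently from `alphabet_size` possibilities."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def hardness_ratio(bits_a: float, bits_b: float) -> float:
    """How many times more guesses, on average, secret A costs than secret B."""
    return 2.0 ** (bits_a - bits_b)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: half the space at the given rate.
    Online, against a login form, a few guesses per second is realistic;
    offline, against a leaked fast unsalted hash, billions per second is."""
    return 2.0 ** (bits - 1) / guesses_per_second


# Letters, digits, all ASCII punctuation and space: 95 symbols. The comment
# counted 30 symbols on its keyboard for 93; the difference is 0.3 bits.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed toy word list (lower-case, letters only) for the generator.
WORDS = ["rinse", "bubble", "oval", "bounce", "correct", "horse", "battery",
         "staple", "womble", "desk", "stapler", "trolley", "monitor",
         "kettle", "ladder", "pencil"]


def random_password(length: int = 10, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniform random characters via the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 4, words=WORDS) -> str:
    """n_words uniform picks from the list, capitalised and joined, in the
    RinseBubbleOvalBounce style. Capitalising adds no entropy: an attacker
    who knows the scheme knows that too."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def compare() -> dict:
    """The comment's three cases, plus two it only alludes to."""
    pin = entropy_bits(10, 4)
    password = entropy_bits(93, 10)
    phrase = entropy_bits(350_000, 4)
    return {
        "pin_4_digits": round(pin, 1),
        "random_10_chars": round(password, 1),
        "4_words_of_350k": round(phrase, 1),
        "phrase_vs_password_ratio": round(hardness_ratio(phrase, password)),
        # A verse or quote: the attacker enumerates quotes, not words, so
        # strength is log2(size of the quote list) whatever its length.
        # One million quotes is an assumed figure.
        "4_words_from_1M_quotes": round(entropy_bits(1_000_000, 1), 1),
        # Same scheme, but drawn from the 16-word toy list above.
        "4_words_of_toy_list": round(entropy_bits(len(WORDS), 4), 1),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:28s} {v}")
    print("password:", random_password(), "passphrase:", random_passphrase())
```

The two things the numbers alone do not show: a memorable quote is worth only the size of the attacker's quote list (about 20 bits for a million quotes, however long the quote), and a word scheme is only as strong as the list it draws from, so four words from a 16-word list are 16 bits, weaker than the PIN-plus-change.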

      2. harpingon

        Re: XKCD

        My son, who's 8, now has five different logons with passwords to remember for disparate systems at his primary school. No SSO there. It's ridiculous. I have them stored in my password vault, but they go stale really quickly for reasons which must be obvious.

  3. Putters

    Clear Desk

    We had a clear desk policy after a little incident at the office block where I worked.

    http://www.highrisefirefighting.co.uk/cstelstar.html

    We were based on the 6th Floor (the fun started on the 7th). What was very noticeable was that the stuff that was in cupboards and desk drawers etc survived. Stuff that was on desks was water damaged and, in many cases, had sprouted quite a lot of green hair and possibly some new antibiotics - as it was a few days before anyone could get safe access to recover it, and there was a lot of moisture in what was for some reason quite a warm building ...

    1. allthecoolshortnamesweretaken

      Re: Clear Desk

      Thanks for the link, I can actually use that at/for work!

      IIRC the 'Clean Desk Policy' was started by the consulting firm Kienbaum*, at least over here in Krautistan. Old Mr. Kienbaum himself would prowl the offices at night, accompanied by a janitor armed with a very large bin bag. On a related note, Jil Sander doesn't like potted plants in her offices, so all the windowsills are slanted at a very steep angle.

      * Think 'McKinsey' if Kienbaum doesn't ring a bell. A consultant by any other name, etc.

      1. Anonymous Coward

        Re: Clear Desk

        "Old Mr. Kienbaum himself would prowl the offices at night,"

        Back in the 1960s a new head of the computer division was appointed from the washing machine division. He had a reputation for being a "hard man".

        He started to walk round the computer factory at night asking questions about what people were doing. Now a man in a suit at that time of the night is likely to be senior management. People had been used to the previous head man doing that - it gave a sense of "family" and he was genuinely mourned on his death in that post. So people answered the new man's questions. The next day he fired them for breaching security.

        1. Anonymous Custard

          Re: Clear Desk

          Around here all a clear desk earns you is being the ground zero dropzone for all the incoming parcels of parts and stuff that reception bring in and just dump on the closest available area, even if they have nothing to do with you nor are you the intended recipient on the address label.

          This does of course always occur just prior to a SMBWA ("safety management by walking around", or colloquially "some muppet bloody wandering aimlessly") audit, most commonly when you're out of the office on the customer site actually doing the work that keeps everyone else in employment and wages.

          The trick is of course keeping your desk cluttered enough to dissuade the above (and to appear that you actually do some work), but not full enough to incur the wrath of those with nothing more profitable or useful to do than make such audits.

          1. Anonymous Coward

            Re: Clear Desk

            And Dabbsy hopes "the clear-desk policy could be revived for the digital age"?

            WTF is he on? There's more than 30,000 unsorted emails in my inbox archive, and I can find 99% of what I want in moments. I live in fear of some tidy minded, cost obsessed twat deciding that email archives are too expensive, and putting some shitty, arbitrary limit on the space I can occupy (saving a few pence a year per employee, when my total costs of employment are, well, quite a lot).

      2. Roland6

        Re: Clear Desk

        The example I use is the Buncefield oil depot fire at Hemel back in 2005, which took out an IT business park, plenty of pictures on the web.

        http://www.computerweekly.com/feature/As-firms-count-cost-of-oil-depot-blast-what-are-the-disaster-recovery-lessons

        1. David 132

          Re: Clear Desk

          The example I use is the Buncefield oil depot fire at Hemel back in 2005

          True story - an old friend of mine worked for 3Com in their building on that campus, and had been made redundant mere days (IIRC) before the fire. The building he worked in was significantly trashed by the explosion.

          Afterwards, we gave him no end of ribbing along the lines of "sheesh, most people would have taken their redundancy pay, chalked it up to experience, and moved on with their lives. You had to take it more personally, huh?"

          1. Anonymous C0ward

            Re: Clear Desk

            Well they did steal my stapler.

            1. Triggerfish

              Re: Clear Desk

              Our work has a clean desk policy. I stop work at ten to five now and tidy my desk; it's great, I am out at exactly the time work finishes. I also get a nice few minutes in the morning digging out all the important stuff that was nicely laid out on my desk and arranging it into the "mess" it was the day before.

    2. TeeCee

      Re: Clear Desk

      I remember a great story in one of the Dilbert newsletters that Scott Adams used to mail out.

      A clean desk policy was introduced and the Boss said that, owing to the lack of compliance, the cleaners had been instructed to remove all paper from desks at night and deposit it in his office. Anyone wanting their shit back would have to come and beg for it and also explain why it had been left out in the first place.

      The result, of course, was that his office gradually filled up with waste paper that nobody wanted. Leaving it lying around for the cleaners was so much simpler than getting up and going to the recycling bin......

    3. Marshalltown

      Re: Clear Desk

      Heh - it took a break in, where the baddies attempted to disguise their work with a fire to convince my boss of the usefulness of off-site backups of both hard copies and electronic data. In some instances several years of work on a project were stolen or destroyed by the arson fire.

    4. badgames

      Re: Clear Desk

      I had a management type tell me that I should leave my desk clean back in the '80s, and that I shouldn't handle a piece of paper more than once. My response (since he wasn't MY manager) was that anything that required handling more than once wound up on my desk, and that if a cluttered desk signified a cluttered mind, then what did an empty desk signify?

  4. Dan Wilkie

    So just to check I have this right... They took the passwords off of peoples screens as a security risk (fair enough), then put them in the normal waste bin to be thrown into the outside skips?

    Where people are?

    1. Anonymous Custard

      If they were doing it right they'd just swap all the notes around with those stuck on other random monitors around the place (which may or may not have had password post-its on them themselves originally), and then watch as people have to track down their own passwords and some of the ensuing bartering and bastardry that goes on.

      Brings back all-too distant memories of schooldays, when the foolish comp-sci master gave me admin privs on the server. Two others in the class (who hated one another) found out and spent days pestering me to give them the password of the other. So I duly did - I swapped them over and just told each that they now had the other's password.

      Cue a Mexican stand-off that the whole class enjoyed, including the master who was going to bollock me for doing it but couldn't keep a straight face long enough to do so, and then privately told me it was one he'd use himself in similar future situations.

      1. Havin_it

        >swap all the notes around with those stuck on other random monitors around the place (which may or may not have had password post-its on them themselves originally), and then watch as people have to track down their own passwords and some of the ensuing bartering and bastardry that goes on.

        Only works if everyone's sticky-note also includes their username; and if usernames are difficult enough to forget, then you need either a new IT Div (if they imposed them using any system that wasn't "Your Full Name [Plus An Incremented Integer If Required, hello El Reg]") or new users (if they chose their own and can't remember them).

        Or everyone knows each other's handwriting well enough to forge each other's company cheques, in which case you may have bigger problems down the line...

      2. Sherrie Ludwig

        MAD

        Sort of what the USA and USSR had back in the day, MAD, the aptly named Mutual Assured Destruction, aka "you launch your nukes, we launch our nukes, it'll be the last thing you ever do".

  5. Anonymous Coward

    stick notes ?

    Sticky notes are for wimps. In my earlier days (when many users still had proper terminals, not these "computer" type thingies) I found out by accident that a user had actually physically carved his password in the terminal keyboard. Upon questioning, he found this sufficiently secure since people didn't know his user name (which was, at the time, his first name, same as with everyone else. Small company).

    This password wasn't changed for years, so as a test we replaced the keyboard with another one, with a similarly carved but different password. Next day he was locked out. The mind boggles.

    And no, he wasn't sacked. Senior management. Luckily very senior, he retired soon after that.

    1. Steve Gill

      Re: stick notes ?

      Why does the mind boggle? Many people struggle to remember things, even things they use every day for years. I have a friend who can't remember his wife or kids' names, drives him nuts but he just can't do it.

      1. Fred Flintstone

        Re: stick notes ?

        I have a friend who can't remember his wife or kids' names, drives him nuts but he just can't do it

        There is an XKCD cartoon for that too (one of my personal favourites) :).

      2. Tabor

        Re: stick notes ?

        The new password carved was similar in nature, as in number of characters. Other than that completely different. So not just substituting E for 3 or L for 1. I know of people who have difficulty remembering things, but in the case of your friend : even if he couldn't remember his wife was called Maggy, I assume he would still know you would be incorrect if you claimed it was Linda. At least that's what my experience is. You might not remember a word, but you know what it's not when questioned. And even then : in the case of a password typed in daily, something feels "wrong" when typing in a different one if it changed (does with me anyway, some kind of physical memory I guess).

  6. Anonymous Coward

    I loathed the clear desk policy.

    I was my boss' PA & he kept HIS desk clean by moving it all to MINE instead. All the fat file folders with hundreds of pages of legal print outs, all the faxes & printed out emails that he "needed to keep handy", all the memos & notes either generated by him or left on his desk awaiting his attention, he would shovel it on to MY clear desk in order to free up his own, thus leaving me with a metric fekton of crap to organize just before leaving at the end of the day.

    That fat bastard would then bark at me to retrieve the stuff he needed because HE hadn't organized his stuff, he'd left it to me to find a place to file it instead. Fine, that's my job after all, but damn it was it necessary to do it 5 minutes before closing after I've finished cleaning up my own mess? Now I'm stuck doing his stuff after hours while he buggers off to his car & whatever life he had outside work.

    Passwords on sticky notes? That turd expected ME to remember all HIS passwords & would snap his fingers demanding to be told what the latest one was for whatever program he was in at the time. Did it ever occur to him that ME having all his passwords was EXACTLY what all those warning emails from IT were about & that he was in fact violating corporate policy? Not on your life. I'm just a lowly PA after all, I can be trusted to keep his boss' secrets, right?

    Yeah, right up until I "accidentally" get all your passwords reset by calling up IT myself & asking sweetly could they PLEASE reset my boss' passwords for me "as he's going to need this report done before he gets here this morning & I can't get into his files for the data I need to complete it"...

    Oh lookie, Boss gets a call from the head of IT chewing him a new arse because he shares his passwords with other employees in clear violation of the rules. PA's fault? Nope. PA's just doing what the Boss ordered them to do. It's the Boss' fault for sharing the passwords in the first place.

    Hey, is that the now EX-Boss leaving in a huff? I suppose this new guy is my new Boss then?

    Oh my, he's just asked me to keep track of his passwords for him...

    *Sigh*

    Damned clear desk policy.

    1. Anonymous Coward

      Re: I loathed the clear desk policy.

      "Hey, is that the now EX-Boss leaving in a huff? I suppose this new guy is my new Boss then?"

      Trouble is that only works half the time. The other half it's the IT guy out the door because it turns out the one violating all the rules is also on the board.

  7. Pete 2

    It's not a password, it's a TO DO list

    1.) T1dyUp

    2.) G0t0lunch

    3.) MeetSa11y

    4.) Chan8epassw0rd

    1. Steve Davies 3

      Re: It's not a password, it's a TO DO list

      plus the oblig

      5) TheBossisaBarsteward2016

      6) HeissleepingwithhisPA69

      7) CleanDesksAreForLosersP45

      8) AllPasswordsSuckRoyallyP100

      etc

      etc

      1. Anonymous Coward

        Re: It's not a password, it's a TO DO list

        "5) TheBossisaBarsteward2016"

        We were once asked to set up an internal questionnaire about IT services for an organisation, in which we asked for user email addresses so they could get the results of the survey. But the head of IT didn't like it. So he instructed staff that they were not to supply their real email addresses in the box.

        Some people in the IT department, however, wanted to get the results as they suspected their boss wouldn't tell them the truth. So they set up some special addresses for themselves.

        XYZisamuppet@

        XYZisauselessmuppet@

        and so on.

        We naturally redacted the results before passing them on. He was then less than pleased to realise that the results were now anonymous, and that some of them had diatribes about his competence in the comments box.

    2. harmjschoonhoven

      Re: It's not a password, it's a TO DO list

      The password is secret.

  8. Anonymous Coward

    One of our C level went round the office (well, customer care) at 1830 one day and implemented the clear desk policy by piling everything up on a trolley and locking it in a cupboard. He was warned off the R&D area, luckily. Unfortunately managed to unplug switches, wifi routers, PBX equipment... Left the company two days later. Still don't know if the two were related...

  9. Anonymous Coward

    Auto generated passwords

    I'll never forget my first AOL trial CD. My password was "swollen balls". At least I hope it was auto-generated.

    (No I didn't actually use AOL)

    1. Boothy

      Re: Auto generated passwords

      "Honey, the free coaster delivery is here"

    2. Stevie

      Re: Auto generated passwords

      Why not? In its day it was spiffy. I don't use it now, but I'm not ashamed I once did, over dialup at 33 1/3.

      1. Edwin

        When I was your age...

        My first personal commercial internet connection was a terminal session (Pine, Lynx, TIN) on a 1200baud Hayes. Of course, real dinosaurs remember acoustic couplers and 300 baud.

        1. TheOldGuy

          Of course, real dinosaurs remember acoustic couplers and 300 baud

          Guess that makes me a dinosaur then...........

          1. allthecoolshortnamesweretaken

            Re: Of course, real dinosaurs remember acoustic couplers and 300 baud

            Radio Shack / Tandy had a solder-it-yourself kit for the acoustic coupler's electronics, and a pair of headphones made a good combination of microphone, loudspeaker and rest for the handset, with some tinkering. Good enough to connect a C64 to a bulletin board...

        2. Stevie

          Re: real dinosaurs remember acoustic couplers and 300 baud.

          Yes, I had one of those too, when I had to lug around a "Silent 7000" teletype.

          Not silent, only semi-portable. Slower than spelling stuff over a phone sometimes, and required a "standard" handset that was not standard at the time, so one of those had to be carried around too.

          Would it save time if I just agreed yours was bigger?

          1. Synonymous Howard

            Re: real dinosaurs remember acoustic couplers and 300 baud.

            I still have the 300/75 acoustic coupler that I used with my Cambridge Z88 in the early nineties. I remember having to use it to connect back to some Unix systems I was managing whilst away and hanging around in BT phone boxes.

        3. Doctor Syntax

          Re: When I was your age...

          No, real dinosaurs carved out the message on monoliths in runes with the phone handset beside them. The computer worked out what was being written from the sound of the tapping.

        4. Steve K

          Re: When I was your age...

          300 baud? Luxury!

          When I started we just shouted 1s and 0s down the phone line to each other.

          If someone replied "Pieces of 7" you knew it was a parroty error.

          1. Edwin

            Re: When I was your age...

            Dammit Steve K. You owe me a keyboard.

      2. Anonymous Coward

        33 1/3

        You spin me right round, baby, right round.

      3. Edwin

        Re: Auto generated passwords

        <pedant>33k6!</pedant>

  10. Sykobee

    Generally speaking, if an attacker has access to your physical desks, you've lost already.

    So maybe the problem is accidental disclosure of passwords via photos/videos on social media or otherwise... in which case passwords in a notebook should be fine.

    However what appears to be needed is an office single-sign-on and integration into the services that all require separate passwords at the moment.

    Let's not mention the placement of passwords and other sensitive information in standard waste paper bins rather than secure disposal units.

    1. Anonymous Coward

      We have had a global ruling in all our offices of no use of cameras of any type, including those built into phones, laptops etc.

      About a couple of years ago, they decided to switch from BBs to Smart Phones, which are Android, and come with a built in camera, which we have to use for expense claims (Concur).

      So doing your expenses in the office is officially breaking the rules (rules that everyone just ignores now anyway!).

      In the last 6 months, we've migrated from Lotus Notes, to Office 365, including Skype for Business, and are now being encouraged to Skype people, including video, rather than phone them.

      I checked: the security policy still states no cameras in the offices!

      Nice to see the corporate world is in sync between departments!

    2. Fibbles

      Fair point about physical access. Perhaps keep the notebook in a locked drawer?

  11. BitDr

    Three words...

    Password Manager Application.

    One password will have to rule them all so make sure it's not something obvious like your name, your pets name, your address or your favorite sports team, etc. Don't use a cloud service, if they get cracked and/or accidentally release millions of stored accounts to the world+dog then you have to change everything.

    1. Anonymous Coward

      Re: Three words...

      The types I've worked with would use it, but then write the master password for that on a piece of paper..

      1. BitDr

        Re: Three more words...

        Can't...fix...stupidity.

    2. Anonymous Coward

      Re: Three words...

      I've used KeePass for a while now, and quite happy with it.

      Uses a local encrypted DB, which you can then pop onto a pen drive, or cloud storage as you wish.

      I then use Keepass2Android Offline on the phone.

      1. A K Stiles

        Re: Three words...

        Problem with that is our place enforces bitlocker on usb storage, itself then requiring a password to unlock...

        I'd use the joke icon, except it's anything but!

  12. TRT

    It's Ok! I use thumbprint verification...

    And as they've banned paper, electroconductive ink and gummibears from the workplace it's all hunkyd0ry.

    1. Rich 11

      Re: It's Ok! I use thumbprint verification...

      They've banned paper, electroconductive ink and gummibears, but not knives...

  13. FuzzyWuzzys

    I learned a valuable lesson at one site very early in my career. The techs would write down the passwords on bits of paper, then they started finding developers getting more access to things they shouldn't. Turned out the devs would turn up late, stay late to prowl the Ops techs' desks looking for the "mystical keys" on scraps of paper!

    At the time I bought a memory study course, studied it and learned ways to remember around 50-60 separate passwords at a time. Sadly old age is catching up with my knackered old brain and I now rely on one of those mobile phone password safes.

    1. Danny 14

      Now age has caught up with me, I can't remember the passwords from last week but I have no problem remembering ones from the 90s

      1. ITS Retired

        Have you thought of reusing those old passwords?

        Some anyway still might work.

      2. jerryboam

        Simple, change all your passwords to the ones you remember.

        I am so old my passwords are TorreyCanyon, MartinLuther and DinosaursWip3dOut.

  14. R Soles

    Clear desk policy

    Way back in 2000 I worked for a computer company where one of the pointy haired bosses decided on the spur of the moment to implement a clear desk policy in a rather "provocative" way.

    Returning one morning from an off-site meeting the previous day, I found my laptop had mysteriously disappeared.

    This was the opportunity for said PHB to loudly deliver a security lecture to the whole office*, before grudgingly giving me my laptop back.

    However, I guess the look I gave him was clear enough, as he didn't try that stunt with anyone else.

    *nobody, but nobody, in the entire company locked their laptops away overnight, or used kensington type locks, because there was card-controlled access to the building, and all bags were searched on entering or leaving

    1. Anonymous Coward
      Anonymous Coward

      Re: Clear desk policy

      Card-controlled access I find is usually crap; they're mostly just magnets, and most companies don't spend enough to cover all the doors.

      So cue someone going into the office, pushing a side door which should have been locked, turning a fuse off to several others and stealing a crusty old server (brand new one above it was left???).

      Anon because no one likes to talk about that here.

      1. Stoneshop
        FAIL

        Re: Clear desk policy

        Card-controlled access I find is usually crap; they're mostly just magnets, and most companies don't spend enough to cover all the doors.

        Card access and CCTV notwithstanding, a couple of years back a bunch of thieving scrotes just heaved a pavement tile through a ground-floor window, and made off with a bunch of laptops.

        Most of them not being locked.

        And one of those being the security manager's.

    2. Mark 85

      Re: Clear desk policy

      Card access doesn't stop the insiders. We had a bunch of the old 19" CRTs that weighed in at about 75 pounds (35 kg) taken. Brand new and in the box, so you know this was some years ago. A manager came in late one night to pick up something for an early off-site meeting and found the security guards loading monitors into a van.... Who watches the watchers?

    3. Doctor Syntax Silver badge

      Re: Clear desk policy

      "This was the opportunity for said PHB to loudly deliver a security lecture to the whole office*, before grudgingly giving me my laptop back."

      This was the point at which you should have said "So that explains it. It was running the remote server for the client demo...."

  15. Doctor_Wibble
    Megaphone

    RTF Email

    An unexpected double-meaning there, one an instruction and the other a curse!

    Not just colleagues though, the problem also exists for people at whom we wish to throw copious amounts of cash as an actual paying customer, something I see from time to time to my complete empuzzlement and peed-offed-ness. And something an associate has been swearing about for weeks, apparently anything to do with building repairs only ever gets a response if you have a camera crew and/or short baldy in tow.

  16. Mage Silver badge
    Pirate

    Passwords and disaster recovery.

    If it's anything important a relative or workmate etc needs to access, write down the passwords, user, email, machine, website etc. EVERYTHING.

    Put it with your will or something else that will not be accessible to ne'er-do-wells, thieves, small children and will 100% turn up if you are knocked down / heart attack / stroke / randomly shot etc.

    1. A K Stiles

      Re: Passwords and disaster recovery.

      I did consider the fail-safe cron job / standing order to send relevant passwords / money to the right people in the event of my demise. i.e. need to reschedule the job each month to stop it sending the password file to the appropriate recipient.

    2. Anonymous Coward
      Anonymous Coward

      Re: Passwords and disaster recovery.

      "Put it with your will or something else that will not be accessible to ne'er-do-wells, thieves, small children and will 100% turn up if you are knocked down / heart attack / stroke / randomly shot etc."

      I don't know if you can really do that. After all, what if the ne'er-do-well is your spouse or kin?

      1. Blue Pumpkin
        FAIL

        Re: Passwords and disaster recovery.

        Oh yes, I remember when the power went and the generator didn't kick in .... only then did they realise that the emergency procedures and DR process were securely kept only in electronic format.

        Needless to say that did not last

        1. Ellis Birt 1

          Re: Passwords and disaster recovery.

          generator didn't kick

          Northgate's generators did them no good when Buncefield went up. In fact, they were unseated from their mounting against the Buncefield fence and ended up embedded in the building.

          Never assume power is uninterruptible!

  17. Anonymous Coward
    Anonymous Coward

    When I worked for MOD our password system used to be the usual "At least 10 characters long, contain at least 1 uppercase, 1 number and 1 special character" and we were forced into changing them every month and it remembered the last 10 and also pattern matched looking for similarities from previous variants, so actually it was OK and reasonably user friendly.

    But then...

    A random password generator was thrust upon us to make us more secure: Const-vowel-const-const-vowel-const-number-Const-vowel-const-const-vowel-const-number

    So (for example): baszol4fonqit6

    A random security sweep a few months after it was introduced (of our clear-desk-policy area) revealed scores of post-it notes under keyboards, inside unlocked drawers, pinned to calendars (and even, in one case, written in the corner of a little used whiteboard) - when almost no infractions had been previously discovered.

    I left shortly after when they also, effectively, banned Christmas (the year I left, Christmas cards (which had previously been given a waiver) were included in the clear desk policy and weren't allowed to be displayed...)

    Anon because I still have to work with some of my ex-employers at my new organisation.
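The password shape quoted above, turned into an added example (not code from the original post or from the generator it describes): a generator for the consonant/vowel/consonant/consonant/vowel/consonant/digit pattern, a matcher, and the keyspace arithmetic that shows what imposing the pattern costs compared with an unstructured password of the same length over the same characters. The 21-consonant, 5-vowel, 10-digit alphabet is an assumption; the original generator's exact alphabet is not given in the thread.

```python
import math
import secrets

# Assumed alphabet for the example (the comment does not state the real one).
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21
VOWELS = "aeiou"                        # 5
DIGITS = "0123456789"                   # 10
CLASSES = {"c": CONSONANTS, "v": VOWELS, "n": DIGITS}

# The shape quoted in the comment: Const-vowel-const-const-vowel-const-number, twice.
PATTERN = "cvccvcn" * 2


def generate(pattern=PATTERN, rng=secrets):
    """Return one password following `pattern`, drawing each position from a CSPRNG."""
    return "".join(rng.choice(CLASSES[p]) for p in pattern)


def matches(password, pattern=PATTERN):
    """True if `password` has the pattern's length and every character is in its class."""
    return len(password) == len(pattern) and all(
        ch in CLASSES[p] for ch, p in zip(password, pattern)
    )


def keyspace(pattern=PATTERN):
    """Number of distinct passwords the pattern can produce."""
    return math.prod(len(CLASSES[p]) for p in pattern)


def entropy_bits(pattern=PATTERN):
    """Entropy of a uniformly chosen password of this shape."""
    return math.log2(keyspace(pattern))


def bits_lost(pattern=PATTERN, alphabet_size=36):
    """How many bits the pattern gives away versus an unstructured password of the same
    length over lowercase letters and digits (36 symbols, an assumption for the comparison)."""
    return len(pattern) * math.log2(alphabet_size) - entropy_bits(pattern)


if __name__ == "__main__":
    pw = generate()
    print(pw, matches(pw))
    print(f"keyspace: {keyspace():.3e}  entropy: {entropy_bits():.1f} bits  "
          f"lost to the pattern: {bits_lost():.1f} bits")
```

The sample in the comment, baszol4fonqit6, matches the pattern. Fourteen characters of the shape above give roughly 51 bits, about 21 bits short of fourteen unstructured lowercase-plus-digit characters; an attacker who knows the policy only has to search the patterned space.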

  18. Richard 126

    I have fake passwords taped to the edge of my screen. I figure it might keep someone amused for a bit trying to find out why they don't work.

    1. Darryl

      Yeah, it's all fun and games until they hit the max attempts and lock all of your accounts out...

  19. FredTheBaddy

    Clear Desk Policy

    Far from being a thing of the past, it is a requirement under ISO 27001.

    1. Anonymous Coward
      Anonymous Coward

      Re: Clear Desk Policy

      Isn't that in ISO 27002? I keep mixing them up :)

      To be honest, I never had a problem with it at MoD. In some jobs it's simply part of the routine. Far more amusing was the regular change of dial lock codes - we had a navy cryptologist who could open these things anyway (apparently nights at sea are really boring, so he worked this out to amuse himself) :).

      I rather liked dial locks. Far more interesting than the boring modern pushbutton equivalent..

      1. Chris King

        Re: Clear Desk Policy

        Isn't that in ISO 27002? I keep mixing them up :)

        We're almost getting into Space Corps Directives territory here:

        39436175880932/B: "All nations attending the conference are only allocated one car parking space" or

        39436175880932/C: "POWs have a right to non-violent constraint" ?

      2. Anonymous Coward
        Anonymous Coward

        Re: Clear Desk Policy

        "we had a navy cryptologist who could open these things anyway (apparently nights at sea are really boring, so he worked this out to amuse himself)"

        A former colleague once found himself stuck in a hotel for a long weekend with nothing to do except wait for a Monday morning flight.

        He had a combination lock briefcase so set out to try every combination from 000 000 upwards.

        He simply wanted to get an idea of how long a full brute force attack on the thing was likely to take.

    2. Stoneshop
      Coat

      Re: Clear Desk Policy

      So, like this?

      1. Anonymous Coward
        Anonymous Coward

        Re: Clear Desk Policy

        So, like this?

        Actually, I had a desk like that. All it took was some intelligent use of black 50x50mm cable ducts (conveniently sold in packs of 2m length - I use these a *LOT* to clean up cable messes) and it was usable for IT.

        You do need to be careful in which mouse you use, though. I found that the Logitech "Anywhere MX" mouse works quite happily on a transparent glass surface.

      2. Doctor Syntax Silver badge

        Re: Clear Desk Policy

        "So, like this?"

        It reminds me of a quote from Len Deighton which goes something like "Bret's desk was like his women with shiny legs and see-through drawers".

  20. Anonymous Coward
    Anonymous Coward

    Civil service

    Two civil servants explained how they handled their offices' clear desk policies.

    The first used to put the contents of his desk top into a very large envelope. He then addressed it to himself and put it in the internal mail - to be delivered to him first thing next morning.

    The other was fortunate in having been assigned an old fashioned roll-top desk. He merely closed and locked the roll-top before he left.

    1. Joel 1

      Re: Civil service

      Absolutely! If someone wants me to have a secure desk, give me a rolltop desk. Covers all the requirements of securing laptops, PCs etc, and anything on my desk is secure.

      If they don't want to get me a rolltop desk, then clearly the policy isn't that important...

      There is always the option of the lockable workspace - I believe they used to be called offices...

      1. Anonymous Coward
        Anonymous Coward

        Re: Civil service

        "There is always the option of the lockable workspace[...]"

        The office did a big refurbishment of the building - including lots of small and large cupboards for security. Site Services weren't very happy when I pointed out that all the locks had visible numbers - and a very small set of different numbers covered the whole building.

  21. Anonymous Coward
    Anonymous Coward

    Someone higher up in my IT dept decided to implement a "clear desk" policy by deleting, without warning, an un-backed-up temp storage volume that was full of the rest of the IT dept's stuff. Years of stuff. No warning. Seriously, no warning: not so much as a by-your-leave, or a casual heads up. Nothing.

    Please imagine the 'pissed off with flames' icon is used here

    We have a tough enough job without other members of your team sabotaging your efforts

    1. Known Hero

      Really a dick move. But unfortunately he had a point, and I bet it's backed up now ;)

    2. Anonymous Coward
      Anonymous Coward

      "[...] I.T depts stuff. years of stuff. no warning. "

      We did an internal office move into newly refurbished quarters on the same site. On the Friday we left all our stuff in crates to be moved over the weekend. On unpacking we realised that all our extension cables were missing. There was apparently a new 'elf & safety policy that extension cables were now verboten - so they had all been extracted and thrown away. That didn't help us when we arrived on a customer site with monitoring kit and needed power from a distant socket.

  22. Anonymous Coward
    Anonymous Coward

    Mississippi

    I once had a young American chap working for me and from time to time he needed to man the phones and perform password resets. For reasons that escape me he decided to reset one password to Mississippi but with each occurrence of "i" replaced with "1" and each of the "s" characters replaced with a "5". Rather than spelling it out letter by letter he simply told the poor lass on the other end of the phone what he had done. After a fruitless half hour on the phone with multiple attempts getting her to login it became apparent that she did not know how to spell Mississippi ...... and neither did he.

    1. Anonymous Coward
      Anonymous Coward

      Re: Mississippi

      "[...] it became apparent that she did not know how to spell Mississippi [...]

      In England in the 1950s there was a children's rhyme, possibly for skipping, that went "Missus M Missus I Missus SSI - Missus S Missus S Missus IPPI".

    2. Captain DaFt

      Re: Mississippi

      >Mario Voice<

      Emma come-a first.

      I come-a next.

      Then two assa come-a together.

      I come-a again.

      Two assa come-a together one more time.

      I come-a once-a more.

      Pee-a twice.

      I come-a once more time in the end.

      Anna thatsa how you spell-a Mississippi!

  23. DropBear
    Joke

    One small niggling concern about the clear-e-desk policy proposed - how does one arrange emails in a square fashion?!?

  24. 9Rune5
    Coat

    "keeping user names and passwords on bits of paper anywhere near our computers is deemed a security risk "

    (...)

    "One colleague even went full retard and wrote his logins directly on the surface of his desk using a permanent marker"

    Well... if the new policy bans passwords on paper, then clearly the ol' permanent marker on desk trick is the way to go here. After all, if somebody gains access to the office, they'd have to lift the entire desk to get at the passwords (after all, nobody carries carbon paper around these days). Sounds perfect to me.

  25. Cannie charles

    I write down passwords as a series of letters, each letter is the first letter of a name. A line under the letter means I enter the last 3 letters of that name, line above, the first 3 letters. If any letter is circled, the whole name. Will also include birth years, first letter of name followed by Y. Line under the Y means last 2 digits of year, circled means whole year.

  26. Anonymous Coward
    Anonymous Coward

    Optional memory.

    I only memorized 3 passwords in all my life. I cycle between them, and combine them with mnemonics to create new ones.

    I just need a standard QWERTY keyboard to remember all of them. The others are written under the battery of my cellphone, in a stamp that looks like a repair shop note.

    I had some problems after I traded the phone for one that can't remove the battery...

  27. Chris King

    In the event, the employees turned up, panicked like shit, ran around shouting with their hands in the air, smashed windows, looted shops, set fire to a BMW and threw rocks at the police.

    Or as we IT security guys call it, "Monday". *sigh*

  28. Martyn 1

    I remember watching a news item a few years ago where they were interviewing Inspector Knacker of The Yard over some incident, over his shoulder in the background you could see a terminal on a desk and written above it on the whiteboard in HUGE letters was :

    Username: PCPlod

    Password: hefelldownthestairsyourhonour

    (names changed to protect the guilty)

    Anyway in the interests of reporting accuracy I tried to track down the actual incident and googled "police password written on whiteboard" and there's fscking dozens of them !!!!!!

    1. Adam 52 Silver badge

      Quite a lot of Police laptops are disconnected from any form of network to avoid tarnishing the evidential chain (e.g. burning DVDs of CCTV for passing to CPS). These don't have individual user accounts for obvious practical reasons so do have the username/password stuck to them.

      They are, however, kept in locked cupboards inside secure offices inside secure buildings. And more importantly don't have any data on them to protect.

  29. Martyn 1

    Ironically :-)

    When I just went to post the above I was challenged for the password 'cos the one in the browser cache was wrong and I couldn't remember what I'd changed it to and none of the ones written on the pile of postits would work - Doh! ;-)

  30. Anonymous Coward
    Anonymous Coward

    XKCD has the answer in more ways than one

    I think we all forgot https://xkcd.com/538/

  31. Fihart

    No marks to the following:

    1) All-uppercase passwords -- these are a pain to type on mobile phones lacking Caps Lock. Ditto passwords involving non-alphanumeric characters.

    2) Websites and devices which obscure entered passwords with asterisks. No, no-one is looking over my shoulder, give me the option of displaying the password as I type it on my tiny, error-prone, phone keyboard.

    1. Anonymous Coward
      Anonymous Coward

      Re: No marks to the following:

      In the days of Teletypes you could use backspace as a valid password character - possibly "Bell" (Ctrl-G) too.

      At that time the Teletype couldn't be programmed to not echo selectively. So after you entered a password the software overwrote it many times until it was just a black splodge on the paper.

      1. Doctor Syntax Silver badge

        Re: No marks to the following:

        "At that time the Teletype couldn't be programmed to not echo selectively."

        IME they were set up to type only what came down the line so what you saw on the paper was what was echoed back to you. So it was up to the login program to send clear text, asterisks or whatever.

    2. glen waverley
      Joke

      Re: No marks to the following:

      The trick to solve item 2 is to have a password consisting solely of asterisks*

      *may not work on some sites with anal rules re character diversity

    3. Thomas 6

      Re: No marks to the following:

      Which mobile phones do not have a caps lock? I believe on both Android and iOS that double tapping the shift key turns on caps lock.

      I have no idea what exists for Windows.

  32. imanidiot Silver badge

    My place of employment demands that a replacement password is requested by certain senior managers (of which there are only 6). Which is just great for your productivity if your password expires first thing Monday morning, you half awake fill in a new one and then can't for the life of you remember what your sleep-addled brain came up with after the first coffee break. And then of course 2 of those managers are in Singapore, a third in the States, the fourth is on vacation for 2 weeks, number five is on sick leave and number six is somewhere on the 6 acre site doing god knows what away from his computer and email and no-one can ever pinpoint just where he is NOW instead of 5 minutes ago... Oh, and the replacement password is also emailed to the senior manager that requested it, who then has to forward it to your direct manager who THEN has to provide it to you.

    And then they start getting testy when you decide to use the communal mechanics account because you want to at the very least get SOMETHING done instead of chasing your tail around all day trying to get a new password.

    1. RealRaven

      SSO passwords; replace every 3 months

      and with a big site you may have 60 different instances stored on the various sub-pages. Luckily I can bulk change that password with my QuickPasswords Addons now.

  33. captain veg Silver badge

    Uncrackable

    I remember as a student reading an article about password security that recommended, in addition to the usual mix of case, digits and symbols, the inclusion of control characters on systems that allowed that. "Wonder if ours does..." Turns out it did, for setting the password, but not when actually logging on. So my account was completely inaccessible.

    -A.

    1. Anonymous Coward
      Anonymous Coward

      Re: Uncrackable

      Reminds me of a friend who could touch-type. He suddenly realised a mistype had told the VI editor to encrypt his document - and he couldn't work out what he had typed after that point as the encryption password.

    2. Anonymous Coward
      Anonymous Coward

      Re: Uncrackable

      I've seen that bug in customer facing sales software. Though not an IT background myself, just working customer services.

      Them: "I cannot login to my account, number XXXXXX."

      Me: "Oh, that's a valid number, yes I can see your name, Mrs S3mith?"

      Seems our web portal took in numbers and letters, our back office and actual server running the customer policies did not. No idea how we were to fix that one. I'd have rebuilt their paperwork, but it was too much effort to get the balance transferred, so I flagged it as for the IT staff.

      But it serves them right for not sanitising or sanity checking their inputs!

  34. Terry 6 Silver badge

    Teacher passwords

    When I was in harness the first day of Autumn term was password reset day. Because we'd all forgotten our p/ws by then.

    When I was the IT manager it meant spending a couple of hours on password resetting on the first day of each term. But at least I knew everyone. When it went corporate and they had to phone corporate IT to request the new p/w I gained a couple of hours, but since there was only one IT person answering the phone and he/she had to check credentials first, it must have taken half the day at least before everyone was back in.

    OTOH a local school had a p/w reset policy for every month. No repeats of the last 6 etc.

    So everyone had to get a reset in September, and around half at the start of the other terms.

  35. Anonymous Coward
    Anonymous Coward

    Good Passwords Are Hard to Remember.

    Anything random is hard to remember.

    So are some non-random things.

    Not writing down passwords is a stupid rule. It's a superficial preventative slogan. What you really need is for passwords to be kept securely, which covers all the stupidity the article lists, such as the post-it note, but allows for the notebook in a locked drawer. How about those password-storage programs? OK if you always use the same computer, maybe OK if they work over the "cloud", but what's the corporate thinking on relying on third party services?

    Yes, I have passwords written down and kept securely. I have so many, Amazon and eBay and a dozen or more accounts with other services, and then there are the banks I deal with. And because I am saying this, I am posting anonymously.

    One of my banks, as part of the log-in, asks me for my father's middle name. It is on one of the standard documents about me, one for which he had to give his full name. I wasn't given a choice about the security question I have to answer.

    There are some crazily thoughtless people "designing" security.

    1. Down not across

      Re: Good Passwords Are Hard to Remember.

      One of my banks, as part of the log-in, asks me for my father's middle name. It is on one of the standard documents about me, one for which he had to give his full name. I wasn't given a choice about the security question I have to answer.

      But do they check it? Unlikely. When sites ask for things like "mother's maiden name", I use a random alphanumeric string.

  36. Howard Hanek
    Childcatcher

    I Have a Mind Like a Steel Trap

    .......that always snaps closed just when I need something in there.......

    I try to compose my passwords similar to something I'd like to say just before I die.........with a number and an upper case letter.....

    1. allthecoolshortnamesweretaken

      Re: I Have a Mind Like a Steel Trap

      AlL th@s3 MOM3nts ₩iLL b3 l@st iN tim3 £ik3 t3&rs_in_r&in / Tim3 t@ di3

  37. BurnT'offering

    It's simple really

    Just write your password on the back of your username

    1. Anonymous Coward
      Anonymous Coward

      Re: It's simple really

      I'll wipe the wine I snorted off the screen later - nicely surreal

      I'm toying with using SHA1SUM(<username><MMYY>) for my user password, where MMYY is the month and year of last password change. I simply login as root on a terminal, run "sha1sum gerdesj0316" and out it pops. Copy to clipboard, switch back to the Display Manager and paste it in. Finally, switch back to the console and log out root: you can't be too careful.

      For real security, randomly change the hashing function.

      1. Wintermute

        SHA1SUM

        That's all well and good until someone calls up your CLI's command history.

      2. keithpeter Silver badge
        Windows

        Re: It's simple really

        "I simply login as root on a terminal..."

        @gerdesj: does that not simply move up one step to the security of your root password? Root can (presumably) access your home drive.

        The Tramp: I'm just a clueless end user

        1. Anonymous Coward
          Anonymous Coward

          Re: It's simple really

          >"I simply login as root on a terminal..."

          >@gerdesj: does that not simply move up one step to the security of your root password? Root can (presumably) access your home drive.

          >The Tramp: I'm just a clueless end user

          You are absolutely correct, which was the point of my silly comment. It's hard to pitch a pretty nerdy "joke" at all levels. No need for the tramp or the self flagellation (you must be a Brit - me too!)

          Mind you, my password scheme is a pretty good one, if there was a safe way of generating the hash and easily and securely getting it to the password prompt. In effect a hash of a hash of a string of characters. If you can make the transmission channel secure then the initial password could be pretty simple because a cracker would have to face the first hash as the password they have to crack and not the actual generating password. For example:

          $ echo a | sha1sum

          3f786850e387550fdab836ed7e6dc881de23001b

          $ echo 3f786850e387550fdab836ed7e6dc881de23001b | md5sum

          27f5765ef14682472b0bc02251a47381

          Now it doesn't exactly trip off the tongue but a password of "a" has generated a stupidly hard to guess "password". You could use any hashing function and you could cut the result at n characters in the first step and get a completely different result in the second. Those features are in effect your password and possibly easier to remember than batteryhorsemanagedtoavoidbecomingglueatbechersbrookbolted.
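The two-stage derivation in the comment above, written out as an added example (not code from the original thread). It reproduces the `echo a | sha1sum` then `echo <hash> | md5sum` pipeline, including the trailing newline that echo feeds to the hash, and then does the check a practitioner would want before relying on the scheme: once the seed (username plus MMYY) is treated as public, the only secret left is the pair of hash functions and the truncation point, and `recover_scheme` shows how few candidates that leaves to try. The list of algorithms and the maximum truncation length are assumptions for the example.

```python
import hashlib

# Hash functions tried when enumerating the scheme: a fixed subset of hashlib
# (an assumption for the example; any fixed, guessable list has the same problem).
ALGS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]


def _sum(alg, text):
    """Equivalent of `echo text | <alg>sum`: echo appends a newline before the data is hashed."""
    return hashlib.new(alg, (text + "\n").encode()).hexdigest()


def inner_hash(seed, first="sha1", cut=None):
    """First stage: hash the memorable seed, optionally keeping only the first `cut` hex characters."""
    digest = _sum(first, seed)
    return digest if cut is None else digest[:cut]


def derive(seed, first="sha1", second="md5", cut=None):
    """The hash-of-a-hash password: the second stage hashes the (possibly truncated) first-stage output."""
    return _sum(second, inner_hash(seed, first, cut))


def scheme_keyspace(max_cut=128):
    """Number of (first, second, cut) candidates the search below has to try."""
    return len(ALGS) * len(ALGS) * (max_cut + 1)


def recover_scheme(seed, observed_password, max_cut=128):
    """Given the public seed and one observed derived password, find the (first, second, cut)
    that reproduces it by exhaustive search. Returns None if no candidate matches."""
    for first in ALGS:
        for second in ALGS:
            for cut in [None, *range(1, max_cut + 1)]:
                if derive(seed, first, second, cut) == observed_password:
                    return (first, second, cut)
    return None


if __name__ == "__main__":
    print(inner_hash("a"))                     # the value quoted in the comment
    pw = derive("gerdesj0316", "sha256", "sha1", cut=12)
    print(pw, recover_scheme("gerdesj0316", pw), scheme_keyspace())
```

The whole search is a few thousand hash computations, so the "features" that are supposed to act as the password are worth well under 13 bits against anyone who has seen one derived password and knows the seed format.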

  38. ecofeco Silver badge

    Who can blame them?

    As an IT pro, I have well over ~20 passwords I have to remember everyday at work and home. The average user doesn't stand a chance.

    They can't even use the same one across all logons and sometimes not even variations!

    Single sign on systems? Great idea but still far too complicated for the average user.

    Until we get serious about user competence, they will always be the biggest vulnerability. And the only way to fix that is to educate them.

    1. Charles 9

      Re: Who can blame them?

      "And the only way to fix that is to educate them."

      But as a comedian once said, "You can't fix Stupid." Some people are simply incapable of learning. Problem is, some of these types are ABOVE you.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who can blame them?

        "Problem is, some of these types are ABOVE you."

        My job title is "Managing Director" - yours?

        1. Charles 9

          Re: Who can blame them?

          "My job title is "Managing Director" - your's?"

          Could be worse. You could be having the problem with an Executive. Nothing worse than dealing with a "know-it-all" who happens to be top brass.

  39. Doctor Syntax Silver badge

    TL;DR

    An empty desk is the sign of an empty head.

    Security is the ratio of the difficulty created for the bad guys versus the difficulty created for whoever has to do the work.

    1. Charles 9

      Re: TL;DR

      Which ALWAYS slides downwards because of Attacker's Advantage.

      1. Doctor Syntax Silver badge

        Re: TL;DR

        "Which ALWAYS slides downwards because of Attacker's Advantage."

        And User's Disadvantage.

  40. allthecoolshortnamesweretaken

    Maybe Aleister Dabbs can come up with some sort of occult login ritual? He has displayed a somewhat dubious interest in the supranational lately.

  41. jonathanb Silver badge

    My deskside bin is only used for coffee cups and banana skins. We have a recycling sack for waste paper.

  42. Wommit

    We aren't allowed our own bins.

  43. J.G.Harston Silver badge

    You had a formica desk? Luxury! At one site I worked on the "IT suite" was the food storeroom behind the kitchen with a laptop on the second-to-bottom storage shelf. The space between the shelving and the wall was two inches shorter than my thighs so the only way to get at the laptop was to wedge myself in a manspreading position between the storage unit and the wall and hope my blood circulation didn't get cut off.

    1. Anonymous Coward
      Joke

      You're not working* hard enough. You could get an entire department built for HSE sitting regulations. :D

      *In the Dilbert sense!

  44. small and stupid

    Serious luddite question

    If your system forces users to have "good" passwords, what is the point in also forcing them to change them every x months?

    1. allthecoolshortnamesweretaken

      Re: Serious luddite question

      I don't mind so much that the system at my place of gainful employment forces me to change the password every month. The annoying bit is when the system tells me that my password will expire in 14 days, and would I like to change it now? (And when I click 'no' the next day the system will ask again.)

      Why the change? If the password was really, really, really good and also really, really, really secure I wouldn't see the point either. But as it is, the passwords won't be that good really and in most cases not really that secure. So a forced change reduces the chance of the password being known to too many people and provides the opportunity to set a better password.

      Apart from that, it's sort of traditional by now, in a but-we've-always-done-it-that-way way.

      I have just written a post that contains the word 'really' ten times. I guess it's really time to go to bed now.

      1. Anonymous Coward
        Anonymous Coward

        Re: Serious luddite question

        It also provides a chance server-side to ramp up the hash function. I may or may not have heard of systems that still use MD5forchrissakes because they didn't want to enforce routine password changes.
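One way to do the server-side upgrade the reply above mentions, as an added example and not code from any system in the thread: verify against whatever algorithm the stored record names, and on a successful login, the one moment the plaintext is in hand, rewrite the record with the current algorithm. The record format, the legacy unsalted MD5 case and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Assumed record format for the example: "<alg>$<hex salt>$<hex hash>".
CURRENT_ALG = "pbkdf2_sha256"
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def _digest(alg, password, salt):
    """Compute the hash for one record algorithm. 'md5' is the legacy unsalted case."""
    if alg == "md5":
        return hashlib.md5(password.encode()).hexdigest()
    if alg == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()
    raise ValueError(f"unknown record algorithm {alg!r}")


def make_record(password, alg=CURRENT_ALG):
    """Build a stored record; legacy md5 records carry an empty salt."""
    salt = b"" if alg == "md5" else secrets.token_bytes(16)
    return f"{alg}${salt.hex()}${_digest(alg, password, salt)}"


def verify(record, password):
    """Check a password against a record of any supported algorithm, in constant time."""
    alg, salt_hex, stored = record.split("$")
    computed = _digest(alg, password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, stored)


def login(store, username, password):
    """Return True on a successful login. If the record used an old algorithm, replace it
    with a CURRENT_ALG record now, while the plaintext is available."""
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if not record.startswith(CURRENT_ALG + "$"):
        store[username] = make_record(password)
    return True


if __name__ == "__main__":
    # Constructed store with one legacy user (sample data for the example).
    users = {"alice": make_record("correct horse", alg="md5")}
    print(users["alice"][:10], login(users, "alice", "correct horse"), users["alice"][:15])
```

A login, not a password change, is the event that matters here: the plaintext is available either way, so the migration off a weak hash does not need a forced reset, only for each user to sign in once. Records that never get a login stay on the old algorithm and are the ones worth forcing.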

      2. small and stupid

        Re: Serious luddite question

        Rubbish

        If a user can't/won't pick a good password now, then every time they are forced to bother to make up a new one, the chance increases they will pick a bad one.

    2. Anonymous Coward
      Anonymous Coward

      Re: Serious luddite question

      "If your system forces users to have "good" passwords, what is the point in also forcing them to change them every x months?"

      Password-changing policies are meant to control unknown leaks. If a password is leaked but nobody knows it, a periodic changeover can make the leaked password useless unless they can find a way to establish another connection. It may not be effective against a brute-force attack where they try to get everything in one go, but for subtle operations where they're trying to sneak under the radar, a forced password change will either shut the door (if you change it first) or draw IT's attention to it (if they change it first).

  45. allthecoolshortnamesweretaken

    Your password is only as secure as the Post-It™ you wrote it on.

  46. Anonymous Coward
    Anonymous Coward

    Written passwords

    Years ago I was running the local IT department for a group of Geologists (think older), and they had multiple password policies and dissimilar system requirements, thus they could not come close to a standard policy. In fact some systems would not even permit a password that another system required.

    I found every single one of them writing down their passwords, and I knew this would not be able to be changed.

    Thus, I produced random 12 character passwords for them, and requested that they create a 4-6 character memorized simple password. They then would prepend or append the simple password to the complex password.

    That way they had a nice complex 16 character password that would be difficult for a network/digital breach, but still if someone found their "password sheet", it would still be useless for a local attack.
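Added example, not the commenter's code: the split scheme above (a random 12-character part on the sheet plus a 4-6 character memorized part) with the guessing work it leaves to two attacker models. The alphabets (62 symbols for the written part, lowercase letters for the memorized part) and the attacker models are assumptions made for the arithmetic.

```python
import math
import secrets
import string

# Assumptions for this illustration (not from the post):
SHEET_ALPHABET = string.ascii_letters + string.digits  # 62 symbols for the written random part
MEMORIZED_ALPHABET = string.ascii_lowercase          # memorized part: 4-6 lowercase letters


def sheet_secret(length: int = 12) -> str:
    """The random component that is allowed to live on the password sheet."""
    return "".join(secrets.choice(SHEET_ALPHABET) for _ in range(length))


def combine(sheet: str, memorized: str, prepend: bool = True) -> str:
    """Full password: memorized part prepended (or appended) to the written part."""
    return memorized + sheet if prepend else sheet + memorized


def bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def guess_budget(sheet_len: int = 12, mem_min: int = 4, mem_max: int = 6) -> dict:
    """Number of candidate passwords each attacker must cover in the worst case.

    remote:            no sheet; must enumerate sheet part x memorized part x position
    local_with_sheet:  holds the sheet; only the memorized part and its position are unknown
    """
    mem_space = sum(len(MEMORIZED_ALPHABET) ** m for m in range(mem_min, mem_max + 1))
    positions = 2  # prepended or appended
    local = mem_space * positions
    remote = len(SHEET_ALPHABET) ** sheet_len * local
    return {
        "remote": remote,
        "remote_bits": math.log2(remote),
        "local_with_sheet": local,
        "local_with_sheet_bits": math.log2(local),
    }


if __name__ == "__main__":
    sheet = sheet_secret()
    pw = combine(sheet, "rock")
    print(f"sheet part: {sheet}  full password length: {len(pw)}")
    for k, v in guess_budget().items():
        print(f"{k:>22}: {v:,.2f}" if isinstance(v, float) else f"{k:>22}: {v:,}")
```

The numbers make the post's trade-off explicit: the remote attacker faces roughly 100 bits of search, while someone holding the sheet still has to cover about 29 bits for the memorized part. That is enough to stop a colleague typing it in from the sheet, but it is well within reach of an offline cracker who also has the password hash, so the sheet must be treated as confidential and the memorized part must not be a dictionary word.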

  47. trapper

    Flash

    I have 35 username/password combos or passwords. I have a flash drive with a physical read/write switch. If I can't remember a password, the drive comes out. So far, nobody's noticed. There's also an SD card with a cabled reader - everybody knows what a flash drive looks like, not so many a reader. They only come out when I'm stumped and nobody's looking. Look, every security yob in the world is so focused on his own local security he rejects any notion that a dozen or so of his fellows elsewhere have joined him in making my life difficult. Consequently I'll subvert the jerk every time I can get away with it. I'm here to work, not make him happy, and keeping my things secure is my responsibility.

  48. blurred1978

    We do actually have a clear desk policy. People's stuff regularly gets removed and locked into our central services cupboard to await collection when someone realises something is missing. It falls down a little on fixed desks. For the most part we operate agile working, i.e. no fixed desks, but generally within departmental areas. If people have extra staff in, they overflow into *spaces*. There are one or two departments that have fixed desks simply because their boss has enough clout to get what he wants. So whereas most departments have fewer desks than people, as some are out all the time, these *fixed desks* operate at 1 to 1, and consequently completely ignore the clear desk policy.

  49. RealRaven

    password manager

    I have 1000+ unique passwords. Many of them are very hard to type, let alone remember. I only remember my master and SSO password; that will do. I use my own add-on QuickPasswords to get at them, and encrypt that shit. And never use a computer from somebody else. If you can remember all your passwords, you're doing it wrong.

    1. Charles 9

      Re: password manager

      "I only remember my master and SSO password"

      But what if someone manages to steal THAT password?

  50. Paul Garrish

    That reminds me

    That story reminds me of when I went skip diving in Panama last year......
