Cycling Passwords

Daniel A. Rachels, Sr. drachels at adelphia.net
Sat Aug 23 01:32:25 UTC 2008


On 22 Aug 2008 at 10:55, Karl Pearson wrote:

> I'm curious on your take on systems that require changing passwords on a 
> set schedule, whether it's 90 days or whatever.
> 
> When I've set up new systems, I instruct the users to select passwords that 
> are cryptic and follow guidelines that make them essentially impossible to 
> crack, such as: Ol10yzZx119xa
> 
> Once a good password is found, why change it? I know there are a lot of 
> consultants who say you must, but everywhere I've been that requires 
> people to change passwords, I see they have written them on sticky notes 
> and then put them on their monitor, or bookshelf or wherever. I also see 
> the frustration level rise every time they are trying to get into a system 
> with a customer on the phone, and they have to tell them to wait for their 
> session as they change their password...
> 
> Since roughly 90% of corporate break-ins are from the inside, having to 
> change the passwords, and then sticking the passwords up, defeats the 
> security purposes for changing passwords.
> 
> What do you think?
> 
> Okay, I do have a reason for asking this: 1. convince me I'm wrong, and 2. 
> I have a client that wants it to stop, and I need to know where in Fedora 
> Core 6 that is set up so I can make the change for them.
> 
> Their FC6 system is set up so the accounts go to /sbin/nologin so they 
> don't have to change their password for email. But no one has shell 
> access, and a few need it, thus creating the need for passwords to change.
> 
> TIA

After retiring from the Army, I could not believe the password situation at the school where I 
started working as a computer applications teacher. I found that many of the teachers were using 
their spouses' and kids' names as passwords. Or, just as bad, coaches who rotated their 
passwords between baseball, football, and basketball. Needless to say, on more than one 
occasion we caught a student logged in on a teacher's computer.

When I convinced the technology coordinator to have them start to use strong passwords, we 
discovered that most started writing them on sticky notes and attaching them to the bottom of 
their keyboard, and more than one, right on the side of the monitor. Their excuse was always that 
they were afraid they would forget that complicated password, especially over a long holiday 
break or summer vacation. And, of course, we caught students stealing the teachers' passwords 
and using them, again.

We finally started giving classes on how to make very complicated passwords that are actually 
very easy to remember. For instance, take a significant name that only you know and will never 
forget and a significant year associated with that name. Spell the name backwards, mix in the 
year as every other letter, and add some punctuation to finish it out. For example, my son's first 
pet dog was named Boomer and we got him in 1989. Absolutely no one where I work knows 
about the dog. That info could easily be turned into this password: r1e9m8o9o!B. This makes for a 
nice complicated password that can easily be remembered without writing it down. After just a 
few slow logins most teachers quickly remember the sequence and can bang it out in just a 
couple of seconds.

Of course we do have to remind them periodically and check to make sure they are following the 
new guidelines as well as teach any new teachers that are hired.



Daniel A. Rachels, Sr.
drachels at adelphia.net
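The mnemonic scheme described in the reply above (reverse the name, interleave the year's digits, finish with punctuation), worked through as an added Python example; this is not code from the original post or the list. The name "Boomer", the year 1989 and the resulting string r1e9m8o9o!B are the post's own example; the function names and the simple character-class policy check are assumptions added here to show how an administrator could verify that such a password satisfies a typical complexity rule.

```python
import string


def mnemonic_password(name: str, year: str, punct: str = "!") -> str:
    """Build a password following the scheme in the post.

    Steps, as described there:
      1. spell the name backwards;
      2. place each digit of the year after successive letters
         ("every other letter");
      3. put the punctuation mark in front of the final letter.

    For ("Boomer", "1989", "!") this yields "r1e9m8o9o!B",
    matching the post's example.
    """
    if not year.isdigit():
        raise ValueError("year must be all digits")
    reversed_name = name[::-1]
    # Every digit must land after a letter and leave one letter for the end,
    # so the name has to be longer than the year.
    if len(reversed_name) <= len(year):
        raise ValueError("name must be longer than the year to interleave")

    out = []
    last = len(reversed_name) - 1
    for i, ch in enumerate(reversed_name):
        if i == last:
            out.append(punct)          # punctuation goes just before the last letter
        out.append(ch)
        if i < len(year):
            out.append(year[i])        # interleave one year digit after this letter
    return "".join(out)


def meets_policy(password: str, min_len: int = 10) -> bool:
    """Assumed complexity rule (not from the post): at least min_len characters
    and at least one lowercase letter, one uppercase letter, one digit and
    one punctuation character."""
    classes = (
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation,
    )
    if len(password) < min_len:
        return False
    return all(any(c in cls for c in password) for cls in classes)


if __name__ == "__main__":
    pw = mnemonic_password("Boomer", "1989", "!")
    print(pw, "meets policy:", meets_policy(pw))
```

Running the block reproduces the post's example password and reports that it passes the assumed four-class rule; a plain name-plus-year string such as "boomer1989" fails the same check, which is the kind of comparison worth showing users when teaching the scheme.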



