Explain this to me, please


Allan Martin

I have a long running disagreement with the outside network administrator at
one of my client sites. This inexperienced young man insists on using a
long complex password for the administrator like fjfj73273kksks92LMN
928BTD4. I told him there was no need for such a complex password and the
nature of the information he thinks he is securing does not warrant it.

I had to go onsite today and discovered that my network friend carried over
this policy to each user's login. Now instead of passwords like fluffy and
bananas each user has a complex password like the one above.


Guess what half the users have written on a Post-it dangling from their
monitors.


Explain this to me, please.
 
Brian

Allan said:
I have a long running disagreement with the outside network administrator at
one of my client sites. This inexperienced young man insists on using a
long complex password for the administrator like fjfj73273kksks92LMN
928BTD4. I told him there was no need for such a complex password and the
nature of the information he thinks he is securing does not warrant it.

I had to go onsite today and discovered that my network friend carried over
this policy to each user's login. Now instead of passwords like fluffy and
bananas each user has a complex password like the one above.


Guess what half the users have written on a Post-it dangling from their
monitors.


Explain this to me, please.

Our outside network consultant, who is very good, said that the minimum
length for an administrator password should be at least 17 characters.
This password should include both upper and lower case letters as well
as numbers and symbols. This would require a password hacker program to
work for several weeks to crack the password. Most hackers would give up
in a few days.

Our administrator password is 19 characters.

As to why we do this, I believe it limits our liability. If someone
hacked into our network and stole information for identity theft
purposes, I would want to be able to say that my network was secured to
current standards.

I understand that Microsoft recommends at least 7 character passwords
containing both upper and lower case letters as well as numbers and
symbols for workstation passwords; so, this is our policy for the
workstations.

I know you want to know how can I possibly remember the administrator
password. Well, this is not mine; but, here is one way to remember a 20
character password. I would just have to remember the words to Amazing
Grace.
AghstsTs@wlm10wlbn@f
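
The policy described in the post above, written as a check. This is an added example, not part of the original thread; the role names and the guessable-word list are assumptions made for the illustration.

```python
import math
import string

# Policy as described in the post above: administrator passwords of at least
# 17 characters, workstation passwords of at least 7, both using all four
# character classes. Role names are labels chosen for this example.
MIN_LENGTH = {"administrator": 17, "workstation": 7}
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
# Constructed sample of guessable words (the two named in the thread).
GUESSABLE = {"fluffy", "bananas"}


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def search_space_bits(password):
    """Upper bound on brute-force work, in bits: length * log2(pool size).

    Only meaningful for randomly chosen characters; a dictionary word falls
    to a wordlist long before exhaustive search.
    """
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def policy_failures(password, role):
    """List every way the password misses the policy for the given role."""
    failures = []
    if len(password) < MIN_LENGTH[role]:
        failures.append(f"shorter than {MIN_LENGTH[role]} characters")
    for name in sorted(CLASSES.keys() - classes_used(password)):
        failures.append(f"no {name} character")
    if password.lower() in GUESSABLE:
        failures.append("appears in the guessable-word list")
    return failures


if __name__ == "__main__":
    for pw, role in [("fluffy", "workstation"), ("OUTSIDE123", "workstation"),
                     ("AghstsTs@wlm10wlbn@f", "administrator")]:
        print(f"{pw!r} ({role}): {search_space_bits(pw):.0f} bits,",
              policy_failures(pw, role) or "meets policy")
```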
 
Allan Martin

Brian said:
Our outside network consultant, who is very good, said that the minimum
length for an administrator password should be at least 17 characters.
This password should include both upper and lower case letters as well as
numbers and symbols. This would require a password hacker program to work
for several weeks to crack the password. Most hackers would give up in a
few days.

Our administrator password is 19 characters.

As to why we do this, I believe it limits our liability. If someone hacked
into our network and stole information for identity theft purposes, I
would want to be able to say that my network was secured to current
standards.

I understand that Microsoft recommends at least 7 character passwords
containing both upper and lower case letters as well as numbers and
symbols for workstation passwords; so, this is our policy for the
workstations.

I know you want to know how can I possibly remember the administrator
password. Well, this is not mine; but, here is one way to remember a 20
character password. I would just have to remember the words to Amazing

The end users now have huge mumbo jumbo passwords. They can't remember them
so they wrote them out on Post-its and have them pasted on their monitors.
Security is non-existent.
 
Greg

Allan said:
I have a long running disagreement with the outside network administrator at
one of my client sites. This inexperienced young man insists on using a
long complex password for the administrator like fjfj73273kksks92LMN
928BTD4. I told him there was no need for such a complex password and the
nature of the information he thinks he is securing does not warrant it.

I had to go onsite today and discovered that my network friend carried over
this policy to each user's login. Now instead of passwords like fluffy and
bananas each user has a complex password like the one above.


Guess what half the users have written on a Post-it dangling from their
monitors.


Explain this to me, please.

Have you mentioned that you live in the real world at all..

Greg
 
Allan Martin

Greg said:
Have you mentioned that you live in the real world at all..

The real world is like Cheers, everyone knows your password.
 
Brian

Allan said:
The real world is like Cheers, everyone knows your password.

Not in our office. Even the administrator does not know any user
passwords. This is another security feature that is designed to know who
does what on the workstation. The administrator used to know all the
passwords; but, our outside consultant recommended that only the user
know their password. Apparently, this was based on several court cases
where the employer was unable to prove wrongdoing by a user because the
administrator also knew their password.

It is unfortunate that it has come to this. Nothing like the old days
when we did not ever have to lock our doors.
 
Allan Martin

Brian said:
Not in our office. Even the administrator does not know any user
passwords. This is another security feature that is designed to know who
does what on the workstation. The administrator used to know all the
passwords; but, our outside consultant recommended that only the user know
their password. Apparently, this was based on several court cases where
the employer was unable to prove wrongdoing by a user because the
administrator also knew their password.

It is unfortunate that it has come to this. Nothing like the old days when
we did not ever have to lock our doors.

I'm not old enough to remember those good old days. My original post implied
that very long and complex user passwords have a habit of getting written
down on slips of paper where all can view.
 
HeyBub

Allan said:
I'm not old enough to remember those good old days. My original post
implied that very long and complex user passwords have a habit of
getting written down on slips of paper where all can view.

But someone OUTSIDE the office can't view them.
 
scfundogs

Brian said:
Not in our office. Even the administrator does not know any user
passwords. This is another security feature that is designed to know who
does what on the workstation. The administrator used to know all the
passwords; but, our outside consultant recommended that only the user know
their password. Apparently, this was based on several court cases where
the employer was unable to prove wrongdoing by a user because the
administrator also knew their password.

It is unfortunate that it has come to this. Nothing like the old days when
we did not ever have to lock our doors.

Someone else besides the user had better be able to gain access to a user's
account should that user quit. The chances of having an employee quit and
leave a lot of critical information inaccessible are much higher than needing
to bring legal action against an employee for something they did on their
user account, at least IMO.
 
Allan Martin

HeyBub said:
But someone OUTSIDE the office can't view them.

The bad guys get jobs with a janitorial service and jot down the passwords
pasted to the monitors during the night.

My point is there are many instances where a password such as OUTSIDE123 is
better than YTfr65479HYiure45325JK788665HYTRFEDD321
 
Allan Martin

scfundogs said:
Someone else besides the user had better be able to gain access to a
user's account should that user quit. The chances of having an employee
quit and leave a lot of critical information inaccessible are much higher
than needing to bring legal action against an employee for something they
did on their user account, at least IMO.

The administrator can always change the password even though they do not
have access to the old one. Forget about quitting, as a consultant I often
need access to all workstations and sometimes users are out of the office.
Someone up the corporate food chain needs to have a list of passwords.
 
Brian

Allan said:
The administrator can always change the password even though they do not
have access to the old one. Forget about quitting, as a consultant I often
need access to all workstations and sometimes users are out of the office.
Someone up the corporate food chain needs to have a list of passwords.

Since you agree that the administrator can always change the password,
why does someone else need the password? For the reasons that I stated
before, it is best if only the user knows their password.
 
Allan Martin

Brian said:
Since you agree that the administrator can always change the password, why
does someone else need the password? For the reasons that I stated before,
it is best if only the user knows their password.

The owner of the business may not be the administrator. The administrator
can be an outside consultant who is pissed because they have not gotten paid
for several months.
 
Brian

Allan said:
The owner of the business may not be the administrator. The administrator
can be an outside consultant who is pissed because they have not gotten paid
for several months.

Of course, the owner of the business should have the administrator
password. Should the outside consultant change it without the owner's
knowledge, let the lawsuits begin. :)
 
scfundogs

Brian said:
Of course, the owner of the business should have the administrator
password. Should the outside consultant change it without the owner's
knowledge, let the lawsuits begin. :)

The lawsuit (nor criminal arrest) won't get you the password. You could
always hire a hacker in the event you find that your entire company is
locked out of its computers but that cost, coupled with company downtime,
possible loss of revenue and/or clients and applicable legal costs would be
enough to cripple some companies.
 
Allan Martin

scfundogs said:
The lawsuit (nor criminal arrest) won't get you the password. You could
always hire a hacker in the event you find that your entire company is
locked out of its computers but that cost, coupled with company downtime,
possible loss of revenue and/or clients and applicable legal costs would
be enough to cripple some companies.

Assuming physical access to the server is available, with the use of the
proper software regaining control should be quick and painless.
 
Barnabas Collins

Allan said:
I have a long running disagreement with the outside network administrator at
one of my client sites. This inexperienced young man insists on using a
long complex password for the administrator like fjfj73273kksks92LMN
928BTD4. I told him there was no need for such a complex password and the
nature of the information he thinks he is securing does not warrant it.

I had to go onsite today and discovered that my network friend carried over
this policy to each user's login. Now instead of passwords like fluffy and
bananas each user has a complex password like the one above.


Guess what half the users have written on a Post-it dangling from their
monitors.


Explain this to me, please.

It's a good idea to have a password that is hard to guess.
A combination of letters and numbers. But the worst thing
you can do is post the password on a sticky note on the monitor.

So if everyone in the office knows your cat's name is Fluffy
it ain't a good idea to have Fluffy as your password.

I would point out even with a long password, with a keylogger that
password can be broken.
 
Barnabas Collins

Brian said:
This password should include both upper and lower case letters as well
as numbers and symbols.

I'd stick with A-Z, a-z, 1-9. Some systems won't accept
special symbols and the ASCII for those special symbols
may vary from location to location.

Brian said:
This would require a password hacker program to
work for several weeks to crack the password. Most hackers would give up
in a few days.

A keylogger program gives them the password quickly.

When it comes to security, dump the passwords and consider
using a fingerprint to gain access to the computer.

Who knows, ten years from now the password will be history.
Access will be through fingerprint, an iris scan, or some
other form that hasn't even been invented yet.
 
Barnabas Collins

Allan said:
The bad guys get jobs with a janitorial service and jot down the passwords
pasted to the monitors during the night.

My point is there are many instances where a password such as OUTSIDE123 is
better than YTfr65479HYiure45325JK788665HYTRFEDD321

If you're a bad guy both passwords are just as useless whether you're
in the building as a janitor, in there as a manager, or a thousand
miles away using a key logger.
 
