Keepass is a safe password manager.
The only way I would use a website check is to use a generic password template that is similar to the one I wish to check (even shifting each character up or down by one character), basically the same number of characters and mix of character types as the actual password to check.
I have used Keepass at times, but even then make sure that the password database at a minimum is stored on a USB key, or preferably use the portable version of Keepass from a USB stick.
Working in tech support, we do support for a couple of companies. One thing I loathe is the 45/90 day password reset cycle. Every time it happens, a bunch of users e-mail and call in moaning and whining and complaining about having to change their passwords. The number one common question I get is "Can't I just use the same password I had before?" Especially when supporting overseas (I'm in the US) users, it only gets worse. Luckily in most cases, we can set the same password they had before.
Is it a security risk? Of course it is. But if we don't, I know that all they're going to do is write it down on a post-it note and put it right on their monitor, thereby negating the point of forcing them to change their password. As much as I want to be security conscious, I've been working tech support long enough that I've really stopped caring. It's like the company I used to work for: about a month before laying us off, they came up with a completely inane policy of requiring at least a 12 character password with an uppercase, lowercase, number, and special character in it. I remember walking around that day finding at least 10 people who had post-it notes with their password written on their monitors. I just looked around and thought "hmm...somehow I saw that coming."
The way I've seen it go down is that the more security is put in, the more users will rebel. And the more users rebel, the harder it will become to lock them down, because they'll always find a way around the new security measures. And I find it especially laughable how often management types (IT Director/CIO, Department Managers, VPs) don't have a clue of reality versus their numbers-painted, ivory-tower view.
(A bit of an opinionated rant, I know but I just wanted to throw it out there)
Well, one way I've seen it worked around where I've consulted (and I've suggested it to others with success) is to allow users to write their passwords down on a post-it, but they *must* keep it in their wallet, purse, whatever, as long as it's not under the keyboard or attached to the monitor. That way, if they lose it, they call and reset the password. It's not ideal, but it was the only real concession to make to get some of the C-level execs to stop doing it (they're the worst, and the first to breathe down your neck if it all goes horribly wrong if someone's password was stolen too.... aaah, the irony), and it has the unintentional but wonderful side-effect of people actually remembering their passwords - they actually have to think about it, they see it on the paper, and then enter it - we find that in general, within about 3-5 days, everyone can remember their current password. Passwords are 8 chars, but with one special character, an upper and lower case letter, and a number. It's not the most complex, but it is still secure enough to create decent passwords. Password changes are every 45 days, and I suggest they set it to remember 8 passwords (basically a year's worth).
Honestly, password security isn't the real problem anyway with this sort of risk (that part is easy to get users to agree to, almost always), it's the fact that we allow users to go more than 30 days without changing that password again (or some short arbitrary number, depending on how vulnerable you would expect to be given the type of data you'd store and the type of industry you're in). Who cares if a hacker got the AD SAM and hacked it in a few weeks? If you're doing it right, the password's already changed, and your auditing will catch the attack right away.
True, C-level execs are the worst at this. They think they're above the policy they created somehow. "Do as I say, not as I do". Yeah, the password reset cycle has its purpose, though I notice people will change their password to something that is so close to their previous password that only one thing changes, which again negates the point but does help to a degree. I know some places have a requirement in particular that I've seen where you have to change the password to something that's at least a few characters different each time, and you can't reset to the same password each time. Not exactly popular, but depending on the industry, could be very important.
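An added example, not code posted by anyone in this thread: a password-change check that enforces the two controls discussed above, a history of the last 8 password hashes (the depth suggested earlier in the thread) and a minimum number of character edits between the current password and the new one (the threshold of 3 is an assumption). Older passwords are kept only as salted hashes; the similarity check is possible only against the current password, which the user has to supply at change time anyway.

```python
import hashlib
import os
from typing import List, Optional, Tuple

HISTORY_DEPTH = 8      # from the thread: remember the last 8 passwords
MIN_EDIT_DISTANCE = 3  # assumption: "at least a few characters different"

Entry = Tuple[bytes, bytes]  # (salt, pbkdf2 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_history(candidate: str, history: List[Entry]) -> bool:
    """Re-hash the candidate with each stored salt; no plaintext is ever kept."""
    return any(hash_password(candidate, salt)[1] == digest for salt, digest in history)


def change_password(current: str, new: str, history: List[Entry]) -> Tuple[bool, str]:
    """Return (accepted, reason). history holds (salt, digest) pairs, newest last."""
    # Compare case-insensitively so "Summer2020!" -> "summer2021!" is still 'too close'.
    if levenshtein(current.lower(), new.lower()) < MIN_EDIT_DISTANCE:
        return False, "too similar to current password"
    if in_history(new, history):
        return False, "reused a recent password"
    history.append(hash_password(new))
    del history[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH entries
    return True, "ok"
```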
I'm just saying I don't think password complexity is everything though it can mitigate brute force attacks. I think two-factor authentication is a better path; for example a smart card plus a password or better yet, smart card plus a fingerprint. I think it could certainly help but then again, there is the whole "no two fingerprints are identical" idea. I've read that it's not so much that it's not possible rather that it just hasn't been found to occur so that could be a potential issue but I do believe two-factor authentication can help if practiced properly.
"I remember walking around that day finding about at least 10 people who had post-it notes with their password written on their monitors."
The problem is, users will do that no matter what. What needs to be done is action taken. We find it posted like that, you're fired.
The major problem with the "you're fired" route is that the worst offenders are often too far up the greasy pole to be touched even by the IT department.
You just have to be more subtle with them - physically removing the post-it when they're off for the day is one good one.
Yes, this is absolutely correct. Authentication should be multi-factor, specifically, what you know (username/password), plus what you have (smartcard or fingerprint). It is infinitely harder to attack something when you have to be physically present to do so - yes, I know social engineering can happen, but other than user education there's not much you can do to avoid that. You plan for the worst, and audit your network.
And the fact I never thought of that means I'm committing this one to memory right now.
When it comes to long complicated passwords in the corporate environment, one has to ask, which is more secure: a relatively weak password stored only in the user's brain, or a relatively strong password stored on a sticky note in plain view of everyone that passes by? I'm inclined to vote for the former.