Extranet password expired (again)

The password expires far too frequently for the level of risk – it's just an extranet giving access to minimal data, none of which is earth-shattering. And I very rarely use it.

I'd have thought a permanent password would have been adequate. I have never understood the value of passwords that expire in 60 or 90 days; it's just a ball ache for occasional users and for the admins who have to reset everything every couple of months. I'm not convinced it's mitigating any real-world worthwhile risks in this case. (Correct me if I'm wrong? I suppose it does save them from having to manually delete users – maybe 6-monthly then?)

The warning emails start weeks before it's due to expire. Obviously at that point the message gets marked as non-urgent in my mind. I then continue to ignore all subsequent warnings right up until my account gets frozen.

The messages should probably come from different sources and have different titles to differentiate the informational ‘it will soon be time to change your password’ from the ‘urgent action required – you are about to get locked out’.

The subject line ‘Password expiration warning’ repeated in daily emails I find incredibly easy to ignore.

Anyone with me on this or do you all just think I’m a slacker for not sorting it out?

I managed to get it renewed several days before I was permanently removed for ever. It's not that simple: it requires me to use a different operating system and a different browser from my usual ones (i.e. a different physical machine).

Anyone else suffering from over-zealous security? (e.g. trying to take 2 bags on a plane in the UK (in certain airports – in some it's still 1 item of hand baggage))

I won't even talk about the cumbersome password rules; needless to say I've written it out on a piece of paper in my top right-hand desk drawer like everyone else.

cheers

Simon


7 Responses to “Extranet password expired (again)”

  1. Rob Bruce Says:

    I’ve just completed my self-assessment forms.
    I reckon I probably underclaimed expenses and pension contributions very slightly, but the government’s only going to waste the extra couple of quid on schools or hospitals or IT consultants or something, so I don’t mind.
    Anyway, the process only took me about an hour, which was OK.
    Finding the password to get me into open.government, however, took me two hours of archaeological digging in my filing ‘system’. Doh.

  2. Harlan Grove Says:

    The organization hosting the extranet probably is required by some governmental body to enforce periodic password changes. Unless you believe you can convince government bureaucrats to favor practicality over written rules, you’ll need to adapt.

    As for password rules, there are many longish phrases I’ve memorized over the years that would be difficult to crack simply because of their length and obscurity. Especially non-English passages with a few words in English, making dictionary attacks much harder. And munging Greek with ASCII chars would be even nastier to crack (e.g., Xp16to6 ave6t1).

    But, No! Because the password minder used at work also needs to manage mainframe account passwords, passwords must be 7 or 8 chars long – PERIOD – and those 7 or 8 chars must contain at least one upper case, one lower case and one decimal numeral char, be made up of only such chars (because the mainframe chokes on anything else), not contain any adjacent repeated chars, and not contain any substrings found in the password minder’s mercifully short dictionary. Fortunately there are many easily munged 4-letter words that come to mind when I have to change my password.

  3. Martin Rushton Says:

    Here where I work I need a password for

    The Workstation (PC)
    The Network
    Email (Outlook)
    The Finance System
    The HR System

    There are a few other central systems that I may potentially need access to, but at the moment don't, including a room booking system, an inventory (asset register) and, being a Uni, a student record system.

    There are also a few other things I need to login to including an Intranet portal and a system for adding users to network groups with specific permissions which use the Network userID/password but still need entering again even when logged on/validated to the network.

    Fortunately the workstation and network password can be synchronised into a single log on. Unfortunately, with the exception of Outlook, all the other passwords force a change every 60 days to a password that hasn't been used in the last 12 months. This means each system requires at least 7 different passwords within a year. This is as a result of our Audit Committee deciding that this is much more secure than occasional/non-existent changes. Even the Sys Admin guy responsible for controlling the policy has argued until he is blue in the face that it isn't more secure as, with so many passwords to remember, and a lock out after 3 failed attempts, most users resort to Simon's method of writing it down (in breach of the usage policy) or, as in my case, have root passwords which are changed very slightly every 60 days. However, as I still have to remember the very small change, it wouldn't take Einstein to work out the pattern I use for that change.

    Despite insisting the policy is more secure, the same audit committee will not entertain the concept of electronic signature, therefore an email cannot be considered as authorisation, and much of the work in the Finance and HR systems still requires additional paperwork with a handwritten signature.

    Rumour is that they are softening on the electronic signature, but as rumours of a single log-on to all systems the user has access to are likely to soon turn to reality, I'm not holding my breath. At least the latter will finally be a step in the right direction (it was first talked about over 5 years ago).
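Martin's last point, that a slightly nudged password satisfies a 60-day rotation with a 12-month history, is exactly the case a password-change handler can reject. The check below is an added example and is not code from the post or from any commenter; the function names, thresholds and the sample passwords are constructed for illustration.

```python
import re

# Added example: reject a new password that is only a trivial tweak of the one
# being replaced. Only the outgoing password is in plaintext at change time, so
# that is the only one compared; older history entries are normally just hashes.

MAX_EDITS = 2      # edit distance at or below which two passwords count as the same
MIN_CORE = 4       # shortest shared stem worth treating as a reuse


def normalise(pw: str) -> str:
    """Lower-case and strip the trailing digits/punctuation that rotation
    schemes usually bump, so 'Spring07!' and 'Spring08!' both become 'spring'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(new: str, old: str) -> bool:
    """True when `new` is a trivial variation of `old` and should be rejected."""
    n, o = new.lower(), old.lower()
    if n == o or n == o[::-1]:
        return True                       # case change or reversal only
    if levenshtein(n, o) <= MAX_EDITS:
        return True                       # a character or two swapped/added
    cn, co = normalise(new), normalise(old)
    if cn and cn == co:
        return True                       # only the counter suffix moved
    shorter, longer = sorted((cn, co), key=len)
    if len(shorter) >= MIN_CORE and shorter in longer:
        return True                       # old stem embedded in the new one
    return False


if __name__ == "__main__":
    # Constructed sample: four rotations of one stem, then a genuinely new choice.
    history = ["Kingfisher01", "Kingfisher02", "Kingfisher03", "K1ngfisher03", "BlueHeron77"]
    for prev, cand in zip(history, history[1:]):
        verdict = "REJECT" if too_similar(cand, prev) else "accept"
        print(f"{prev:>14} -> {cand:<14} {verdict}")
```

The thresholds are a policy choice: a larger `MAX_EDITS` catches more rotation patterns but also rejects more legitimate new passwords that happen to share characters.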

  4. Marcus Says:

    At one place I’ve worked we were required to change our PC password every month. You also couldn’t use the prior 13 passwords which had to have mixed case (at least one capital) and at least one numeric.

    It took a week (usually two) before I stopped entering the prior password and simply entered the current one without having to think about it.

  5. Biggus Dickus Says:

    My favourite password story is from Dilbert (of course), where the PTHB announced a new password policy where, “starting today, all passwords must contain letters, numbers, doodles, sign language and squirrel noises.” Love it !! Too bad I couldn’t find the actual cartoon.

    It’s all overkill to me. I am a believer in “good-enough” security where the security processes don’t prevent the business from being done. The “Data Nazis” are still looking for ways to get CONTROL !!!

    Dick

  6. Marcus Says:

    Biggus – I’m pretty sure there’s another Dilbert where support suggests PTHB changes his password to all asterisks. While doing this the PTHB ‘hopes’ he can remember.

    Almost as good as believing deleting files will make his laptop lighter.

    Cheers – Marcus

  7. Jon Peltier Says:

    I think the asterisk one started with the PHB being told he needs eight characters, with mixed numbers and letters. He says “ABCDE”, No, he’s reminded, eight characters, mixed numbers and letters. He says “12345”. Then he’s told to try all asterisks, which he’s afraid he’ll forget.
