Have we had a PASSWORD thread lately? #*%& I hate them.

[Skip]

Funny story...

Did some work for a company using their development environment. We had a BA enter accounts to run test cases. He set up about a dozen but one was odd because the rest were like TestAccount1, TestAccount2, etc... Turned out to be the name of an actual ex Jenny _______ with the password = hotsex69.

He didn't know that column encryption wasn't enabled on the password field in the user table because it was a dev environment.

For the remainder of my time there, I called him Hotsex. He had a good sense of humor

Another story...

Did some work for a different company with an online presence where I was a customer many years ago. They replicated their production DB into a dev/test environment and failed to anonymize the PII and remove the passwords. There was my name, SSN, address, and password from many years prior.

Last one...

Had a coworker need help with login, called the helpdesk and had them on speakerphone. Rep asked for his password. This was an ancient AS/400 system that limited us to four characters. His password? POOP. Rep says "what?" He responds "PEE OOH OOH PEE." We died.

Moral of the story: Just because the UI doesn't show your password doesn't mean other people can't see it.

Side note: It is incredibly easy to anonymize info and obliterate passwords in data. Whenever I move data, I make it a point to do this. Even financial data for companies is scrubbed. But don't you dare tell a DBA why that's important because they know best even when they don't.

[brutal]

Had a coworker need help with login, called the helpdesk and had them on speakerphone. Rep asked for his password. This was an ancient AS/400 system that limited us to four characters. His password? POOP. Rep says "what?" He responds "PEE OOH OOH PEE." We died.

Probably a lot of "ancient" AS/400 still out there running, but after 26 years, the OS is still alive and kicking. http://www-03.ibm.com/systems/power/...e/i/index.html

Four character pwd would have been set as a system value. Prior to complex password support, up to 8 characters. Used to be an option for no password required at all, but it's been gone from the OS for very many years now. This was prior to Token Ring, Ethernet and TCP/IP, when we had hard wired terminals.

[Gman]

Seems like we're moving back to shared computing. They just call it "the cloud" and your terminal is a browser.

I remember when you wanted a color monitor, you had 2 choices - green or amber.

[gnihcraes]

I'm still fluent in iSeries (as/400) for a government agency today. Very much alive and well.

[ray1970]

I had the same password for my work computer for years. It was one of those that you had to every sixty days or so and I would keep,it the same and just change the last couple of digits. Worked well for about twelve years. Then those IT screwballs changed the rules and my password could no longer contain the word "password" and I was screwed. Lol.

My password used to be "Password01" and I would just change it to 02, 03, etc. every time I had to change it.

Apparently after twelve years that no longer met my company's strict security requirements.

I hope they don't find out that I have all of my logins and passwords written down in a book in my desk drawer. That will really make their heads spin.

I don't know how else they could expect anyone to remember unique logins and passwords for the computer, the time sheet program, my vehicle expense account, my purchase card, the corporate training site, my account access for controls operations, my benefits website, my retirement website, the HR service portal, and about six other things that require me to login with a password.

And that's just for work. I probably have about fifty other things to keep track of for my personal life. Some of those are written down as well. Some aren't.

I say fingerprint scans or retinal scans for everything screw the passwords.

[RblDiver]

(because I'm not going to memorize a 12 random character PW)

You know, a random-character password isn't more secure than a password of words you can remember.
http://www.explainxkcd.com/wiki/inde...sword_Strength

(I will point out that I do very poor practice and basically use the same password all around, or at least as much as they let me. I hate sites that have an upper limit on passwords that I have to remember where it stops!)

[brutal]

I'm still fluent in iSeries (as/400) for a government agency today. Very much alive and well.

Gov or Quasi Gov?

I'm an infrastructure/engineering guy, no coding.

Hiring?

[Zundfolge]

You know, a random-character password isn't more secure than a password of words you can remember.
http://www.explainxkcd.com/wiki/inde...sword_Strength

(I will point out that I do very poor practice and basically use the same password all around, or at least as much as they let me. I hate sites that have an upper limit on passwords that I have to remember where it stops!)

As much as I enjoy the XKCD cartoon (after all I posted it earlier in this thread) it doesn't take into account how actual hackers hack passwords. If they're going to "brute force" hack the password (that is just start throwing guesses en masse at the login) they tend to start out with a "commonly used passwords" list, then move to a dictionary, THEN run random characters.
But more commonly they'll look through your social media and compile a list of words that seem meaningful to you because most people use meaningful words as a password (for example my boss uses his wife's middle name plus their anniversary date for all his passwords).

No password is uncrackable, but actual words are slightly easier to guess. The strategy employed by the XKCD guy is long pass phrases of random words, which will work well against someone running a purely random brute force hack.

[brutal]

I'm still fluent in iSeries (as/400) for a government agency today. Very much alive and well.

Have a client that runs contact stuff for gov and is in the finance industry (PCI).

root password (not really "root") hasn't changed in eleventy years. In all honesty, only those with special access can even get somewhere they could enter those credentials, and everything is encrypted over the wire of course.

[brutal]

As much as I enjoy the XKCD cartoon (after all I posted it earlier in this thread) it doesn't take into account how actual hackers hack passwords. If they're going to "brute force" hack the password (that is just start throwing guesses en masse at the login) they tend to start out with a "commonly used passwords" list, then move to a dictionary, THEN run random characters.
But more commonly they'll look through your social media and compile a list of words that seem meaningful to you because most people use meaningful words as a password (for example my boss uses his wife's middle name plus their anniversary date for all his passwords).

No password is uncrackable, but actual words are slightly easier to guess. The strategy employed by the XKCD guy is long pass phrases of random words, which will work well against someone running a purely random brute force hack.

Most common user accounts are wide open after securing access to another database through exploits.

With most accounts getting locked out quickly after xx bad tries, brute force attacks on Joe blow's email or bank account isn't likely.

However, just one more reason to chose two (or if required 3) factor authentication methods where offered.