Don't change your password......WHAT????

[Blansky]

Now the word is, you don't need to change your password all the time....

Wow, now I'm finally doing it right.

https://www.theguardian.com/commenti...e_iOSApp_Other

[brandrea]

This is fantastic!! I was about to change my password from abcdefg to gfedcba.

[Blansky]

Quote:

Originally Posted by brandrea

This is fantastic!! I was about to change my password from abcdefg to gfedcba.

You should always have a number in there somewhere too!!!!!

Might I suggest 007 because nobody will think of that one.

[enjoythemusic]

[Krash]

I never change my personal passwords. There is no need to do so. Don’t write them down and don’t give them to anyone.

It’s actually sort of silly to do so. If someone has the technical wherewithal to find out what your old password was, they could just as easily find out what your new password is. It also doesn’t help with the most common breaches like email phishing, for example.

With that said, if you ever gave your password to someone or think you were breached, then definitely change it. It’s also important for corporations to enforce password changes, because employees are always sharing them with their co-workers. We had to deal with this constantly. And then we could have some rogue person who quit or got fired, and they still have system access.


Sent from my iPhone using Tapatalk

[Blansky]

I like to keep the same password for everything because if someone goes to all the trouble of hacking me, there's no sense being a jerk about it and having a different one for all the 40 sites I visit.

And just to be on the safe side I change it usually every 10 years or so.

[brandrea]

Quote:

Originally Posted by Blansky

I like to keep the same password for everything because if someone goes to all the trouble of hacking me, there's no sense being a jerk about it and having a different one for all the 40 sites I visit.

And just to be on the safe side I change it usually every 10 years or so.

This is brilliant.

You should start a weekly feature here: “Blansky’s Life Hacks”

[Blansky]

Quote:

Originally Posted by brandrea

This is brilliant.

You should start a weekly feature here: “Blansky’s Life Hacks”

I thought that's what I was doing here.

[brandrea]

Quote:

Originally Posted by Blansky

I thought that's what I was doing here.

Only post the good one’s

[Blansky]

Quote:

Originally Posted by brandrea

Only post the good one’s

Then there wouldn't be any.

[GradyPhilpott]

Quote:

Originally Posted by Blansky

I like to keep the same password for everything because if someone goes to all the trouble of hacking me, there's no sense being a jerk about it and having a different one for all the 40 sites I visit.

And just to be on the safe side I change it usually every 10 years or so.

[KathleenL]

Quote:

Originally Posted by Krash

[snip]

With that said, if you ever gave your password to someone or think you were breached, then definitely change it. It’s also important for corporations to enforce password changes, because employees are always sharing them with their co-workers. We had to deal with this constantly. And then we could have some rogue person who quit or got fired, and they still have system access.

Sent from my iPhone using Tapatalk

If folks who quit or got fired still had system access, your company has a severe problem in your IT department. Before I retired, I was a Domain Administrator for a large state agency. I often knew that an employee was going to be fired in advance of the employee being informed (and escorted out of the building). I would be informed of the date/time and at the designated date/time I would disable the employee's system access. If it were a sudden termination, I would be notified as soon as it happened and would immediately disable the employee's access. As soon as an employee gave notice that they were quitting, I would be notified and I would set the employee's network access to expire at 5:00pm on their last day, and if they left early, I'd be notified and disable their account immediately. And all employees had to change their password every 90 days.

[Krash]

Quote:

Originally Posted by KathleenL

If folks who quit or got fired still had system access, your company has a severe problem in your IT department. Before I retired, I was a Domain Administrator for a large state agency. I often knew that an employee was going to be fired in advance of the employee being informed (and escorted out of the building). I would be informed of the date/time and at the designated date/time I would disable the employee's system access. If it were a sudden termination, I would be notified as soon as it happened and would immediately disable the employee's access. As soon as an employee gave notice that they were quitting, I would be notified and I would set the employee's network access to expire at 5:00pm on their last day, and if they left early, I'd be notified and disable their account immediately. And all employees had to change their password every 90 days.

This is exactly what our process was. The problem we had is when employees shared passwords. For example, person A gives his or her password to person B. Person B quits, or gets fired. We remove his or her access, but they still have person A’s username and password. It’s a risk that needs to be accounted for.

We had very strict guidelines. Under no circumstances should you ever share your password, but unfortunately, it did happen. Ultimately our security systems became more sophisticated, and mitigated against this risk.

But it could still be a problem if someone transfers to a different department, and still has access to systems they shouldn’t have access to.


Sent from my iPhone using Tapatalk

[Blansky]

Sharing passwords is DANGEROUS.

My wife knows my password and can access my browsing history.

That's NEVER a good thing.

[VictorGMT]

Quote:

Originally Posted by Blansky

Now the word is, you don't need to change your password all the time....

Wow, now I'm finally doing it right.

https://www.theguardian.com/commenti...e_iOSApp_Other

"It’s another nail in the coffin for the practice, which is no longer recommended by organisations including the US Federal Trade Commission, Microsoft and the UK’s National Cybersecurity Centre (NCSC) – which has advised against regularly changing passwords since 2015."

THIS.

And they don't mention another problem.

I've had plenty of users who were able to properly set and remember a password. But when forced to change frequently for multiple sites, they had no choice but to write them down. Opening a new vector for compromise.

(Password managers weren't a thing back when I was in these roles).

[INC]

Quote:

Originally Posted by VictorGMT

(Password managers weren't a thing back when I was in these roles).

I do not agree with this in general.

There was always an option to put your passwords in a password protected file. So despite the fact that this method was not called a "password manager", and a text file obviously could not put the password in palace, but this solution has worked since ancient times.

The whole "change the password" misery started because unprepared "users" (in famous terms: idiots) still use passwords like "12345" and "password" to this day.

Of course, I understand that systems have to be prepared for stupid people, but it would be much simpler if they din't let stupid people near them. Not to mention that the work processes should be designed in such a way that no one should have to give their password to someone else to solve an issue. But in a case, when the whole work organization is bad because of the complicated and strict rules, in practice the only way to solve problems in many cases is if someone gives someone else their password.

In my experience, it's more common that when companies can't handle workflow issues, they try to hide them for example with silly password rules. And since they would be in line with the trends of Fortune 500 companies, all smaller companies start slavishly copying these rules instead of thinking about why they are needed? An 8-character number+letter+character password CANNOT be guessed if the system blocks attempts after the third attempt. But this is actually true even for a 4-digit pin code. And then we didn't even mention biometric identification, even though it wasn't invented today in the computer industry either.

[KathleenL]

Quote:

Originally Posted by Krash

This is exactly what our process was. The problem we had is when employees shared passwords. For example, person A gives his or her password to person B. Person B quits, or gets fired. We remove his or her access, but they still have person A’s username and password. It’s a risk that needs to be accounted for.

We had very strict guidelines. Under no circumstances should you ever share your password, but unfortunately, it did happen. Ultimately our security systems became more sophisticated, and mitigated against this risk.

But it could still be a problem if someone transfers to a different department, and still has access to systems they shouldn’t have access to.


Sent from my iPhone using Tapatalk

I don't know if the Agency is still using it, but when I was there, we used a software called Remedy to create "tickets" to keep track of IT work that was done. The managers and supervisors throughout the Agency were very good about submitting work requests for EEs who were transferring, and from those, I would create the appropriate Remedy tickets. The subject line would begin with "DUE [and then the date] so at a glance at the console I could see what tickets were due on which dates. Say, for example, Joe Smith is transferring from one area of the Agency to another. At the end of the business day on Joe's last day in his current area, I would modify his account to remove him from the security groups that gave him access to the various servers/directories/files that he needed for that position, and add him into the security groups that he will need for his new position. And because my work day ended later than 99.9% of the other employees, this was all accomplished after the transferring employee was done for the day in their "old" position.