SIGforum.com    Main Page  Hop To Forum Categories  What's Your Deal!    Your Password Has Expired
Your Password Has Expired
Ugly Bag of
Mostly Water
ridgerat
posted
At work we use a smartphone app as our timeclock. It is also used for scheduling PTO, etc.

This morning I had to open the app to 'approve' my timecard, so I can get paid.

Your Password Has Expired.

Nobody accesses my timecard but me! Why does it need to change?

First... I use face-recognition on my phone to... well, access the app. Then the app itself uses face-recognition just to open. Then I must finger-type in my software-assigned gibberish Username and my password, to access my timecard.

So, with all that security, why must I change my password?

Of course, I must choose a new password that is 12 or more characters, using at least TWO capital letters, TWO numbers and one special character. Oh yeah, and it can't be any of my previous 4 passwords! WTF? Who comes up with this stuff?

I think there must be millions of face-changing aliens out there, infiltrating payroll apps and messing with people's work hours.

And don't even get me started on all the crazy unintuitive steps there are just to schedule PTO.



Endowment Life Member, NRA • Member, Gun Owners of America & Member, Arizona Citizens Defense League
 
Posts: 2828 | Location: Tucson, AZ | Registered: March 25, 2012
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by ridgerat:
At work we use a smartphone app as our timeclock. It is also used for scheduling PTO, etc.

This morning I had to open the app to 'approve' my timecard, so I can get paid.

Your Password Has Expired.

Nobody accesses my timecard but me! Why does it need to change?

Because stupid people who should not be setting I.T. policy are being allowed to set misguided I.T. policy.

At some point somebody got it into their heads that forcing end-users to regularly change passwords led to increased security. I've no idea where that came from or what was their reasoning, but multiple studies have been done to show that, not only does it not increase security, but it often degrades it.

The stupidest ones are the ones where you access the account only rarely. So rarely that every time you log in your old password has expired. At one business-related account I had at work I got so tired of creating new passwords and updating my keyring every time I logged in that I ended up with a list of ten passwords through which I rotated. Every time they expired a password I'd put that one at the bottom of the list and substitute the one at the top.

My wireless carrier implemented that nonsense. I called customer support and bitched about the stupidity of it. Nothing they could do about it. "Fine," I replied, "then you can go back to the trouble and expense of sending out paper billing statements, again, and kill our on-line account access, because we won't be using it anymore. I won't put up with that stupidity."

A year or two later I re-activated our on-line access and found they'd done away with the forced password change Wink



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
Member
Pyker
posted
They had this asshattery at work. They made us change every 60 days and banned the use of the last two or three passwords. I just used the same password and added the month that I changed it on the end.
 
Posts: 2763 | Location: Lake Country, Minnesota | Registered: September 06, 2019
Ugly Bag of
Mostly Water
ridgerat
posted
We also use Microsoft Outlook for email. And, we have to change our password for that every three months as well.

But in this case, I just let it expire, then call the help desk. They reset it to my default password, which I continue to use for my 'permanent' password.



Endowment Life Member, NRA • Member, Gun Owners of America & Member, Arizona Citizens Defense League
 
Posts: 2828 | Location: Tucson, AZ | Registered: March 25, 2012
Eschew Obfuscation
posted
quote:
Originally posted by Pyker:
They had this asshattery at work. They made us change every 60 days and banned the use of the last two or three passwords. I just used the same password and added the month that I changed it on the end.

Yep. I did something similar. I added "01" to the end of my password. When I was required to update to a new password, I simply switched it to the same password and added "02" on the end. IIRC, we were required to redo our passwords quite often, maybe as often as every 30 days. It might not have been that short a duration, but it sure seemed like it at the time.


_____________________________________________________________________
“Civilization is not inherited; it has to be learned and earned by each generation anew; if the transmission should be interrupted for one century, civilization would die, and we should be savages again." - Will Durant
 
Posts: 6373 | Location: Chicago, IL | Registered: December 17, 2007
My other Sig
is a Steyr.
.38supersig
posted
Same here.

When we had 'real' passwords at work that didn't expire, mine were usually in Latin or Japanese.

Now my most recently expired password was 'P0PSICLE'.

Yup, that one has the security that Fort Knox would envy. Big Grin

Posts: 9112 | Location: Somewhere looking for ammo that nobody has at a place I haven't been to for a pistol I couldn't live without... | Registered: December 02, 2014
Member
posted
At work we have to change every 3 months or so. We have a common password that works across multiple systems, but due to legacy systems including mainframes, I am limited to:

- 8 characters
- At least one lower case letter
- At least one upper case letter
- At least one number
- At least one symbol, but only like 3 or 5 choices
- No repeating characters
- Can't use the last few passwords

So I have a 5 letter base with a capital letter, a symbol, and a number I index during each change.

I also have a company issued iPhone that has a configuration and security management app on it to use company email and calendars with the Apple apps. I have optionally installed the Outlook app because it works more seamlessly for email and calendars (doesn't screw up email formatting like the Apple mail app). At first I was required to re-login every WEEK, with two-factor login!

Mind you like another poster, this is on a company issued phone, with mandatory passcode that automatically locks the phone after the minimum time period, and deletes everything after 10 failed attempts. The Outlook login is the same password explained above that has to change every 3 months. So on top of all that is re-logging in every week. Recently they changed it so it's maybe every month now, and you just have to do the two-factor second step of entering the code that is texted.

But seriously, forcing people to constantly change passwords ENCOURAGES them to use something easy to remember (and thus easy to hack). The amount of non-value added time and expense caused by forgotten passwords and calling tech support for a reset is probably significant. And I have seen no actual data supporting hacking accounts by guessing the password. Phishing is the most common way to get access, or malware caused by clicking links or opening attachments in emails.

And from now on any email that is unsolicited or from a mailing list gets reported as potential phishing and blocked. Let IT sort it out. I am going to tell all suppliers I work with that any automated emails not from a specific individual that I know will result in phishing reports and blocks - so take me off any mailing lists.

On the other hand, my Apple ID password has no limits on length, and they never ask me to change it. I use a multiword phrase with a symbol in it. It's easy to remember but impossible to hack.
 
Posts: 4690 | Location: Indiana | Registered: December 28, 2004
quarter MOA visionary
smschulz
posted
quote:
At some point somebody got it into their heads that forcing end-users to regularly change passwords led to increased security. I've no idea where that came from or what was their reasoning, but multiple studies have been done to show that, not only does it not increase security, but it often degrades it.


I wouldn't say it is degraded by simply changing it.
What makes it a security improvement is that those who previously knew the PW and shouldn't have to guess again.
Where I see the breakdown is lack of complexity as well as simply modifying the existing one such as adding another "8" to the end or taping the PW to your monitor.
Of course, a way to reasonably reset it without IT intervention is nice too.
If it annoys the user > so what ... as long as it isn't one of the bosses. Smile
 
Posts: 22858 | Location: Houston, TX | Registered: June 11, 2006
I Deal In Lead
Flash-LB
posted
Mrs. Flash went through this on a regular basis where she worked for the County. The IT Director was a real winner who didn't much know which way was up. (I did a meeting with him once regarding upgrading something for the County and found his ignorance appalling).

Anyway, I found that when I went into Public sector places to do work, all I usually had to do was lift up the keyboard and I'd find the yellow sticky note on the bottom with the current password.

It's absurd.
 
Posts: 10626 | Location: Gilbert Arizona | Registered: March 21, 2013
Purveyor of
Fine Avatars
Orguss
posted
I've been using a service that requires a new password every 90 days; however, I found out that if you ignore the warnings and continue using your password, it immediately stops prompting for a new password upon the 90th day. So I've been using the same password for the past eight months.



"I'm yet another resource-consuming kid in an overpopulated planet raised to an alarming extent by Hollywood and Madison Avenue, poised with my cynical and alienated peers to take over the world when you're old and weak!" - Calvin, "Calvin & Hobbes"
 
Posts: 18018 | Location: Sonoma County, CA | Registered: April 09, 2004
Member
spdski
posted
quote:
Originally posted by CoolRich59:
quote:
Originally posted by Pyker:
They had this asshattery at work. They made us change every 60 days and banned the use of the last two or three passwords. I just used the same password and added the month that I changed it on the end.

Yep. I did something similar. I added "01" to the end of my password. When I was required to update to a new password, I simply switched it to the same password and added "02" on the end. IIRC, we were required to redo our passwords quite often, maybe as often as every 30 days. I might not have been that short a duration, but it sure seemed like it at the time.


They changed the rules on our timekeeping software to even get rid of that. The system says the password is too similar to the previous password. Argh!!

So, now I have to alternate password systems. Even dumber because you definitely can’t avoid writing those down.
 
Posts: 1273 | Location: Waxahachie, TX | Registered: October 04, 2009
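Several posts above describe the same thing from the user's side: a rule list like the Indiana poster's 8-character mainframe set or ridgerat's 12-character timeclock set, the "same password plus a counter" workaround Pyker and CoolRich59 describe, and the "too similar to the previous password" rejection spdski ran into. The Python below is an added example, not code from SIGforum or from any of the systems mentioned; it encodes both rule sets as policies, keeps the history as salted hashes rather than plaintext, and shows how a similarity check can only run at change time, when the user has just typed the old password. The thresholds, the salt and the symbol sets are constructed.

```python
import difflib
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Policy:
    """Password-change rules; field defaults are constructed for this example."""
    min_len: int
    max_len: int = 128
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    allowed_symbols: str = "!@#$%^&*()-_=+[]{};:,.?/"
    no_repeats: bool = False      # "no repeating characters"
    history: int = 4              # previous passwords that may not be reused
    max_similarity: float = 0.75  # SequenceMatcher ratio at which a change is "too similar"


# Legacy/mainframe rules from the thread: exactly 8 chars, a few symbols, no repeats.
LEGACY = Policy(min_len=8, max_len=8, allowed_symbols="#$@", no_repeats=True, history=3)
# Timeclock rules from the thread: 12+, two capitals, two digits, one special, not last four.
TIMECLOCK = Policy(min_len=12, min_upper=2, min_digits=2, history=4)

SALT = b"constructed-demo-salt"  # a real system keeps a random salt per user


def hash_pw(pw: str, salt: bytes = SALT, rounds: int = 100_000) -> bytes:
    """Slow salted hash so the stored history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def _stem(pw: str) -> str:
    """Drop the trailing digits/symbols people bump each cycle, then casefold."""
    return re.sub(r"[^A-Za-z]+$", "", pw).casefold()


def too_similar(new: str, old: str, limit: float) -> bool:
    """Catches 'Summer2019!' -> 'Summer2020!' and other near-identical changes."""
    if _stem(new) and _stem(new) == _stem(old):
        return True
    ratio = difflib.SequenceMatcher(None, new.casefold(), old.casefold()).ratio()
    return ratio >= limit


def check_change(new: str, old: str, prior_hashes: list, policy: Policy) -> list:
    """Return the rule violations for a proposed change; an empty list means accepted.
    `old` is the current password the user just typed to authenticate (the only moment a
    plaintext similarity check is possible); `prior_hashes` is the stored hash history."""
    problems = []
    n = len(new)
    if not policy.min_len <= n <= policy.max_len:
        problems.append(f"length must be {policy.min_len}-{policy.max_len} characters")
    if sum(c.islower() for c in new) < policy.min_lower:
        problems.append(f"needs {policy.min_lower} lower-case letter(s)")
    if sum(c.isupper() for c in new) < policy.min_upper:
        problems.append(f"needs {policy.min_upper} upper-case letter(s)")
    if sum(c.isdigit() for c in new) < policy.min_digits:
        problems.append(f"needs {policy.min_digits} digit(s)")
    if sum(c in policy.allowed_symbols for c in new) < policy.min_symbols:
        problems.append(f"needs {policy.min_symbols} symbol(s) from {policy.allowed_symbols!r}")
    bad = {c for c in new if not c.isalnum() and c not in policy.allowed_symbols}
    if bad:
        problems.append(f"characters not permitted: {''.join(sorted(bad))!r}")
    if policy.no_repeats and len(set(new)) != n:
        problems.append("no repeated characters allowed")
    if hash_pw(new) in prior_hashes[-policy.history:]:
        problems.append(f"matches one of the last {policy.history} passwords")
    elif too_similar(new, old, policy.max_similarity):
        problems.append("too similar to the previous password")
    return problems
```

A passphrase such as the Apple ID example further up the thread passes the timeclock policy cleanly, while the counter-suffix trick is caught by the stem comparison even when the new value never appeared in the history.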
אַרְיֵה
V-Tail
posted
Choose a new password:

potato

Sorry, password must contain at least 8 letters.

boiled potato

Sorry, password must contain at least one number.

1 boiled potato

Sorry, password cannot contain spaces

50fuckingboiledpotatoes

Sorry, password must contain capital letters.

50FUCKINGboiledpotatoes

Sorry, capital letters must not be consecutive.

IwillShove50FuckingBoiledPotatoesUpYourAss,IfYouDoNotGiveMeAccessImmediately

Sorry, password must not contain punctuation.

NowIamSeriouslyGettingPissedOffIwillShove50FuckingBoiledPotatoesUpYourAssIfYouDoNotGiveMeAccessImmediately

Sorry, you can't change your password to a password that has already been used with this account. Choose a new password:

הרחפת שלי מלאה בצלופחים

Posts: 30545 | Location: Central Florida, Orlando area | Registered: January 03, 2010
Three Generations
of Service
PHPaul
posted
When forced to deal with this bullshit, I try to come up with a thinly disguised insult to the entity requiring me to change my password like:

G00g1@suxDonk3yDix




Be careful when following the masses. Sometimes the M is silent.
 
Posts: 15181 | Location: Downeast Maine | Registered: March 10, 2010
Member
posted
Shit, it's not bad enough that my company's employee site makes you change your password every quarter, you can NEVER reuse a password. Ever.



Mongo only pawn in game of life...
 
Posts: 683 | Location: DFW | Registered: August 15, 2014
Protect Your Nuts
posted
quote:
Originally posted by ridgerat:

So, with all that security, why must I change my password?



In short, because a password entered by a human is now basically akin to buying a shitty lock for a door. It’s fine until someone decides to fiddle with it, and then it fails easily. I’ve been in IT for 25 years, mostly infrastructure/security for financial institutions. I do agree with everyone though; password policies and change rates are stupid, but there unfortunately is a reason for the stupidity. Unfortunately, instead of realizing that username/password combinations are crap, IT as a whole basically just continued to double-down. Well.... what if we put TWO shitty locks on the door? And then THREE, and so on. Until the username\password is replaced with something else the lunacy will continue.

Examples of why passwords entered by humans are crap:

Usernames are incredibly easy to determine- most of the time it’s your email address or first initial + last name (or variants of your name). Spend some time on Linkedin, get some email addresses, run a couple tests and you can pretty much figure out the username scheme for the entire company.

Passwords are harder to figure out, but early on programs were created to repeatedly try username and password combinations until they got a successful login, this is called a brute force dictionary attack. Simple solution- this is why after 3-6 attempts your account gets locked out. Pretty much stopped those attacks.

Except- Humans suck at remembering stuff, particularly stuff we don’t use often. So, lockouts galore by users who couldn’t remember their password.

So- Enter the Forgot Password feature. Usually you provide a couple pieces of personal info and/or your email address and you get a temp password. Yeah. No more calls to support.

Except- Attackers got really good at tricking people into disclosing their username and password. Through viruses, email phishing (click a link, think you’re logging into a real system except it’s a fake site just designed to steal your credentials), and general scams attackers have had decades of experience tricking people into disclosing their username and passwords.

So- if we know that humans are easily fooled into disclosing their credentials, we should make them periodically change their password, right? 30-45 days became the default.

Also- as part of those attacks, bad guys learned it was much easier to use those stolen credentials to break into companies and go after the databases which held usernames\passwords for various systems. Steal the right set of credentials and use that to steal millions of credentials. A lot of times those credentials were stored with weak encryption, and short passwords were much easier for attackers to decrypt. Also hey- look at all the personal data we got! We can use this for those nifty forgot password functions!

So- along comes the longer and more complex password. Kinda future proof the whole encryption thing was the thought.

Except- Humans suck at remembering stuff. So we use the same damn password across multiple systems, or slight variations. Now attackers don’t have to try and break into a bank to get username\passwords to your bank account, now they can just break into that shitty online merchant that you had to create a username\password for so you could buy your little collectible snow globe or whatever.

So- Attackers now buy and sell massive lists of compromised usernames\passwords. You can buy stuff exposed in old data breaches on the cheap. Now from your roach infested apartment in Eastern Europe you can lease a bot-net of infected PCs world wide to launch credential stuffing attacks on anyone. A credential stuffing attack basically attempts usernames and passwords over and over again. Usually only one or two password combos per username, and they slow the attacks enough to either fly under the radar or just be annoying enough to be seen but not worth fighting. Most of your attempts will fail, but who cares, a program is doing it and the only point is to validate if a login will work. Once it finishes running through the 10 million combos you tried you’ll have a list of which ones are good and which ones are bad. Now you can take that list of “good” combinations and sell that list for a pretty good profit.

So- Multi-factor authentication. Your super complex password filled with special characters and unicorn farts that you have to change every month keeps getting compromised, so now we’ll text or email you a code you have to enter in order to access the site.

And it continues to go on from there. TouchID/FaceID, etc? They just make it easy for the device to submit the username\password for you. Other than if you lose your device, they don’t do much for you outside of a convenience standpoint.

So, why do you have to change your password?

Because humans.

------------------------------------------------------------------------------------
"deserves" ain't got nothin to do with it.
------------------------------------------------------------------------------------

Posts: 2695 | Location: VA, mostly | Registered: June 14, 2006
The Unmanned Writer
LS1 GTO
posted
Had a girl at the last place I worked get frustrated with always changing the password.

One day she changed it to “AnotherFuckingPassword123!@#”

She was told to change it three days later. She changed it to “ErnieIsAFunkingMoron123!@#” (Ernie was our director and was a moron)

She got called into HR for computer password abuse.

Lots of people have been quitting Wink

Life moves pretty fast. If you don't stop and look around once in a while, you could miss it.

Only in an insane world are the sane considered insane.

The memories of a man in his old age
Are the deeds of a man in his prime

Posts: 14020 | Location: It was Lat: 33.xxxx Lon: 44.xxxx now it's CA :( | Registered: March 22, 2008
אַרְיֵה
V-Tail
posted
quote:
She got called into HR for computer password abuse.
How did HR know her password? The whole point is, passwords should be known only to the user.

I do know that in UNIX type systems, the password is not stored in a readable form. I don't know about Windows passwords.



הרחפת שלי מלאה בצלופחים
 
Posts: 30545 | Location: Central Florida, Orlando area | Registered: January 03, 2010
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by smschulz:
I wouldn't say it is degraded by simply changing it.

It's not the changing of the password that degrades security, but the forcing people to do it every XX days that does it. That encourages people to use bad password hygiene. (Easily-guessed passwords, passwords taped to the bottom of keyboards, etc.)

quote:
Originally posted by Whisp:
Passwords are harder to figure out, but early on programs were created to repeatedly try username and password combinations until they got a successful login, this is called a brute force dictionary attack.

Now from your roach infested apartment in Eastern Europe you can lease a bot-net of infected PCs world wide to launch credential stuffing attacks on anyone. A credential stuffing attack basically attempts usernames and passwords over and over again.

Except neither of those is particularly useful, for two reasons:

1. External brute-force attacks cannot be executed at a high enough rate to be successful for any but the most easily-guessed credentials. (E.g.: "admin" and "password" or "jsmith" and "joe1". [I actually had an end-user try to use that latter password, once. I kid you not.]) Reasonable password complexity policies can fix that.

2. So a user changes their password every thirty, sixty, or ninety days. What's to say they won't change it to something that'll be tried in the attacker's next pass?

I see the signs of these attacks in my server log summaries nearly every morning. In fact, from this morning's report:

Failed ftp logins
-----------------
    Jun 14 21:26:57 www (211.95.40.10[211.95.40.10])
    Jun 14 21:26:58 www (211.95.40.10[211.95.40.10])
    Jun 14 21:26:59 www (211.95.40.10[211.95.40.10])
    Jun 14 21:27:00 www (211.95.40.10[211.95.40.10])
    Jun 14 21:41:59 admin (211.95.40.10[211.95.40.10])
    Jun 14 21:42:00 admin (211.95.40.10[211.95.40.10])
    Jun 14 21:42:01 admin (211.95.40.10[211.95.40.10])
    Jun 14 21:42:02 Admin (211.95.40.10[211.95.40.10])
    Jun 14 22:12:21 web (211.95.40.10[211.95.40.10])
    Jun 14 22:12:22 web (211.95.40.10[211.95.40.10])
    Jun 14 22:12:23 web (211.95.40.10[211.95.40.10])
    Jun 14 22:12:24 web (211.95.40.10[211.95.40.10])

Dovecot Failed Auths
--------------------
       1   authentication failure mint@example.com 121.160.164.83
       1   authentication failure jane@example.com 91.178.92.151
       1   authentication failure jane_facebook@example.com 159.192.8.4
       1   authentication failure john_mm@example.com 189.56.166.5
       1   authentication failure foo@example.com 185.231.245.135
       1   authentication failure john@example.com 189.114.67.195
       1   authentication failure john_mm@example.com 201.140.110.78
       1   authentication failure jane7118@example.com 186.215.143.149
       1   authentication failure gort@example.com 200.150.69.11
       1   authentication failure foo@example.com 177.129.15.124
       1   authentication failure mint@example.com 220.66.155.2
       1   authentication failure gertudwad@example.com 210.245.12.98


(The FTP ones are from China. Ninety-nine times out of a hundred those are from China, here. The Dovecot ones are obviously from a 'bot net. Rate is way too low to be even remotely worrisome.)

I used to see them every morning for all our Internet-facing servers when I was in I.T., too.

During my career I had servers and routers exposed to the Internet for just about ever since the 'net became commercially-available in the late 80's. Before that they had dial-up modem access. For a time they had both. Never once had an account compromised by an external brute-force attack.

Wasn't for lack of them trying Wink

Reasonably good password policies, enforced; reasonably competent I.T. staff (which I've found to be disappointingly uncommon), and decent defensive measures will thwart 99-44/100% of common attacks.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
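The two report excerpts above show the two shapes Whisp and ensigmatic are describing: one address walking through usernames a second apart (the FTP block), and many addresses each trying one account once (the Dovecot block). The Python below is an added example, not ensigmatic's report tooling or anything from the thread; it parses lines in exactly those two formats and separates the single-source pattern, which a per-address counter sees, from the distributed low-rate pattern, which a per-account lockout of the 3-6 attempts Whisp mentions never reaches. The sample lines, the 5-attempt threshold and the addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the morning report quoted above.
# Addresses are RFC 5737 documentation ranges, not real sources.
FTP_REPORT = """\
Jun 14 21:26:57 www (203.0.113.7[203.0.113.7])
Jun 14 21:26:58 www (203.0.113.7[203.0.113.7])
Jun 14 21:26:59 www (203.0.113.7[203.0.113.7])
Jun 14 21:27:00 www (203.0.113.7[203.0.113.7])
Jun 14 21:41:59 admin (203.0.113.7[203.0.113.7])
Jun 14 21:42:00 admin (203.0.113.7[203.0.113.7])
Jun 14 21:42:01 Admin (203.0.113.7[203.0.113.7])
Jun 14 22:12:21 web (203.0.113.7[203.0.113.7])
"""
DOVECOT_REPORT = """\
       1   authentication failure mint@example.com 192.0.2.10
       1   authentication failure jane@example.com 192.0.2.45
       1   authentication failure john@example.com 198.51.100.3
       1   authentication failure mint@example.com 198.51.100.77
       1   authentication failure jane@example.com 203.0.113.200
       1   authentication failure john@example.com 192.0.2.99
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FTP_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) \(" + IPV4 + r"\[")
DOVECOT_RE = re.compile(r"^\s*(\d+)\s+authentication failure (\S+) " + IPV4 + r"\s*$")


def parse_ftp(text):
    """Yield (user, ip, attempts) from 'Failed ftp logins' lines; one line is one attempt."""
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if m:
            yield m.group(1), m.group(2), 1


def parse_dovecot(text):
    """Yield (user, ip, attempts) from 'Dovecot Failed Auths' lines, which carry a count."""
    for line in text.splitlines():
        m = DOVECOT_RE.match(line)
        if m:
            yield m.group(2), m.group(3), int(m.group(1))


def classify(events, lockout_threshold=5):
    """Separate one-source guessing from many-source, one-try-each guessing.
    lockout_threshold is a constructed stand-in for the 3-6 failed attempts after which
    an account is locked; it is applied per account, as such counters are."""
    per_ip = defaultdict(int)
    per_user = defaultdict(int)
    ips_per_user = defaultdict(set)
    for user, ip, n in events:
        user = user.lower()                 # 'admin' and 'Admin' are the same target
        per_ip[ip] += n
        per_user[user] += n
        ips_per_user[user].add(ip)
    # One address making many attempts: visible from a per-source counter alone.
    single_source = {ip: n for ip, n in per_ip.items() if n >= lockout_threshold}
    # One account tried from several addresses, each staying under the lockout:
    # invisible to a per-account counter, visible only when accounts are correlated.
    distributed = {
        u: len(ips) for u, ips in ips_per_user.items()
        if len(ips) >= 2 and max(per_ip[ip] for ip in ips) < lockout_threshold
    }
    locked = {u for u, n in per_user.items() if n >= lockout_threshold}
    return {
        "single_source": single_source,
        "distributed_low_rate": distributed,
        "accounts_locked_out": locked,
    }
```

On the constructed sample no account ever reaches the lockout, which is the point: the lockout that stopped the old dictionary attacks is the wrong counter for the distributed form, and a per-address or cross-account view is what surfaces it.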
© SIGforum 2024