(Lack Of) I.T. Security In The Workplace.

I have seven different passwords with 3-month change policies.

I can remember them all.

I bet you're one of those people who doesn't know their own phone number...

I have literally dozens of passwords in work, with a 72 day forced password changeover policy. I can remember all of mine.

What particularly annoys me about security is when someone gets "hacked" or compromised. It's instantly someone else's fault.
 
Our place has terrible security, everything is stored on one server and on the Macs we can literally access everything, from the disciplinary records to the pay reviews to the profit and loss forecasts to the repayment schedules for new plant.

We have an IT Manager, and I just checked and he's on £45,000 p.a.
I think it's funny how everyone is posting about their security failings, it's like coming online and posting that you've left your front door unlocked :confused:
 
Indeed on the GPO, our users have to have a minimum of 6 characters, including at least 1 number, one capital and one special.

I always suggest phrases or words written like the following:

0v3rClocker$

And force changes every 90 days, and cannot be the same again for 24 cycles!

Yup, that's ours. I am getting lost as to what to use next lol
 
And force changes every 90 days, and cannot be the same again for 24 cycles!

Yup, that's ours. I am getting lost as to what to use next lol

That's in line with NIST, CIS and Microsoft guidelines I do believe, in fact I think NIST suggest a 30 day cycle with 90 as the maximum age.
 
I think it's funny how everyone is posting about their security failings, it's like coming online and posting that you've left your front door unlocked :confused:

To be fair I couldn't care less about the company - I'm actively looking for another job anyway as their attitude to staff is horrendous.
 
As far as my opinion of workplace security goes, Smart Cards are possibly the most reliable, providing users can be trusted not to lose them / let them fall into the wrong hands.

Username = Password is classic, there's always the obvious ones too, and password=password should be ---> Fired!
 
Be too strict with the password criteria and people will use passwords that are incremental or more memorable.

I do it out of spite - 30 day change over with a <14 day reminder every login/unlock gets on my ****... especially when other internal systems don't use AD when they could.
 
My wages at work were changed to online statements, and after several issues with my login I requested a password reset.
A few days later my manager calls me over with an email of everyone in my team's passwords. First thing he says is "Jesus, that's not your password is it, how do you remember that thing", a mixture of numbers and letters, both upper and lower case.

I felt weird him seeing my password but I had a laugh at the email. At first glance I saw 3 passwords in a row called "password", and the rest weren't much better either.

Ignorance is ignorance, these are the people who make online fraud worthwhile.
 
OP says:
I look after everyone's general I.T. needs in my company. The company probably has a better security policy for its computers than many others

But if you have your servers set up correctly you can force your users to have strong passwords etc. (complex: upper, lower, numbers and symbols) via group policy, as well as WSUS for Windows updates, forced installs... etc...

Seems to me if you're moaning about it then you need to do something about it.
You don't have a clue what you are doing, do you?
 
I'd rather a user have a complex password written down than a simple one they can remember. Once someone has physical access to said computers all bets are off on your precious password policy.
 
My company has a password age of about six times, which means people just change it six times and then back to what it was originally.

i.e.

password1;
password12;#
password123;#!
password1234;#!"
password12345;#!"£
password123456;#!"£$
password
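
Added example, not written by any poster in this thread: a small Python model of the history cycling described in the post above, and of how a minimum password age (a policy setting the thread does not mention) stops it. The class and function names, the sample passwords and the timestamps are constructed for illustration.

```python
import hashlib, hmac, os
from collections import deque
from datetime import datetime, timedelta

class PasswordHistory:
    """Toy model of a history + minimum-age policy (constructed; not AD's code)."""

    def __init__(self, first, now, history=6, min_age=timedelta(0)):
        self.min_age = min_age
        self.entries = deque(maxlen=history)  # (salt, digest) pairs, newest last
        self.entries.append(self._hash(first))
        self.last_change = now

    @staticmethod
    def _hash(password, salt=None):
        salt = salt or os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def change(self, new, now):
        """Return (accepted, reason) for a change attempt at time `now`."""
        # Checked first: a change made too soon after the last one is refused.
        if now - self.last_change < self.min_age:
            return False, "minimum age not reached"
        # Re-hash the candidate under each stored salt and compare.
        for salt, digest in self.entries:
            if hmac.compare_digest(self._hash(new, salt)[1], digest):
                return False, "password in history"
        self.entries.append(self._hash(new))  # oldest entry falls off the deque
        self.last_change = now
        return True, "ok"

def cycle_back(min_age, history=6):
    """Replay the thread's trick: `history` throwaway changes, then the original."""
    now = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    acct = PasswordHistory("Original#1", now, history, min_age)
    for i in range(history):
        now += timedelta(minutes=1)  # all changes made in one sitting
        ok, reason = acct.change(f"Throwaway#{i}", now)
        if not ok:
            return False, reason
    return acct.change("Original#1", now + timedelta(minutes=1))

if __name__ == "__main__":
    print("no minimum age :", cycle_back(timedelta(0)))
    print("1-day minimum  :", cycle_back(timedelta(days=1)))
```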
 