9th-Apr-2008 12:54 pm
pissed off
My university's password regulations:

  • Must be something easy to remember, so you don't need to write it down. - Actually, that's just common sense.
  • Must be changed every five months.
  • Must contain caps, lower case, characters and numbers. This is just common sense.
  • Must not be any password you have used in the past decade of being at this university. They keep all the records, apparently. 'Cause that's safe. Must also not be in any way like your old password. So you can't use a system like increasing a certain digit.
  • Must not contain anything that looks remotely like a word in the English language
  • Must not, in fact, be anything you stand a chance of remembering without writing it down.

Bastards. I go through this every fucking five months.

9th-Apr-2008 12:04 pm (UTC)
I tend to do l337 renditions of acronymed movie quotes.

Dumb Example:

"I aim to misbehave." Gets shortened to "IATM". Gets tweaked to "Ia2m".

You get the idea. I just lose this morning.
9th-Apr-2008 12:13 pm (UTC)
Yeah but but but, how do I remember which quote I'm using? It's not like I use that password for anything else.
9th-Apr-2008 12:37 pm (UTC)
Writing down the quote does not equal writing down the password? *shrug*
9th-Apr-2008 12:07 pm (UTC)
I do the increasing a digit method and have for a while, though I occasionally switch up the 'word'.

My old one was a play on my friend's (at the time) new baby's name.

Madison became M@d1s0n

And then I tacked a number on the end and changed that each time I had to change my password.
9th-Apr-2008 12:14 pm (UTC)
Can't do that, because the new one can't be too similar to the old one. So logical progressions are out.
9th-Apr-2008 05:49 pm (UTC)
How similar is too similar?

For my work/university password, I have a base word (with numbers inserted -- I tend to stick in numbers as they fit easily into the typing motion, rather than replacing letters with numbers). Then my progression is to add other words onto the end, so I only have to remember what word I'm on.

Like... if my base word were "tree," I'd make it T54ree, and then I'd add on T54reefort, T54reehouse, T54reeapple, etc. Usually that kind of thing gets through the CANNOT RESEMBLE A DICTIONARY WORD OMG detectors too.

You could also write down a cryptic clue to your password? It's not as if anyone else could guess your password from something like "Q standard 2" or "Xander" or some such.
9th-Apr-2008 12:09 pm (UTC)
That would be me fucked then. I have to write most of my passwords down or I forget them.

I'm sure that with a supreme effort of will I could memorise a garbled sequence of random numbers and letters, but every five months? Fucked.
9th-Apr-2008 12:17 pm (UTC)

I have a very secure password for all my usual web stuff. I have a different secure password for important stuff. I even have a system for new passwords should my usual ones not do.

But my college one is now impossible to remember.
9th-Apr-2008 01:25 pm (UTC)
You'll just have to cheat and write it down. That's certainly what I'd do!

If the evil forces that run your University find out somehow (which is unlikely unless you're very careless) then just shrug, spit, and tell them to go piss up a rope.
9th-Apr-2008 01:27 pm (UTC)
Yeah, I just have to remember where I wrote it, is all.
9th-Apr-2008 12:10 pm (UTC)
You could point them at Bruce Schneier's advice on secure passwords. Or just follow it anyway.
9th-Apr-2008 12:30 pm (UTC)
Eh, just write it down somewhere that you know no one with any inclination to hack your account will ever see it. Put it in a private post in an RP journal or something -- that's what I'd do if I wanted to keep it safe and unconnected from anything of RL importance. Or if your phone is like mine, you can text message it to yourself - only I can get my text messages via a (much simpler) password, so no one else could get to it that way either.
9th-Apr-2008 12:39 pm (UTC)
Those rules are... how shall I put this... stupid? (And this is someone who has to deal with similar silly-ass password issues every few months at work.)

Really, you have to weigh the security measures being taken against the actual chance someone is going to hack your system. Now, yes, it's awfully fun for disgruntled graduate students to go and do silly things like code a brute-force password guesser (also tends to get you a disciplinary notice), but let's face it... as long as far more impressive things exist to try and hack, like the White House web page, the Metro-rail online schedule, or hey, porn sites, you really shouldn't be putting too much of an effort into strictly following these rules.

In other words, as long as you don't tell them you wrote down your password, you should be fine.

9th-Apr-2008 12:50 pm (UTC)
This is exactly the reason I forwarded all my email and let my main account lapse (and the rocksoc account). Fortunately, though, I can just use my computing department account, since the computing department doesn't have the same requirements for passwords... although, of course, they'd not know anything about computers and security...
(Deleted comment)
9th-Apr-2008 03:45 pm (UTC)
Honestly, if someone malicious were at my desk, sticky notes containing passwords would be the last thing I'd worry about.
9th-Apr-2008 03:51 pm (UTC)
Secure passwords: cool.
Forced password changes: not cool.

1. Password 2 is not going to be any more secure than Password 1. If someone discovers Password 1, either e will do what e wanted and get out, change my password so I can't get in anyway, or have an average of two and a half months to fuck around before my password is forcibly changed. Given these, forced changes are a bit ridiculous, and anyway if your password is good nobody should be able to get it ever.
2. You are, hurr, more likely to use simple passwords and/or write passwords down if you have to change them frequently.

I worked in retail for a little while, and the inventory system required passwords exactly eight characters long with at least one letter and one digit -- and no symbols. And it had to be changed every three months.
Already those are really stupid restrictions (I cannot FATHOM why anyone blocks symbols in passwords, but I still see big sites do it occasionally), but as luck would have it, everyone's username consisted of eir first/last initials followed by a random string of five digits, for a total of seven characters. I actually had a crafty manager suggest to me that I make my password my username followed by a 1, then just increment the last digit whenever I had to change it.
9th-Apr-2008 04:15 pm (UTC)
Yeap, we have the same rules for each of the eleven different systems I use at work, with the additional provisos that your password for any given system cannot be the same as the current or former password for any other system, the passwords all have to be at least 8 digits long, and they have to be changed every TWO months, minimum.

Bear in mind that some of these systems I only have to use once or twice a month, so it's not like it's something I can remember through repetition either.

I have them all written down on a piece of paper in my wallet. Technically I could get fired for it, but there's pretty much no other way.
9th-Apr-2008 07:24 pm (UTC)
Must be changed every five months.
Must not contain anything that looks remotely like a word in the English language

Wow, whut.
9th-Apr-2008 11:15 pm (UTC)
All of those rules, and the other rules that other people have to follow, are refriggindiculous.

"You can't write it down" my ass.
10th-Apr-2008 12:40 am (UTC)
Oh please. As if that list wasn't stupid enough, there's point #4 there undermining all the others. The IT guys are keeping a database of former passwords?

Gee, wonder how easy that is to hack?

I bet it would only take 30 seconds worth of social engineering by phone to get one of the techs there to read off that password he has taped to his monitor.

Edited at 2008-04-10 00:41 (UTC)
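
Added example (not from the post or from any of the commenters): two of the thread's complaints are actually answerable in code. A "no password you have used before" rule does not need a database of old passwords, only their salted hashes; the candidate is rehashed under each stored salt and compared. A "not too similar to your old one" rule can be checked at change time, when the user has just typed both the current and the new password, so nothing beyond the hashes has to be stored. The sample passwords are the schemes described in the thread (M@d1s0n1 with a bumped digit, T54ree with a word appended); the edit-distance threshold, the PBKDF2 parameters and all function names are my assumptions.

```python
"""Password-change checks that never store a plaintext password.

Constructed example for the thread above; the thresholds and KDF
parameters are assumptions, not any institution's real policy.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: any deliberately slow KDF works here

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest); no plaintext kept


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate: str, history: List[HistoryEntry]) -> bool:
    """Reuse check: rehash the candidate under every stored salt.

    This is all a "never reuse a password" rule requires, so keeping the
    old plaintexts (the worry raised in the thread) is unnecessary.
    """
    for salt, digest in history:
        _, cand = hash_password(candidate, salt)
        if hmac.compare_digest(cand, digest):
            return True
    return False


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), textbook DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """Similarity check run at change time, with both plaintexts in hand.

    Catches the digit-bump scheme (distance 1), the appended-word scheme
    (old password is a substring of the new one) and case-only changes.
    min_distance is an assumed threshold.
    """
    o, n = old.lower(), new.lower()
    if o in n or n in o:
        return True
    return levenshtein(o, n) < min_distance


def change_password(history: List[HistoryEntry], current: str, new: str,
                    min_distance: int = 4) -> str:
    """Apply both rules; on success append the new hash and return 'ok'."""
    if in_history(new, history):
        return "rejected: previously used"
    if too_similar(current, new, min_distance):
        return "rejected: too similar to current password"
    history.append(hash_password(new))
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the account currently uses T54ree.
    history = [hash_password("T54ree")]
    for attempt in ["T54reefort", "T54ree", "M@d1s0n1"]:
        print(f"T54ree -> {attempt}: {change_password(history, 'T54ree', attempt)}")
    # Now the current password is M@d1s0n1; try the bumped digit.
    print(f"M@d1s0n1 -> M@d1s0n2: {change_password(history, 'M@d1s0n1', 'M@d1s0n2')}")
```

Running it, "T54ree -> T54reefort" and "M@d1s0n1 -> M@d1s0n2" are both rejected as too similar, "T54ree -> T54ree" is rejected as previously used, and "T54ree -> M@d1s0n1" is accepted. One caveat worth knowing when arguing with a help desk: with hashes only, the similarity check can compare the new password against the current one (which the user just typed) and nothing older; a "not like any password you used in the last decade" rule can only be enforced literally by keeping plaintext, which is exactly the exposure the last comment objects to.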
