How strict are your company on passwords?




I'm not happy about this. Our company are changing the password requirements and I have to be on site while they do it. I'm waving my balls goodbye as they are going to be chewed off.

Here are the rules and suggestions for choosing a password. (Tony Le Mesmer - take note!)

The highlights of the new password policy include:
• Your Windows logon password will expire every 60 days.
• Passwords must contain eight characters or more.
• Passwords must contain 3 of the 4 security attributes. These attributes include:-
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Numeric characters (0 through 9)
o Non-alphabetic characters (for example, !, &, #, %)
• Do not use significant portions of your name or logon name.
• A record of the previous 6 passwords will restrict using the same password again.
Some helpful hints and examples
The following hints and examples may provide some guidance towards creating that complex password that is easy for you to remember. All the following use lower case which counts as one of the 4 rules of complexity.

Example 1 – The avid chess player.

Word: Checkmate

Made into a complex password, with hints:
• cHeckmate1: Move the capital letter around – it does not always have to be the first letter
• czechMate1
• cheQuemate1: Substitute words which sound similar
• ch3Quemate: Substitute numbers or symbols for letters, e.g. @ = A, 1 = L, 3 = E, 5 = S, 6 = G, 8 = B, 0 = O
• cHequeM8: Use TXT language if it is familiar to you
• cZech%mate: Use symbols to break up the word





Does anyone else's company demand this kind of password?
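
The policy quoted in the post above, written out as a checker (an added example, not part of the original post and not the company's or Windows' own code). The 3-character threshold for "significant portions" of a name, the salted PBKDF2 history store and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8          # "eight characters or more"
REQUIRED_CLASSES = 3    # "3 of the 4 security attributes"
HISTORY_DEPTH = 6       # "previous 6 passwords"
NAME_FRAGMENT = 3       # assumption: 3+ shared characters is "significant"


def _digest(password, salt):
    # History entries are kept as salted PBKDF2 digests, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password):
    """Build one history entry (salt, digest) for a password."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def character_classes(password):
    """Count how many of the four attribute classes the password uses."""
    return sum([
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(not c.isalnum() for c in password),
    ])


def violations(password, names, history):
    """Return the list of policy rules the candidate password breaks."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("length")
    if character_classes(password) < REQUIRED_CLASSES:
        found.append("classes")
    lowered = password.lower()
    for name in names:
        n = name.lower()
        if any(n[i:i + NAME_FRAGMENT] in lowered
               for i in range(len(n) - NAME_FRAGMENT + 1)):
            found.append("name")
            break
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, salt), digest):
            found.append("history")
            break
    return found
```

Every variant in the hints list passes this check, while the unmodified word "Checkmate" and an all-lowercase multi-word passphrase are both rejected for having only two character classes.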
 






beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
36,031
Mine certainly doesn't, no password policy and workers frequently give their password to team members. Now while that is the sublime, yours is the ridiculous and will simply lead to people writing the password down.
 


Bluejuice

Lazy as a rug on Valium
Sep 2, 2004
8,270
The free state of Kemp Town
That's f***ing ludicrous.

I get wound up enough that I have to change my password every 30 days and it can't be the same as any of the previous 10. It just means that I invariably end up having to have IT reset once every few months as I don't remember it.

There's f*** all anybody could do even if they did know my log on password, except perhaps print off malicious word documents with a company letterhead. But does this really pose a security threat?

It just sounds like more hassle than it's worth to me TGC. IT are going to be inundated with calls about forgotten passwords, or otherwise people are just going to post-it their passwords to their computers rendering them essentially pointless anyway.
 


Bluejuice said:
That's f***ing ludicrous.

I get wound up enough that I have to change my password every 30 days and it can't be the same as any of the previous 10. It just means that I invariably end up having to have IT reset once every few months as I don't remember it.

There's f*** all anybody could do even if they did know my log on password, except perhaps print off malicious word documents with a company letterhead. But does this really pose a security threat?

It just sounds like more hassle than it's worth to me TGC. IT are going to be inundated with calls about forgotten passwords, or otherwise people are just going to post-it their passwords to their computers rendering them essentially pointless anyway.

You are preaching to the choir! This decision was made by ICT Governance - I would imagine the name would give away their role! They should be the ones on site when people have to change to this system - not us poor plebs. They also told people they could only use the Internet for 20 minutes a day before having their activity monitored. Now most of these people are auditing local councils and need access to their websites a lot of the time. But the grief I got over that will pale into significance when this little baby gets brought in.
 




JJ McClure

Go Jags
Jul 7, 2003
11,112
Hassocks
Ours have to be a minimum of 6 characters but other than that they can be whatever you want.
 


Marshy

Well-known member
Jul 6, 2003
19,956
FRUIT OF THE BLOOM
It's called security!

Mine change every 30 days and I have probably 6 different log ons and passwords for different computer systems we access...
:(
 






Jul 20, 2003
20,705
A few years ago I was working for a small company and a few of us were concerned about what was going on. We decided to try and access the director's PC.

Second attempt at the password and we were in, it was the name of his dog.
 


My company's default password is, ermmmm password.

And we can't change it because the securities they have set up on the accounts don't allow us to as we don't have admin rights.

You have to call help desk and ask them to change it for you.
 






Wardy

NSC's Benefits Guru
Oct 9, 2003
11,219
In front of the PC
We have a number of systems all of which have their own requirement. The basic NT password needs to be 6-12 characters long and needs to be changed every 30 days.

Other systems have blocked words and are changed every 28 days. Not as bad as yours though.
 








Da Man Clay

T'Blades
Dec 16, 2004
16,286
I work for the old bill and our password restrictions aren't like that! It's just got to have a number in it somewhere!
 




binky

Active member
Aug 9, 2005
632
Hove
I have 9 passwords for different parts of the windows/network/systems/email/web etc that I use as part of my work.
All of them have to change every calendar month.
All of them follow the security rules you laid out in the initial post.

On "password day", I spend around an hour logging on to all the systems, changing and verifying the password.

Do I write all the passwords down? Of course not :lolol:
 


Grendel

New member
Jul 28, 2005
3,251
Seaford
The Great Cornholio said:


The highlights of the new password policy include:
• Your Windows logon password will expire every 60 days.
• Passwords must contain eight characters or more.
• Passwords must contain 3 of the 4 security attributes. These attributes include:-
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Numeric characters (0 through 9)
o Non-alphabetic characters (for example, !, &, #, %)
• Do not use significant portions of your name or logon name.
• A record of the previous 6 passwords will restrict using the same password again.

All of the above for Windows logon & database logon. Also have to change the phone password every 60 days.
 




Blackadder

Brighton Bhuna Boy
Jul 6, 2003
16,122
Haywards Heath
I could tell you our password policy but then I'd have to kill you!
 


Highfields Seagull

Well-known member
Jul 7, 2003
1,448
Bullock Smithy
The Great Cornholio said:
You are preaching to the choir! This decision was made by ICT Governance - I would imagine the name would give away their role! They should be the ones on site when people have to change to this system - not us poor plebs. They also told people they could only use the Internet for 20 minutes a day before having their activity monitored. Now most of these people are auditing local councils and need access to their websites a lot of the time. But the grief I got over that will pale into significance when this little baby gets brought in.

I think I work for the same people as you TGC.
 

