The Glade 4.0

There are two equally understandable and logical philosophies in dealing with executives in a big company:

(1) Executives deal with the most confidential and sensitive information in the company, and should therefore be subject to the most restrictive of IT security policies in order to protect that information.

(2) Choose your battles very carefully. Executives can get you fired and replace you with sycophants if you don't do as they demand, so unless it's truly impossible, give the executive what they ask for.

Now, whether or not one agrees with both of these principles, they're both understandable. What is not understandable, however, is attempting to do both at once. It DOES NOT WORK. You don't put your executives, for instance, on the most restrictive possible mobile security policy, so that they can do nothing with their phones, and then accommodate every single request for things that that security policy blocks, to the frustration of all the IT staff. Either put them on the most restrictive policy and enforce it, or put them on a less restrictive policy knowing you are not going to enforce it. Don't poke holes in the most restrictive policies to accommodate them!

_________________
Well Ali Baba had them forty thieves, Scheherezade had a thousand tales
But master you in luck 'cause up your sleeves you got a brand of magic never fails...
...Mister Aladdin, sir, What will your pleasure be?
Let me take your order, Jot it down -You ain't never had a friend like me
█ ♣ █

Yes but lots of places do it because all it takes is one nervous nellie manager who has a team that can make those one-off changes and boom they are done.

Ideally a company of sufficient size should have an executive team that handles all executive policies and devices.

_________________
"...but there exists also in the human heart a depraved taste for equality, which impels the weak to attempt to lower the powerful to their own level and reduces men to prefer equality in slavery to inequality with freedom." - De Tocqueville

IT just shut off the ability for me to email my parents for security reasons. I can receive emails but not send.

They are looking into it. 3 days and counting.

I'm sure your parents are planning to bring down the company.

_________________
"...the line dividing good and evil cuts through the heart of every human being. And who is willing to destroy a piece of his own heart?" -Aleksandr Solzhenitsyn

I once had an executive at a company who while being the nicest guy you could ever want to meet, would only use the password of "beige" or a simple variant.

I don't understand why passwords need to be overly complex. Is this basically ITs nice way of saying, "Don't use "password" as your password, you idiots."? I mean, doesn't it lock the account after 3-5 failed login attempts anyways? How could someone possibly brute force it?

Not everyone uses a lockout system it's optional in AD

But yes it is a an easy way of telling users not to be stupid by not letting them.i knew an hr director who was still using the universal 4 letter default password for his email for years

_________________
I prefer to think of them as "Fighting evil in another dimension"

Tricky line in IT security.
Force complex enough passwords and/or change them frequently enough and people will simply write their passwords down someplace or iterate them Cabbagebunnyfoot1, Cabbagebunnyfoot2, Cabbagebunnyfoot3...

_________________
"...but there exists also in the human heart a depraved taste for equality, which impels the weak to attempt to lower the powerful to their own level and reduces men to prefer equality in slavery to inequality with freedom." - De Tocqueville

Most password policies are dumb, but not for the reasons you might think. For one thing, password length matters far more than password complexity.

What Elmo said is also quite true. Scheduled rotation policies are appropriate in some high security environments where the user base understands actual password complexity and are dedicated to maintaining it, but in most environments they just weaken security. In most corporate environments, the only reason to change passwords is because a breach has occurred.

And to be completely blunt, most policies are wishful thinking. A randomly generated, 16-character password with uppercase, lowercase, and numbers has 95 bits of entropy. But when users are asked to create a password meeting those character and length requirements, they choose passwords that have far less entropy. You can't save users from themselves. If there's any sort of "logic" (read: "pattern") behind how you create your passwords, complexity requirements are moot. You're an easy mark because crackers are smart enough to think like you do.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.

Thank you Stathol. I wanted to bring that into the conversation, but I didn't have time to hunt it down. Unfortunatly most services limited you to 16 characters. Ergo you cant use the xcxd method and in order to remember ylu password you have to rely on a classic solution based on logic

_________________
I prefer to think of them as "Fighting evil in another dimension"

I run into that less often these days, but yeah, it still happens. The best and easiest solution to all of these issues (IMHO) is to use a well-secured password vault type application. I've been using Keepass. I store the database in a dropbox folder so that I can synchronize it between all of my devices (including my cellphone). All of my passwords are randomly generated with as much entropy as the site will allow, or 128 bits, whichever is greater. I C&P them into login forms whenever I need them. I haven't memorized a password in years. In fact, I don't even know what any of my passwords are. The only password I've memorized is the master password for the keepass database. It's lengthy and random (why bother with 128-bit AES if your password has less than 128 bits of entropy?), but you only have to memorize it once.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.