The Glade 4.0

"Turn the lights down, the party just got wilder."
All times are UTC - 6 hours [ DST ]

PostPosted: Tue Aug 26, 2014 9:49 am
Oberon's Playground
Joined: Thu Sep 03, 2009 9:11 am
Posts: 9449
Location: Your Dreams
There are two equally understandable and logical philosophies in dealing with executives in a big company:

(1) Executives deal with the most confidential and sensitive information in the company, and should therefore be subject to the most restrictive of IT security policies in order to protect that information.

(2) Choose your battles very carefully. Executives can get you fired and replace you with sycophants if you don't do as they demand, so unless it's truly impossible, give the executive what they ask for.

Now, whether or not one agrees with both of these principles, they're both understandable. What is not understandable, however, is attempting to do both at once. It DOES NOT WORK. You don't put your executives, for instance, on the most restrictive possible mobile security policy, so that they can do nothing with their phones, and then accommodate every single request for things that that security policy blocks, to the frustration of all the IT staff. Either put them on the most restrictive policy and enforce it, or put them on a less restrictive policy knowing you are not going to enforce it. Don't poke holes in the most restrictive policies to accommodate them!

_________________
Well Ali Baba had them forty thieves, Scheherezade had a thousand tales
But master you in luck 'cause up your sleeves you got a brand of magic never fails...
...Mister Aladdin, sir, What will your pleasure be?
Let me take your order, Jot it down -You ain't never had a friend like me

█ ♣ █

PostPosted: Wed Aug 27, 2014 2:36 pm
adorabalicious
Joined: Thu Sep 03, 2009 10:54 am
Posts: 5094
Yes, but lots of places do it, because all it takes is one nervous-nellie manager who has a team that can make those one-off changes, and boom, they are done.

Ideally a company of sufficient size should have an executive team that handles all executive policies and devices.

_________________
"...but there exists also in the human heart a depraved taste for equality, which impels the weak to attempt to lower the powerful to their own level and reduces men to prefer equality in slavery to inequality with freedom." - De Tocqueville
PostPosted: Thu Aug 28, 2014 9:38 am
Joined: Fri Sep 25, 2009 8:22 pm
Posts: 5716
IT just shut off the ability for me to email my parents for security reasons. I can receive emails but not send.

They are looking into it. 3 days and counting.
PostPosted: Thu Aug 28, 2014 4:17 pm
Peanut Gallery
Joined: Thu Nov 26, 2009 9:40 pm
Posts: 2289
Location: Bat Country
I'm sure your parents are planning to bring down the company.

_________________
"...the line dividing good and evil cuts through the heart of every human being. And who is willing to destroy a piece of his own heart?" -Aleksandr Solzhenitsyn
PostPosted: Sat Aug 30, 2014 8:43 am
Joined: Tue Sep 08, 2009 9:36 am
Posts: 4320
I once had an executive at a company who, while being the nicest guy you could ever want to meet, would only use the password "beige" or a simple variant.
PostPosted: Wed Sep 03, 2014 3:22 pm
Joined: Sat Oct 24, 2009 5:44 pm
Posts: 2315
I don't understand why passwords need to be overly complex. Is this basically IT's nice way of saying, "Don't use 'password' as your password, you idiots"? I mean, doesn't it lock the account after 3-5 failed login attempts anyway? How could someone possibly brute-force it?
PostPosted: Wed Sep 03, 2014 5:15 pm
pbp Hack
Joined: Wed Sep 02, 2009 8:45 pm
Posts: 7585
Not everyone uses a lockout system; it's optional in AD.

But yes, it is an easy way of telling users not to be stupid by not letting them. I knew an HR director who was still using the universal 4-letter default password for his email for years.

_________________
I prefer to think of them as "Fighting evil in another dimension"
PostPosted: Wed Sep 10, 2014 8:23 am
adorabalicious
Joined: Thu Sep 03, 2009 10:54 am
Posts: 5094
Tricky line in IT security.
Force complex enough passwords and/or change them frequently enough, and people will simply write their passwords down someplace or iterate them: Cabbagebunnyfoot1, Cabbagebunnyfoot2, Cabbagebunnyfoot3...
PostPosted: Sun Sep 14, 2014 7:41 pm
Lean, Mean, Googling Machine
Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Most password policies are dumb, but not for the reasons you might think. For one thing, password length matters far more than password complexity.
What Elmo said is also quite true. Scheduled rotation policies are appropriate in some high security environments where the user base understands actual password complexity and are dedicated to maintaining it, but in most environments they just weaken security. In most corporate environments, the only reason to change passwords is because a breach has occurred.

And to be completely blunt, most policies are wishful thinking. A randomly generated, 16-character password with uppercase, lowercase, and numbers has 95 bits of entropy. But when users are asked to create a password meeting those character and length requirements, they choose passwords that have far less entropy. You can't save users from themselves. If there's any sort of "logic" (read: "pattern") behind how you create your passwords, complexity requirements are moot. You're an easy mark because crackers are smart enough to think like you do.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.
PostPosted: Sun Sep 14, 2014 8:09 pm
pbp Hack
Joined: Wed Sep 02, 2009 8:45 pm
Posts: 7585
Thank you, Stathol. I wanted to bring that into the conversation, but I didn't have time to hunt it down. Unfortunately, most services limit you to 16 characters. Ergo you can't use the xkcd method, and in order to remember your password you have to rely on a classic solution based on logic.
PostPosted: Mon Sep 15, 2014 10:11 am
Lean, Mean, Googling Machine
Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
I run into that less often these days, but yeah, it still happens. The best and easiest solution to all of these issues (IMHO) is to use a well-secured password vault type application. I've been using KeePass. I store the database in a Dropbox folder so that I can synchronize it between all of my devices (including my cellphone). All of my passwords are randomly generated with as much entropy as the site will allow, or 128 bits, whichever is greater. I C&P them into login forms whenever I need them. I haven't memorized a password in years. In fact, I don't even know what any of my passwords are. The only password I've memorized is the master password for the KeePass database. It's lengthy and random (why bother with 128-bit AES if your password has less than 128 bits of entropy?), but you only have to memorize it once.
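The entropy arithmetic behind the thread's two technical points (the 95-bit figure for a random 16-character alphanumeric password, and the vault habit of generating passwords at 128 bits or whatever length a site allows), plus the lockout question raised earlier, worked through as an added example. This is not code from any poster or from KeePass; the guessing rates in it are constructed assumptions for illustration, and the character sets and password shapes are the ones the thread mentions.

```python
import math
import secrets
import string
from typing import Optional, Tuple

# Character classes as the thread discusses them (sizes 10, 26, 62 and 95).
CHARSETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "alnum-mixed-case": string.ascii_letters + string.digits,
    "printable-ascii": string.ascii_letters + string.digits + string.punctuation + " ",
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random: log2(charset_size ** length).
    This is the figure the post quotes (62 symbols, 16 characters -> about 95 bits).
    A human-chosen password that merely passes a complexity rule has far less."""
    return length * math.log2(charset_size)


def min_length_for_bits(charset_size: int, target_bits: float) -> int:
    """Smallest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def expected_seconds_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace, on average."""
    return (2 ** (bits - 1)) / guesses_per_second


# Constructed assumptions, not measurements: an online login protected by a
# lockout of 5 failures per 30 minutes, versus offline guessing against a leaked
# fast hash, where account lockout never comes into play.
ONLINE_LOCKED_OUT_RATE = 5 / (30 * 60)   # about 0.0028 guesses per second
OFFLINE_FAST_HASH_RATE = 1e10            # hypothetical GPU cracking rig figure
SECONDS_PER_YEAR = 31_557_600


def scenario_table() -> list:
    """Compare the password shapes mentioned in the thread under both rates."""
    shapes = [
        ("5 lowercase ('beige')", "lowercase", 5),
        ("8 lowercase", "lowercase", 8),
        ("12 printable ASCII", "printable-ascii", 12),
        ("16 alnum mixed case", "alnum-mixed-case", 16),
        ("20 lowercase (passphrase-style)", "lowercase", 20),
    ]
    rows = []
    for label, charset, length in shapes:
        bits = entropy_bits(len(CHARSETS[charset]), length)
        rows.append({
            "shape": label,
            "bits": round(bits, 1),
            "online_years": expected_seconds_to_guess(bits, ONLINE_LOCKED_OUT_RATE) / SECONDS_PER_YEAR,
            "offline_seconds": expected_seconds_to_guess(bits, OFFLINE_FAST_HASH_RATE),
        })
    return rows


def generate_password(target_bits: float = 128, max_length: Optional[int] = None,
                      alphabet: str = CHARSETS["alnum-mixed-case"]) -> Tuple[str, float]:
    """Vault-style generation: a uniformly random password long enough for target_bits,
    shortened only when the site caps the length (the 16-character limit the thread mentions).
    Returns the password and the entropy it actually achieves under that cap."""
    length = min_length_for_bits(len(alphabet), target_bits)
    if max_length is not None:
        length = min(length, max_length)
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    for row in scenario_table():
        print(f"{row['shape']:<32} {row['bits']:>6} bits  "
              f"online: {row['online_years']:.3g} y   offline: {row['offline_seconds']:.3g} s")
    pw, bits = generate_password(128, max_length=16)
    print(f"\n16-char cap: {pw} ({bits:.1f} bits)")
    pw, bits = generate_password(128)
    print(f"no cap:      {pw} ({bits:.1f} bits)")
```

Two things fall out of the table. Twenty lowercase letters (94 bits) beat twelve characters from the full printable set (79 bits), which is the "length beats complexity" point. And a five-letter password takes decades to guess online under the assumed lockout but an offline attack on a leaked fast hash clears the eight-letter case in seconds, which is why lockout alone does not answer the "how could someone brute-force it" question: the Ars articles linked above are about offline cracking of dumped hashes.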