Jump to content

  • These forums are for "after booking" trip communications, socializing, and/or trip questions ONLY.
  • You will NOT be able to book a trip, buy add-ons, or manage your trip by logging in here. Please login HERE to do any of those things.

Photo

The Advantage Of 'Strong' Passwords


  • Please log in to reply
27 replies to this topic

#16 peterbj7

peterbj7

    I spend too much time on line

  • Premier Member
  • PipPipPipPipPipPip
  • 2,068 posts
  • Location:San Pedro (Belize) & Oxford (UK)
  • Gender:Male
  • Cert Level:Instructor
  • Logged Dives:over 4000

Posted 14 December 2008 - 08:17 AM

Those of you with numerous sign-on protocols, and your colleagues who probably have as many - how much of this is retained in the head, and how much is written down somewhere, albeit perhaps cryptically? I'm afraid I don't believe that anyone can remember 30-odd sign-ons (I word it that way because as I outlined, often the id's are also arbitrary), and certainly not if they are high-security, changed frequently, and in some cases not self-assigned.

This was the basis of my objection to the situation I described above. I went round various offices, both during the working day and after hours. I'm sure some people thought I was just chatting and passing the time because I had nothing better to do, but I was actually observing security breaches.

I wasn't concerned with what was supposed to happen. Commonsense said that was unachievable. I wanted to find out what actually did happen, and my conclusion was that security was actually pretty poor. People who are employed as "security experts" at high salaries get very defensive and protective of their jobs when someone else (not an "expert") suggests that they're not doing a very good job, and as is always the way most of them resort to whatever underhand tactics will make the threat to their personal comfort go away. I'm sure they're still relaxed with the feeling that they've designed a really high security and impenetrable system. The fact that it doesn't work they can (and do) simply blame on others - they never need to justify their system since they are in charge and no-one is allowed to challenge it (under threat of criminal sanction). The trouble is that they're supposed to be protecting national security and vast amounts of valuable property, and they're not.

One thing they added was the need to get it right first time. Any input error was reported and investigated, and staff were reprimanded for getting it wrong. In any real world this applied great pressure on people to ensure they would always get it right, which meant writing it down.

Educational theorists believe that no-one can reliably memorise more than seven arbitrary facts/numbers. I believe that's about true, and I operate at any one time with fewer than that. Even so I sometimes get myself confused and am convinced that a particular password should be used when I'm actually wrong. On one occasion my bank card was withheld by the machine abroad because I thought I'd simply mis-keyed rather than putting in completely the wrong word. That caused me a major headache.

I love this topic. I'd forgotten all this stuff but this has brought it all back. Chiefly I remember the small intellects of the people who had got themselves into highly paid jobs that did nothing except "lord it" over other people. When you add the threat of severe criminal sanction over anyone who might have the temerity to challenge you this ensures you personal position is totally secure. I came across many people of this calibre in this particular government department and it was quite an eye opener. Makes me wonder how my father was able to stomach it for most of his working life, because I couldn't.

#17 shadragon

shadragon

    Tech Admin

  • Premier Member
  • PipPipPipPipPipPip
  • 3,055 posts
  • Location:On De Island...
  • Gender:Male
  • Cert Level:MSD / DM / Solo
  • Logged Dives:534' ish

Posted 14 December 2008 - 10:15 AM

People who are employed as "security experts" at high salaries get very defensive and protective of their jobs when someone else (not an "expert") suggests that they're not doing a very good job, and as is always the way most of them resort to whatever underhand tactics will make the threat to their personal comfort go away.

In my experience an "IT Audit" is usually conducted by accountants during their annual finance audits. Probably because of Sarb-Ox in the US, but Canada has legislation which is almost the same. They normally work off a pre-done generic checklist and typically don't know what they are talking about. During one audit the accountants plugged their laptops into my internal network and connected to their company with a VPN tunnel. I was surprised to see a new domain appear on my Network Neighborhood and when I clicked on it I had direct access to 1100 PC's and servers on their corporate network. Payroll, finance, all members of senior management, even their vacation schedule. Little computer security was in place. I took many screenshots and gave them to my boss (The CIO) who held onto them until they delivered their report before giving them my print-outs. It is the little moments like that in life that you really look forward too. :thankyou:

Oh sorry Peter, I missed your main Q. I did maintain a master password list for a lot of stuff on the corporate system. It was on a floppy disk I kept in a fire-proof safe off-site (Disaster recovery in case I got hit by a bus). That file was behind a 4096 bit encryption and 256+ bit password that three people knew. Supposedly would take 4.3 billion years to run through the combos, but I still changed it every 6 months. No admin passwords were in there and the only time I had to refer to it is was when I needed something I had not used in a long time.

"Single Sign On" for me means "Single Point of Failure" or "One stop shopping" for a hacker. A layered and in-depth protection scheme works best. I never put all my eggs in one basket and isolate my internal network wherever possible.

I am a big fan of precomputation myself. Takes a lot of time and resources, but today with quad CPU's it is remarkably easy to do. Give me $10K to build a Linux Beowulf cluster for the purpose and I could get dangerous. :cool1:
Remember, email is an inefficient communications forum. You may not read things the way it was intended. Give people the benefit of the doubt before firing back... Especially if it is ME...! ;)

Tech Support - The hard we do right away; the impossible takes us a little longer...

"I like ponies on no-stop diving. They convert "ARGH!! I'M GOING TO DIE" into a mere annoyance." ~Nigel Hewitt

#18 Scubatooth

Scubatooth

    I spend too much time on line

  • SD Partners
  • PipPipPipPipPipPip
  • 2,678 posts
  • Location:Dallas / Plano, TX & Houston / Baytown, TX
  • Gender:Male
  • Board Status:Saving Lives!
  • Cert Level:Rec: DM -- Tec: Ext Range
  • Logged Dives:500+

Posted 14 December 2008 - 10:26 AM

Peter

good info,and i will agree on the "security experts" god complex issues. I disagree on the level of memorization, but different strokes for different folks.
As for storing backup copies of PW and USID well i do have a backup on a smart card that my laptop reads but inorder to access that you have to have a certain piece of software and 3 of my finger prints to unlock the true crypt encryption (I love that program) and then you need another 3 finger prints to gain access to the password manger program and the spread sheet that is built into the program. If you dont have that then it looks like a blank memory card.

Simon

dyslexics of the world untie, LOL

A Novus Dies Has Adveho.... Occupo Dies

Where in the World is Tooth? ... Catch Me It You Can!

Traveling the World, Diving, and Photography, on my days off from saving lives as a Paramedic


#19 peterbj7

peterbj7

    I spend too much time on line

  • Premier Member
  • PipPipPipPipPipPip
  • 2,068 posts
  • Location:San Pedro (Belize) & Oxford (UK)
  • Gender:Male
  • Cert Level:Instructor
  • Logged Dives:over 4000

Posted 14 December 2008 - 11:06 AM

So the "security" transfers from what people believed it was to something else. Another point I was unable to get into people's heads.

#20 secretsea18

secretsea18

    I spend too much time on line

  • Member
  • PipPipPipPipPipPip
  • 1,007 posts
  • Location:NYC when not diving!
  • Gender:Female
  • Cert Level:AOW
  • Logged Dives:1062

Posted 14 December 2008 - 02:58 PM

Then again this is necessary for the data we handle through our accounts due to the electronic charting which if leaked would be a HIPAA violation and they are not cheap and are career killer.

Yeah...that HIPAA stuff can be a real pain in the butt! Do you know which group gives gives us the hardest time with password rules compliance....the physicians. I know we have several MDs that participate in this board and maybe they can give me some onsight on this. Every time I sit down to review new/upgraded computer applications with our MDs they complain about remembering their passwords. How can they remember all these complex diagnoses and their associated treatments, but a computer password throws them into a tailspin.



Would you rather us remember what antibiotic to use for what infection or what the dose is for any given medication used, or remember passwords, so we can look at how many ml of fluids you drank yesterday? Remembering passwords to a doctor is just not that important to us. Getting the information out of the computer is the important thing. The volume of what we need to know to do our daily jobs is huge. Personally I write my password on a post-it and put it on my shelf above my desk in my office. Of course there are so many random post-its that it would require someone trying to hack in to be able to figure out what any given post-it is for....
Upcoming trips: July 2010 Halmahera-Sulawesi on Mandarin Siren, + Lembeh, Indonesia !!; September 2010 Sydney, Australia; September 2010 Boston; October 2010 Atlanta -Road Warrior Training!; November 2010 Anilao, Philippines!; December 2010 Cabo San Lucas, Mexico; Feb 2011 Philippines Cebu - mission- + Anilao!!; April 2011 Puerto Rico - for a meeting - double wow!; April 2011 Chicago

#21 secretsea18

secretsea18

    I spend too much time on line

  • Member
  • PipPipPipPipPipPip
  • 1,007 posts
  • Location:NYC when not diving!
  • Gender:Female
  • Cert Level:AOW
  • Logged Dives:1062

Posted 14 December 2008 - 03:03 PM

Bubbles - That would be the mega-god dysfunction anything that doesnt make things easy for them isnt necessary. maybe you should remind them of the criminal and civil penalties for failure to comply, that should make most of them have a pucker factor of 50. Then again what do i know im just a lowly paramedic (don't you dare call me a ambulance driver) what could i possible know.

If i can nearly memorize verbatim 800 pages of protocols then remembering a password should be a breeze for a doctor, but i wont hold my breath.



Not everyone thinks and process info the same way Dan. I remember, by heart, things I see and do often, but need to use my peripheral brain to look up things often. For example, even though I was a Biochemistry major in college, and needed to know the Krebs cycle, I thought it was absolutely stupid to have to memorize the da*n thing when I could just look it up if I needed to. And yet, I remember loads of esoteric information. You remember what's important. Passwords to get into the computer is not a high priority to remember for many... myself included.

Edited by secretsea18, 14 December 2008 - 03:05 PM.

Upcoming trips: July 2010 Halmahera-Sulawesi on Mandarin Siren, + Lembeh, Indonesia !!; September 2010 Sydney, Australia; September 2010 Boston; October 2010 Atlanta -Road Warrior Training!; November 2010 Anilao, Philippines!; December 2010 Cabo San Lucas, Mexico; Feb 2011 Philippines Cebu - mission- + Anilao!!; April 2011 Puerto Rico - for a meeting - double wow!; April 2011 Chicago

#22 shadragon

shadragon

    Tech Admin

  • Premier Member
  • PipPipPipPipPipPip
  • 3,055 posts
  • Location:On De Island...
  • Gender:Male
  • Cert Level:MSD / DM / Solo
  • Logged Dives:534' ish

Posted 15 December 2008 - 08:32 AM

Remembering passwords to a doctor is just not that important to us. Getting the information out of the computer is the important thing.

This is the eternal question. Where to draw the line between accessibility and security? Getting info out is important, but that must be balanced to ensure only the people needing to get in that area are allowed. In the medical community that ensures private medical info stays that way. In banking, your account info, credit report and balance stay protected, etc.

What people do not realize is that the biggest threat to those things and computer security in general is not server security, or strength of the password, or an admin sneaking around, or how many firewalls you have; It is the user. The user has traditionally been the weak link because many see it as an unnecessary inconvenience. The majority treat computer security in their workplaces with a cavalier attitude, but forlornly expect all other professions to protect their personal information elsewhere with diligence and zeal. Do you see the inherent flaw here?

When you (that is a general 'you', not pointing fingers at SecretSea18... :birthday: ) go to the local mall, do you leave your car with the doors, trunk and hood open with keys in the ignition? When in a store, do you leave your wallet / purse on a shelf and go off shopping? Probably not. However, most people leave their PC in that state when they walk out of their offices. I would like to think it is caused by ignorance rather then apathy. I can educate someone who does not know, but it is impossible to do that with someone who does not care.

When there is a breach, it typically is not the corporation or its policies that is to blame. It is Mary down in accounting who opened a web link to a cute little elf greeting card from someone she didn't know. Best example I have: I got an email from a person in the office saying "I just clicked the attachment on the email you just warned us about this morning. What do I do now?"

What do we call attitudes like that in IT??? Job security... :canuckdiver:
Remember, email is an inefficient communications forum. You may not read things the way it was intended. Give people the benefit of the doubt before firing back... Especially if it is ME...! ;)

Tech Support - The hard we do right away; the impossible takes us a little longer...

"I like ponies on no-stop diving. They convert "ARGH!! I'M GOING TO DIE" into a mere annoyance." ~Nigel Hewitt

#23 peterbj7

peterbj7

    I spend too much time on line

  • Premier Member
  • PipPipPipPipPipPip
  • 2,068 posts
  • Location:San Pedro (Belize) & Oxford (UK)
  • Gender:Male
  • Cert Level:Instructor
  • Logged Dives:over 4000

Posted 15 December 2008 - 11:07 AM

Some bright spark came up with the idea of fingerprint scanners on laptops, instead of passwords. Great idea, except that the salt air here corrodes these within weeks and prevents ANY access to the computer. I now disable those sorts of things at the beginning, while they still allow me the access to do it.

#24 secretsea18

secretsea18

    I spend too much time on line

  • Member
  • PipPipPipPipPipPip
  • 1,007 posts
  • Location:NYC when not diving!
  • Gender:Female
  • Cert Level:AOW
  • Logged Dives:1062

Posted 15 December 2008 - 11:15 AM

At least from what I see in the hospitals I work at and have heard about, all the HIPPA (remember that Congress made up a >1500 page document for this!) violations that have been publicized have been not through breaches via easy to remember passwords. It has been through hospital personnel who have no reason to access certain files (OK, they have all been celebrities hospital records), using perfectly good passwords. Not hackers. It is the employee on floor x, in say microbiology, looking at George Clooney's hospital file that has occurred out of curiosity of his address or other information that they had no business knowing or looking at cause they were not taking care of him.

Information regarding financial information, yes, I agree with you spot on, but still can't remember a 15 item alphanumeric code, with capitols in it... then when I forget it, and can't access my information, oops I need to remember the email address I used for that account, and then my special secret question and make sure you are case specific!

BTW, I regularly leave my car in the garage with the doors open and keys in the ignition..... but of course, it's to my garage parking attendant down the street... I actively have to remember to lock car and take keys when I park it myself in parking lots, since I live in NYC....



and holy cow... I think internet scrabble has nearly broken the server... it's taking so long.....
Upcoming trips: July 2010 Halmahera-Sulawesi on Mandarin Siren, + Lembeh, Indonesia !!; September 2010 Sydney, Australia; September 2010 Boston; October 2010 Atlanta -Road Warrior Training!; November 2010 Anilao, Philippines!; December 2010 Cabo San Lucas, Mexico; Feb 2011 Philippines Cebu - mission- + Anilao!!; April 2011 Puerto Rico - for a meeting - double wow!; April 2011 Chicago

#25 peterbj7

peterbj7

    I spend too much time on line

  • Premier Member
  • PipPipPipPipPipPip
  • 2,068 posts
  • Location:San Pedro (Belize) & Oxford (UK)
  • Gender:Male
  • Cert Level:Instructor
  • Logged Dives:over 4000

Posted 15 December 2008 - 12:32 PM

There have been several high profile losses of bulk personal information in the UK recently, and most have happened because someone downloaded all the info to a flash drive and then mislaid it. Some of these cases have had tremendous consequences for the people involved. Flash drives now have such high capacity (I have several which hold 16gb, for just a few $ each) that a single drive can hold eg. the name, address, SS number, bank account details and other personal info for everyone in Britain, or indeed the USA.

It has been demonstrated by these cases that there is no such thing as "security" over data on citizens held by government departments. Yet at the same time the State is getting ever more acquisitive of all this information. It took someone several years and a great deal of money to get a court to expunge their DNA profile from the national police computer, against strong resistance from the police and the UK government. This person was an early suspect in a crime, who was exonerated and never charged. If we're not VERY careful Orwell's vision will come to pass without our ever knowing it - until it's too late.

#26 Racer184

Racer184

    Everyone knows me

  • Member
  • PipPipPipPipPip
  • 918 posts
  • Location:Clearwater, Florida
  • Gender:Male
  • Cert Level:Open Water Instructor S.D.I.
  • Logged Dives:>400

Posted 15 December 2008 - 05:18 PM

Some bright spark came up with the idea of fingerprint scanners on laptops, instead of passwords....


And I bet that the fingerprint scanner does not check temperature or for a pulsatile blood flow. So the thief will just cut off your fingers and take them along with the laptop.

Another "great idea" is retinal scanning for ATMs (automatic teller machines). Yeah... great.... now robbers will carry a gun AND a grapefruit spoon.... steal your ATM card and your eyeball. I'd prefer they just take my cash... my eyeballs are worth more to me than all my money.

#27 WreckWench

WreckWench

    Founder? I didn't know we lost her!

  • Owner
  • PipPipPipPipPipPipPip
  • 47,039 posts
  • Location:Miami, Ft. Lauderdale & Dallas, TX
  • Gender:Female
  • Cert Level:DM
  • Logged Dives:4000+

Posted 15 December 2008 - 06:57 PM

and holy cow... I think internet scrabble has nearly broken the server... it's taking so long.....



Naw....the system is just cold...been freezing across the entire US! :thankyou:

Contact me directly at Kamala@SingleDivers.com for your private or group travel needs or 864-557-6079 AND don't miss SD's 2018-2021 Trips! ....here! Most are once in a lifetime opportunities...don't miss the chance to go!!
SD Forms & Documents.... here !

Click here TO PAY for Merchandise, Membership, or Travel
"Imitation is the sincerest flattery." - Gandhi
"Imitation is proof that originality is rare." - ScubaHawk
SingleDivers.com...often imitated...never duplicated!

Kamala Shadduck c/o SingleDivers.com LLC
2234 North Federal Hwy, #1010 Boca Raton, FL 33431
formerly...
710 Dive Buddy Lane; Salem, SC 29676
864-557-6079 tel/celfone/office or tollfree fax 888-480-0906

#28 Bubbles

Bubbles

    I spend too much time on line

  • Member
  • PipPipPipPipPipPip
  • 1,380 posts
  • Location:Hartford, CT
  • Gender:Female
  • Cert Level:Advanced Open Water, Nitrox
  • Logged Dives:400-ish

Posted 15 December 2008 - 07:12 PM

Some bright spark came up with the idea of fingerprint scanners on laptops, instead of passwords. Great idea, except that the salt air here corrodes these within weeks and prevents ANY access to the computer. I now disable those sorts of things at the beginning, while they still allow me the access to do it.

My laptop at work has a fingerprint scanner, and it works less than half the time..... :thankyou: We had planned to roll them out, but decided that if IT had problems it would never work for the non-IT staff!!!
"If life gives you limes, make margaritas." Jimmy Buffett




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users