Do Not Change Your Password

yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Do Not Change Your Password

Post by yogi »

That's right. It's a NIST guideline now officially codified. Of course, if it has been compromised then do indeed change it, but not to one you ever used previously. They don't emphasize it enough in the article, but using easy to remember passphrases of significant length is the better solution:
  • Good Password: X2@aKZIm97etQ
  • Perfect Passphrase: This is my memorized secret for Brainformation
https://www.grahamcluley.com/new-nist-g ... d-changes/
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: Do Not Change Your Password

Post by Kellemora »

I've always hated it when a website wanted me to use a special character and a number.
I do understand the longer a password is, even to the point of it becoming a passphrase, the longer the better.

Where the frau used to work before she retired, they made them change their passwords once a week.
I always thought that was dumb! Because you know they are going to have to write it down to remember it.

At one time, I only had two short passwords I used everywhere, one for places I really didn't have anything to lose, and another one used for more important places. Then a few years ago, I began appending information to the passwords that I wouldn't forget, because it had to do with where I was logging in. This way my password was different at each site, so I felt a little safer.

Now I have so many different passwords, because of the places that make us change them, and have weird demands, I have two books and a PDA I keep them all in.

Getting back to where my frau used to work, they now use encrypted passwords. Since she doesn't work there anymore, she's not exactly sure how they manage this. But of her friends that still work there, they enter a normal password into a generator, and out pops an encrypted password they copy and paste in their new password box. Nothing to remember except your original password. So I guess the generator encrypts the word the same way each time?
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: Do Not Change Your Password

Post by yogi »

I'd guess your wife's experiences with passwords where she worked are a variation of two factor authentication. The generated password is valid only for a few seconds, maybe a minute at the most. Thus, anyone who intercepts it has useless information. The generated password is what unlocks the access to the computer, which undoubtedly is synced to a server handing out the random passwords. So, in order to log in, two passwords are needed. One stays with your wife while the other changes constantly.
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: Do Not Change Your Password

Post by Kellemora »

Seems to me that anyone who knew her initial log-in could get the encrypted one, but she said it did not work that way.
She had to change her log-in password once a week, and then, like you said, use it plus the daily code to get the encrypted one to allow her into the system.
They were big on security, because they are one of the companies that handles banking and merchant card transactions.

I remember when she was working there, she said every part of their overall system is done in separate stand-alone units.
The only example she could give was how merchant terminals connect to the system, which is a separate system that collects the data from the terminal, analyzes the data, then takes what was analyzed and moves it to another system used for verification purposes, and only after that does the collected data enter the main banking system.
In other words, you cannot get from a merchants terminal past the information collection system. There is no connection. The verification system scans the collection system for collected data in the only format it will accept. I think the banking system works about the same way.
Of course they never give any details about how things work, other than when they are talking about how secure their system is because of certain things they have in place.
And when you think about it, it sounds like an almost perfect system. You don't go to it, it comes to you, and looks only for a few numbers, everything else is rejected and not read. Once it has the numbers it was looking for, it only verifies those numbers are correct in the verification system. Then it will allow the numbers to enter the banking system.
Nevertheless, they still have hackers trying to get in, which is why they have a whole team of employees just watching every connection they didn't make themselves, even to the early input systems.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: Do Not Change Your Password

Post by yogi »

I can only second guess what kind of security is used on sensitive data. I'd clarify my theory about your wife's experience and suggest the login was tied to the hardware as well as the software. In other words, the person with the password has to log in from a specific terminal/device in order for this to work. If I logged in from here, it would reject me.

Security within financial systems is pretty good. You seldom hear about account specifics other than login credentials being compromised. One way to defend against intrusion is to have a distributed data network. There would be a server with only user account numbers on it, for example. Transactions would be parsed by business name on another server, debits on another, and running balances on a third. The billing computer would query the distributed network pieces to come up with a statement, but there is no single database that has all the information. A hacker could break into any one of the databases, but would need to be able to coordinate with the others in order to get useful information. That means hacking into one database is not enough. Plus, as your story about the random generated passwords suggests, the database indexes can be changed on the fly and pinned to a specific source.

If I knew what I was talking about, I'd probably be rich today. But this scenario sounds good. :mrgreen:
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: Do Not Change Your Password

Post by Kellemora »

Now that you mention it, she could only log in from her workstation or her supervisor's workstation, not from a fellow worker's workstation. If her computer broke, she had to use the supervisor's workstation while they set her up a replacement.
She reminded me there was a specific log-in sequence also.
She logged into her terminal, then within the minute must log into the clock-in program, and as soon as she was clocked in, then she had to log into the password server, get her log-in code, and log into the server where she did most of her work. All that to get in, but only one button to push to log back out if she stepped away from her computer or went to lunch.

Now they have an entirely new way of logging into the system. It doesn't use a fingerprint, but a palm reader. You still need the encrypted code to log-in initially, but then if you leave your station and hit the button to log out, all you have to do to get back in is set your hand over this black palm reader device. Unless you are gone from your desk for more than fifteen minutes more than an hour, then it takes a whole new log-in session to get back in.
I'm told it doesn't read your palm print, but where the blood vessels or veins are in your hand. Interesting!

I know I mentioned this before, but the car my neighbor used for a while from where he works, the door opens using a thumb print.
I've not seen him in that particular car now for a few months. Maybe they have him working outstate again.