
'security' gone mad at work

Comments

  • digitalscreamdigitalscream Frets: 27076
    edited February 2017
    The solution to this is to simply stop listening to your messages. If enough people do it, it'll cause so much disruption that they'll have to be more sensible. Either that, or ring the helpdesk to get your code reset every time you want to listen to your messages (and sometimes, ring back straight away saying you've forgotten it). IT middle-managers really hate it when their helpdesk stats start to slide.

    Here's the thing - the people who set the policy also consider four digits to be enough to safeguard their bank accounts.

    Besides...in terms of the actual security difference - ie how long it'd take to crack the four-digit code with a computer compared with the eight-digit code - the difference is measured in seconds and wouldn't even be considered a minor inconvenience.

    It's an idiotic policy, most likely dreamt up by somebody in management (they rarely know anything about these things, but for some reason always want to appear like they know).
    <space for hire>
  • danodano Frets: 1610
    I just use a word with a number at the end, and increment it by one each time work insists I do it (every 30 days).

    It also lets me work out how many months I've been there!
  • MyrandaMyranda Frets: 2940
    The solution to this is to simply stop listening to your messages. If enough people do it, it'll cause so much disruption that they'll have to be more sensible. Either that, or ring the helpdesk to get your code reset every time you want to listen to your messages (and sometimes, ring back straight away saying you've forgotten it). IT middle-managers really hate it when their helpdesk stats start to slide.

    Here's the thing - the people who set the policy also consider four digits to be enough to safeguard their bank accounts.

    Besides...in terms of the actual security difference - ie how long it'd take to crack the four-digit code with a computer compared with the eight-digit code - the difference is measured in seconds and wouldn't even be considered a minor inconvenience.

    It's an idiotic policy, most likely dreamt up by somebody in management (they rarely know anything about these things, but for some reason always want to appear like they know).
    So far virtually every historic security disaster I've been researching has been because the management wouldn't listen to engineers in a we-know-best sort of prelude to disaster - naff passwords, no investment in improvements, no attempt to secure against threats identified years ago.

    Also I suspect that these password policies are precisely why there are so many crap passwords - people are inherently lazy, so constantly asking for changes, where you can't reuse things, means people get the most simple BS ... and yet to crack passwords you don't care what characters are used, you care about the length - brute force programs will try every combination of printable character at tens or hundreds of millions of combinations per second - random word pass phrases would be as (or more) secure, easier to remember and by virtue of complexity won't need changing as often (and when changed can be changed for another easy to recall phrase).
  • HAL9000HAL9000 Frets: 9813
    edited February 2017
    axisus said:

    OK, so I went for the easy option: 11111111. Nope, that got refused. The system is now telling me that it has to be a RANDOM number! 

    Surely 11111111 is as random as any other eight digit number?

    I'd say don't worry about retrieving 'phone messages. If it's that important they'll call you back.
    I play guitar because I enjoy it rather than because I’m any good at it
  • quarkyquarky Frets: 2777
    edited February 2017
    Myranda said:
    As one of the staff with password admin rights I just change my password to what I darn well want and it gives me my passwords D and subsequently avoid any silly "no, this isn't a passwords of the sort we like, even though our policy is such that Pa$$word1 would count as a strong password, and we've arbitrarily limited you to 16 characters" messages
    Similar here. My work password has actually changed twice in over a decade, because I just go in and change it to what it already is (mind you, our main domain\administrator password was one of the seven days of the week (all lowercase, no special characters) for more than a decade too). I share the pain of any users though. I am strongly in favour of @stickyfiddle suggestion, but there are plenty of thickos in positions of authority in IT. Hence you get people writing passwords on Post It notes and putting it beneath their mouse mats.
  • ReverendReverend Frets: 5125
    We have a few passwords that have to change every 45 days. Not sure if it makes things more secure because you end up having to write them down somewhere in order to remember them.
  • SporkySporky Frets: 29108
    HAL9000 said:

    Surely 11111111 is as random as any other eight digit number?
    It certainly can be. But you can't tell if one number is random or not - you need multiple numbers, or to know how they were derived. If it was "hmm.... ok, let's say 1, then 3, then 8, then 4, then 7, then 2..." and so on then there'll be more patterns and predictability than if you use an online random number generator.

    I've switched over to using LastPass to store and generate passwords. The master password is then concealed inside a system that isn't protected by LastPass, in a manner which ought to make it very hard to find, and hard to identify if you do find it.
    "[Sporky] brings a certain vibe and dignity to the forum."
  • HAL9000 said:
    axisus said:

    OK, so I went for the easy option: 11111111. Nope, that got refused. The system is now telling me that it has to be a RANDOM number! 

    Surely 11111111 is as random as any other eight digit number?
    In a mathematical sense, yes. In a "can somebody guess it?" sense, not really.
    <space for hire>
  • Sporky said:
    axisus said:
    The system is now telling me that it has to be a RANDOM number!
    How is it assessing that? People aren't very good at generating random number sequences.


    I remember at school the class did an experiment to show this. Everyone was asked to come up with a "random" list of zeroes and ones, like 20 or something. There are four combinations of pairs of these: 00, 01, 10 and 11, and you would expect a roughly even distribution of both but every single kid in the class had more 01s and 10s than 00s and 11s.

    Polarityman illustrated this as well - you would expect about a tenth of those number pairs to be doubles but there was only one, very low even before he got not-random.
  • MyrandaMyranda Frets: 2940
    Sporky said:
    axisus said:
    The system is now telling me that it has to be a RANDOM number!
    How is it assessing that? People aren't very good at generating random number sequences.


    I remember at school the class did an experiment to show this. Everyone was asked to come up with a "random" list of zeroes and ones, like 20 or something. There are four combinations of pairs of these: 00, 01, 10 and 11, and you would expect a roughly even distribution of both but every single kid in the class had more 01s and 10s than 00s and 11s.

    Polarityman illustrated this as well - you would expect about a tenth of those of number pairs to be doubles but there was only one, very low even before he got not-random.

    even distributions of binary digits and random are not the same thing... in a random number, or even a series of genuinely random numbers I'd expect to not not expect anything
  • 57Deluxe57Deluxe Frets: 7350
    Thanks for that. Please be sure to repost your random number every 2 months for us so that we may all give you the most appropriate advice  on your choice!
    <Vintage BOSS Upgrades>
  • SporkySporky Frets: 29108
    Myranda said:

    even distributions of binary digits and random are not the same thing... in a random number, or even a series of genuinely random numbers I'd expect to not not expect anything
    To some extent it depends what you mean by "random", but assuming we're saying that each digit is selected without reference to any other digit, and without weighting between digits, then over any large sample you should see a lot of repeated digits.

    When people generate what they think are random sequences there are usually too few repeated digits, which makes the sequences more predictable and weaker as security measures.

    Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks and fewer consecutive tracks even from the same album or the same artist. People then thought it was more random...
    "[Sporky] brings a certain vibe and dignity to the forum."
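The "too few repeated digits" signature Sporky describes can be measured directly. The following is an added example, not code from the thread: it counts adjacent doubles in constructed 20-bit strings of the sort pupils write when asked for "random" bits, and scores the pooled class against the uniform independent-digit model (all strings and function names are constructed for illustration).

```python
"""Adjacent-pair check for 'random-looking' digit strings.

Added illustration, not from the thread. Model: each digit is chosen
independently and uniformly from an alphabet of size k. Then every
adjacent pair is a double (00, 11, ..., 99) with probability 1/k, and
the double-indicators at neighbouring positions are pairwise
independent (P(s_i == s_i+1 == s_i+2) = 1/k**2), so over n pairs the
count of doubles has mean n/k and variance n*(1/k)*(1-1/k) exactly.
"""
import math
from collections import Counter


def pair_counts(seq: str) -> Counter:
    """Count every overlapping adjacent pair in seq."""
    return Counter(seq[i:i + 2] for i in range(len(seq) - 1))


def count_doubles(seq: str) -> int:
    """Number of adjacent pairs whose two symbols are equal."""
    return sum(c for p, c in pair_counts(seq).items() if p[0] == p[1])


def pooled_double_stats(seqs, alphabet_size):
    """Pool several short strings (one per pupil) and return
    (doubles, pairs, z): z is how many standard deviations the observed
    number of doubles sits from the expectation under the uniform model.
    A strongly negative z means 'too few repeats', the human signature."""
    pairs = sum(len(s) - 1 for s in seqs)
    doubles = sum(count_doubles(s) for s in seqs)
    p = 1.0 / alphabet_size
    z = (doubles - pairs * p) / math.sqrt(pairs * p * (1 - p))
    return doubles, pairs, z


# Constructed 20-bit strings of the kind people write when asked for
# 'random' bits: mostly alternating, with few 00/11 runs.
CLASS_BITS = [
    "01010110100101101010",  # 3 doubles in 19 pairs
    "10100101011010010101",  # 3 doubles
    "01101001010110010110",  # 5 doubles
]

# Constructed 20-digit decimal string with no adjacent repeats at all.
HUMAN_DIGITS = "38172946052817463921"

if __name__ == "__main__":
    d, n, z = pooled_double_stats(CLASS_BITS, 2)
    print(f"bits: {d} doubles in {n} pairs, expected {n / 2:.1f}, z = {z:.2f}")
    # One short string is too small to conclude much on its own
    # (P(0 doubles in 19 decimal pairs) = 0.9**19, about 0.135);
    # a whole class pooled together is not.
    d, n, z = pooled_double_stats([HUMAN_DIGITS], 10)
    print(f"digits: {d} doubles in {n} pairs, expected {n / 10:.1f}, z = {z:.2f}")
```

Pooling the three bit strings gives 11 doubles where about 28.5 are expected, more than four standard deviations low, whereas the single decimal string alone is not enough to rule out chance.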
  • Sporky said:

    Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks and fewer consecutive tracks even from the same album or the same artist. People then thought it was more random...
    Indeed - there was an experiment years ago where people were asked to choose the most random distribution of dots on a piece of paper. Almost all of them chose the one where the dots were more evenly distributed, whereas the most random one (ie the distribution with the most entropy) was where there were clusters of dots on the page.

    Most people think that's counter-intuitive, but it's only so if you don't understand what "random" actually means.
    <space for hire>
  • MyrandaMyranda Frets: 2940
    Sporky said:
    Myranda said:

    even distributions of binary digits and random are not the same thing... in a random number, or even a series of genuinely random numbers I'd expect to not not expect anything
    To some extent it depends what you mean by "random", but assuming we're saying that each digit is selected without reference to any other digit, and without weighting between digits, then over any large sample you should see a lot of repeated digits.

    When people generate what they think are random sequences there are usually too few repeated digits, which makes the sequences more predictable and weaker as security measures.

    Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks and fewer consecutive tracks even from the same album or the same artist. People then thought it was more random...
    But how big was his school class that a 20 digit binary number would show any significant grouping/non-grouping...

    The 30 or so numbers could be the most random selection of the million plus combinations possible ... but it might be very easy to make all sorts of assumptions
  • Random number generator for all os

    www.maltingsaudio.co.uk
  • FX_MunkeeFX_Munkee Frets: 2487
    Sporky said:

    Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks and fewer consecutive tracks even from the same album or the same artist. People then thought it was more random...
    Indeed - there was an experiment years ago where people were asked to choose the most random distribution of dots on a piece of paper. Almost all of them chose the one where the dots were more evenly distributed, whereas the most random one (ie the distribution with the most entropy) was where there were clusters of dots on the page.

    Most people think that's counter-intuitive, but it's only so if you don't understand what "random" actually means.
    oh, my day job...
    Yes, that's the difference between Gaussian/Normal Distribution and Random.
    I use the former a lot, to make people think it's the latter :)
    Shot through the heart, and you’re to blame, you give love a bad name. Not to mention archery tuition.
  • LoFiLoFi Frets: 535
    Possibly apocryphal, but I was told the original reason for periodic changes of passwords dates from physical security with numeric keypads - given a 4-digit code on a 10-digit pad, if the code wasn't changed regularly, the printed numbers on the keys would wear out, making it far easier to crack the code (this has actually happened in my block of flats).

    If there's no indication your account has been compromised, enforcing regular changes of complex passwords is counterproductive, as a number of posters in the thread have pointed out.
  • Myranda said:
    Sporky said:
    Myranda said:

    even distributions of binary digits and random are not the same thing... in a random number, or even a series of genuinely random numbers I'd expect to not not expect anything
    To some extent it depends what you mean by "random", but assuming we're saying that each digit is selected without reference to any other digit, and without weighting between digits, then over any large sample you should see a lot of repeated digits.

    When people generate what they think are random sequences there are usually too few repeated digits, which makes the sequences more predictable and weaker as security measures.

    Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks and fewer consecutive tracks even from the same album or the same artist. People then thought it was more random...
    But how big was his school class that a 20 digit binary number would show any significant grouping/non-grouping...

    The 30 or so numbers could be the most random selection of the million plus combinations possible ... but it might be very easy to make all sorts of assumptions

    There is a chance that an anticipated non-random pattern is created randomly, yes. The experiment doesn't "prove" anything, it just indicates an extremely strong likelihood of it. You wouldn't need a particularly large sample to hit "extremely strong likelihood".
  • MyrandaMyranda Frets: 2940
    LoFi said:
    Possibly apocryphal, but I was told the original reason for periodic changes of passwords dates from physical security with numeric keypads - give a 4 digit code on a 10 digit pad, if the code wasn't changed regularly, the printed numbers on the keys would wear out, making it far easier to crack the code (this has actually happened in my block of flats).

    If there's no indication your account has been compromised, enforcing regular changes of complex passwords is counterproductive, as a number of posters in the thread have pointed out.
    Given that I've said I don't like the repeated and constant changing of passwords I might sound a little hypocritical to point out that many massive historic cyber intrusions went undetected for days/weeks/months/years including some of the more significant espionage campaigns like Titan Rain (Chinese hackers "probably" state funded hacking into government, military and then industrial computers over years - only noticed by chance after *some time*).

    So, periodic password changes *could* stop undetected intrusions that have been quietly data mining without your knowledge. In the case of a (semi) well monitored network that has suffered an undetected intrusion a password change could be followed by an observed drop in traffic which would indicate that some unauthorised users might have been in the system using legitimate accounts... 
  • MyrandaMyranda Frets: 2940
    Myranda said:
    Sporky said:
    Myranda said:

    even distributions of binary digits and random are not the same thing... in a random number, or even a series of genuinely random numbers I'd expect to not not expect anything
    To some extent it depends what you mean by "random", but assuming we're saying that each digit is selected without reference to any other digit, and without weighting between digits, then over any large sample you should see a lot of repeated digits.

    When people generate what they think are random sequences there are usually too few repeated digits, which makes the sequences more predictable and weaker as security measures.

    Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks and fewer consecutive tracks even from the same album or the same artist. People then thought it was more random...
    But how big was his school class that a 20 digit binary number would show any significant grouping/non-grouping...

    The 30 or so numbers could be the most random selection of the million plus combinations possible ... but it might be very easy to make all sorts of assumptions

    There is a chance that an anticipated non-random pattern is created randomly, yes. The experiment doesn't "prove" anything, it just indicates an extremely strong likelihood of it. You wouldn't need a particularly large sample to hit "extremely strong likelihood".
    Just saying that (assuming 30 school kids) 0.002% of the range is too poor to make any determinations, even of strong/weak likelihood.