Here's a chuckle

There are no red flashing lights that go off when someone's account has been hacked. Someone has to be actually looking for illegal activity. A different person using your account with your password using a registered browser would not be detectable at all. Rather than spend all that time looking for something to NOT be happening, it's easier just to get everyone changing their passwords often.
Easier for who? I went to the hospital yesterday after not having been there for a while and the system would not let me in because the old password had expired. Because it expired I couldn't change it myself. I spent a half hour on the phone with tech support just to get someone to change it for me. Does anyone actually have any evidence that this crazy system works to reduce unauthorized intrusions? I would guess that most hackers get in and do their dirty work in a short time so changing my password 30 days after they discover it probably isn't going to do much good. Additionally we all have so many passwords for so many systems and the rules are so complex that we all have to have a system for generating new passwords that makes it easy to remember. Most hackers are going to know this and if they figured out our password in the first place they shouldn't have much trouble figuring out the system we use to generate new ones. I'm curious though. Has anyone really studied this to see if these cumbersome password policies actually help reduce intrusions? They sure create a lot of headaches.

Maybe what the hospital system needs, Mac, is a multiple tier of accounts. Your first is the standard one. The second with a different password only contains the password for the first in case you forgot it, the third contains the password for the second in case you forgot that, etc. That way, if you ever forget any of them you can go to a lower tier and work your way back up. :lol:
Geez, I shouldn’t have suggested it because our webmasters will probably start instituting it. :vampire: :slight_smile:
Occam

NOW you tell me. I've been going crazy for years forgetting that damned period and having to go back and correct things. :lol: Occam
Change it to "Occamperiod". ;)
I'm curious though. Has anyone really studied this to see if these cumbersome password policies actually help reduce intrusions? They sure create a lot of headaches.
Really? Have you ever looked at all the settings that are behind your internet connection? Has anyone ever said, "yeah, I could have invented the internet. It was just a good idea waiting for someone to stumble upon it." Is Steve Ballmer a billionaire for no good reason? Do you think all that effort has gone into making computers more secure and no one thought about how to deal with user names and passwords? Stealing passwords that are the name of your cat is pretty common, so I named my cat TWe45_yupper but I pronounce it "fluffy".
Have you ever looked at all the settings that are behind your internet connection?
I have. I used to document Internet gateway commands when I was a tech writer. As far as I can tell from working with programmers and reading about security the only time it is necessary to change your password is immediately after a security breach, which is far more likely on a Windows based server than on one running Linux or Mac OS.
Have you ever looked at all the settings that are behind your internet connection?
I have. I used to document Internet gateway commands when I was a tech writer. As far as I can tell from working with programmers and reading about security the only time it is necessary to change your password is immediately after a security breach, which is far more likely on a Windows based server than on one running Linux or Mac OS.
Well, we've pretty much sucked the fun out of this one. Depends on what type of security breach. If someone entered the system without using a user's password, then they could obtain said passwords and you'd want to change them. But, if they got a password, without using any sort of machine at all, i.e. through "social engineering" then you would never know there was a breach in the first place. They could use this password for months, learning more and more about the system, or stealing only small amounts of money by creating fake accounts and fake transactions. Accounting wouldn't know because it would look like legitimate data to them. Passwords can also be hacked by trying millions of variations on common words, names of people at the company, or other public information. This can be detected only if someone is watching for unusual traffic from an unknown MAC address. Short words with no caps and only 26 possible characters would obviously be easier. But forget the technical stuff, the question I have is, knowing that this is something people hate, knowing it causes more expense at your help desk, and the people who hate it the most are often the people who are in charge, the ones who could say not to do it, why is everyone doing it? This isn't like magnetic strips on credit cards where there are whole other countries with a better way to do it and we haven't adopted it yet.
I'm curious though. Has anyone really studied this to see if these cumbersome password policies actually help reduce intrusions? They sure create a lot of headaches.
Really? Have you ever looked at all the settings that are behind your internet connection? Has anyone ever said, "yeah, I could have invented the internet. It was just a good idea waiting for someone to stumble upon it." Is Steve Ballmer a billionaire for no good reason? Do you think all that effort has gone into making computers more secure and no one thought about how to deal with user names and passwords? Stealing passwords that are the name of your cat is pretty common, so I named my cat TWe45_yupper but I pronounce it "fluffy".
I am not saying no one thought about it. I am just wondering if anyone ever checked to see if their ideas accomplished what they hoped it would. One thing I have learned after years in medicine is not to ever trust "common sense" as a guide to implementing procedures or treatments. Lots of things that sound like a good idea end up not working out the way you had hoped when put into practice simply because it's difficult to anticipate human behavior accurately and also because we usually have very incomplete knowledge of the systems we are working on. Computer networks may not be as complex as biological systems but the same principles apply to a lesser extent. All I am saying is never assume anything. Just because something sounds like a good idea (constantly changing passwords) doesn't necessarily mean it is. Making a longer password that uses many more characters obviously makes the password more difficult to crack. That's a simple mathematical proof. No study required there, although the degree to which it increases security is an entirely different issue that needs to take into account human nature (i.e. when passwords get too complex people tend to write them down rather than memorize them and this may reduce security if these pieces of paper with passwords on them are left in unsecured locations). Therefore longer passwords may not necessarily be more secure even though the mathematics of the situation would suggest otherwise.
It's fine to go on theory if the procedure you are requiring has no down side but in the case of expiring passwords it clearly does. People are more likely to forget their passwords or they may expire between uses requiring a call to tech support. This increases labour costs for those managing the network. It also results in lost productivity as in my case yesterday when I spent a half hour on the phone in front of a computer screen instead of taking care of the patient I went to see in the hospital. So back to the original question. Has anyone actually studied this to see whether longer passwords and expiring passwords actually increase security and by how much? The how much is important in deciding if the benefit is worth the cost.
But forget the technical stuff, the question I have is, knowing that this is something people hate, knowing it causes more expense at your help desk, and the people who hate it the most are often the people who are in charge, the ones who could say not to do it, why is everyone doing it? This isn't like magnetic strips on credit cards where there are whole other countries with a better way to do it and we haven't adopted it yet.
Who says the people managing the system are the ones who hate it the most? I doubt that. The far larger group of people who actually use it hate it one heck of a lot. The people managing the system are more concerned about security than convenience. They're not going to lose their job because people complain about the password policy. They might lose their job if the system is breached. Given those two options they will opt for a more secure "appearing" password policy even if the policy doesn't actually result in a more secure system. I'm not saying these policies don't result in greater security I am just wondering if there is any proof. If not then these onerous procedures are quite possibly unnecessary.
I'm not saying these policies don't result in greater security I am just wondering if there is any proof. If not then these onerous procedures are quite possibly unnecessary.
I don't have any studies, nor do I have a degree that covers computer security, so I can't answer you anymore than I already have. I tried to apply critical thinking in the way I would evaluate claims of a flat earth or a 9/11 conspiracy. That usually gets me by. Anecdotally, I agree with the writing down password thing. We had a laptop computer come back, from a lawyer, and we opened it up and the username and password were taped onto the keypad. Basically a door with the key left in it.
I'm not saying these policies don't result in greater security I am just wondering if there is any proof. If not then these onerous procedures are quite possibly unnecessary.
I don't have any studies, nor do I have a degree that covers computer security, so I can't answer you anymore than I already have. I tried to apply critical thinking in the way I would evaluate claims of a flat earth or a 9/11 conspiracy. That usually gets me by. Anecdotally, I agree with the writing down password thing. We had a laptop computer come back, from a lawyer, and we opened it up and the username and password were taped onto the keypad. Basically a door with the key left in it.
Ok Thanks. It was just something I had wondered from time to time as I struggled to remember the latest iteration of a password. It would be interesting to know if there is some industry literature on this.
I'm curious though. Has anyone really studied this to see if these cumbersome password policies actually help reduce intrusions? They sure create a lot of headaches.
Really? Have you ever looked at all the settings that are behind your internet connection? Has anyone ever said, "yeah, I could have invented the internet. It was just a good idea waiting for someone to stumble upon it." Is Steve Ballmer a billionaire for no good reason? Do you think all that effort has gone into making computers more secure and no one thought about how to deal with user names and passwords? Stealing passwords that are the name of your cat is pretty common, so I named my cat TWe45_yupper but I pronounce it "fluffy".
Now that's funny!

I was trying to research this password issue and came across an interesting study of password use. Somehow Microsoft claims they got 1/2 million users to agree to “opt-in” to have their password activity monitored for the study. The study is interesting but how they got that many people to opt-in to something like that boggles my mind.

First, they probably put a tiny opt-out button in the middle of all sorts of legalese, then when people missed it, they were opted-in.
Since the only thing I keep on this computer is all my papers on my views of society, politics, ethics, atheism, thinking, etc. I’d be delighted if anyone hacked my computer and copied all of my writing. I figure that’s the only way I’ll ever get anyone to read them. :lol:
Occam

From what I have been hearing, MS would have had better luck with passwords if they went to the NSA. Oh wait, maybe this was to cover an already existing NSA/MS operation. Maybe they don’t know for sure how much information Snowden has.

I can see the reason to change some passwords, say on bank accounts, though I resent being forced to change them on a regular basis. What really drives me crazy is the need to change passwords on things like Scrabble and Apple Apps. What is a hacker going to do with my Scrabble games? Play them for me? I can’t see how anyone could download apps to their own computer using my password, or why they’d want to. As for Apple passwords in general, every time I try to enter one they tell me it is the wrong password, even though I have it written down and it worked the last time I used it. I have many Apple passwords, none of which work. But when I go through their ridiculous system of changing it once again, I can’t use any of the passwords I have used in the past year! As of now, I have no idea which of ten or more passwords I have written down will work–presumably none of them. When I do successfully change my Apple password I get a message that my iCloud password is incorrect. I change it to my new password and when I go back to the App store, I’m told that my new password is incorrect and all I can do is change it and go through the whole asinine, incomprehensible exercise once again. Out of frustration I went into an Apple store to get my Apple password changed so I would have one password for all my Apple accounts. They changed it for me. By the time I got home, about half an hour later, the new password would not work for any Apple program.
Lois

I'm beginning to think the only people they are keeping out of the website are the people who are actually authorized to use it.
I'm beginning to think the most secure job in the world is the IT department's existence to reset passwords at $8-$11 each. I know what my 'retirement' job will be. :smirk:
I can see the reason to change some passwords, say on bank accounts, though I resent being forced to change them on a regular basis. What really drives me crazy is the need to change passwords on things like Scrabble and Apple Apps. What is a hacker going to do with my Scrabble games? Play them for me? I can't see how anyone could download apps to their own computer using my password, or why they'd want to. As for Apple passwords in general, every time I try to enter one they tell me it is the wrong password, even though I have it written down and it worked the last time I used it. I have many Apple passwords, none of which work. But when I go through their ridiculous system of changing it once again, I can't use any of the passwords I have used in the past year! As of now, I have no idea which of ten or more passwords I have written down will work--presumably none of them. When I do successfully change my Apple password I get a message that my iCloud password is incorrect. I change it to my new password and when I go back to the App store, I'm told that my new password is incorrect and all I can do is change it and go through the whole asinine, incomprehensible exercise once again. Out of frustration I went into an Apple store to get my Apple password changed so I would have one password for all my Apple accounts. They changed it for me. By the time I got home, about half an hour later, the new password would not work for any Apple program.
Lois
Whenever my iPhone updates, I have to reset my AT&T password on my phone...which I've usually forgotten since my computer 'remembers' it, so I have to go through the tedious task of resetting my AT&T password, and it is extremely picky as to what it accepts. I am pretty sure I have this one memorized, but it won't work for my phone.... >:-(
First, they probably put a tiny opt-out button in the middle of all sorts of legalese, then when people missed it, they were opted-in. Since the only thing I keep on this computer is all my papers on my views of society, politics, ethics, atheism, thinking, etc. I'd be delighted if anyone hacked my computer and copied all of my writing. I figure that's the only way I'll ever get anyone to read them. :lol: Occam
:lol:

I’d be rather upset if someone hacked into my computer. They might steal all my game save files and GMing notes. It would be a huge, time consuming pain in the coccyx to replay/write all that. Grodd knows I don’t have any money in my bank account (or my passwords for that on my hard drive.)