Web Hosting UK Forums | Linux Windows Dedicated Server and cPanel VPS Hosting Forum > Sales > Suggestions
  #1 (permalink)  
Old 27-01-10, 06:45 PM
new member
 
Join Date: Jan 2010
Posts: 4
Passwords and security

I am able to log in to this forum using a self-chosen user name and a self-chosen password. Both of these are easy for me to remember without writing them down.

And yet... Throughout the .Net Control Panel and other things on the server system, some misguided programmers have decided that they must dictate that at least one numeric and one non-text character MUST BE USED!!
Programmers are given too much power to make this sort of decision. Whilst they are very clever people, generally speaking they are not very experienced in day-to-day business matters and, whilst they may be very good coders, I would not ask one to run a company.

Now I must abandon my favourite password and use a new one which must be WRITTEN DOWN.

Surely, a password that is written on a Post-It note and stuck somewhere near the PC is a well-known problem? Yet the feature that the programmers insist upon almost guarantees that this will happen. So the password will be less secure than my random string of letters (random but memorable).

Only a few companies are not aware of this fact of life. We are not, after all, dealing with bank accounts here!

I find it very irritating.

Last edited by Wintonian; 27-01-10 at 06:52 PM.
  #2 (permalink)  
Old 27-01-10, 07:46 PM
IanSmithISA
Senior Member
 
Join Date: Aug 2009
Location: Worcester
Posts: 121

Good evening

As a programmer, amongst other things, I can give you an easy solution:

Keep the passwords that you would normally use but always append something like #123^.

So if you want to use fred, jack and jill, they become fred#123^, jack#123^ and jill#123^.

One constant suffix should be easy to remember but it makes manual guessing of passwords very difficult.

Bye

Ian
__________________
Forums are about debating pleasantly not agreeing.
  #3 (permalink)  
Old 28-01-10, 08:56 AM
new member
 
Join Date: Jan 2010
Posts: 4

Quote:
Originally Posted by IanSmithISA
Good evening

As a programmer, amongst other things, I can give you an easy solution:

Thanks for that, Ian. This is, of course, the sort of solution that I have adopted. But it is a solution to a problem that need not exist, and that has been created, like so many others, out of an exaggerated fear of password guessing. Many, many on-line pages do not dictate how a password should be formed, knowing that there are many factors that determine the strength of a password. They also take account of the risk: is this a financial facility or merely an email or ftp programme? It is up to an individual to decide for himself the degree of security that he needs. I will listen to advice, but do not wish to be dictated to by someone who is likely to be less qualified than I to know what suits my needs.

People will still use the name of their pet or their children, replacing 'i's and 'l's with '1'. So security does not improve much.

Dual layer passwords, such as are used in on-line banking, get over the problem without resorting to dictating what words should be used.

It is, unfortunately, a feature of today's world that people are fearful of everything that they don't understand, and they do not question the validity of security measures.

BTW, my son is a programmer and a highly skilled web developer. As you can imagine, we have some interesting discussions!
  #4 (permalink)  
Old 28-01-10, 10:05 AM
IanSmithISA
Senior Member
 
Join Date: Aug 2009
Location: Worcester
Posts: 121

Good morning,

Quote:
It is up to an individual to decide for himself the degree of security that he needs

Unfortunately that is not true. With all the T.V. ads for "had some bad happen let xyz solicitors sue someone for you", the U.K. has changed to a culture where it is always someone else's fault.

If my application lets you use CAT as your password and someone else uses your account, it is highly likely that someone somewhere will have a go at blaming me for allowing him to do it. If you have a video recorder, try recording the adverts on afternoon TV; it's very depressing: "I fell over and got £5K compensation".

By insisting that the password is complex I am protecting myself from that culture. I do find it rather amusing that the result of this is that the same password will be used in many places, stored on a post-it or an application will be used to store every password.

Many people with bad intentions don't try and log onto your account specifically, they don't care that it is you, they just want an account. If everybody used their date of birth it might be hard to log onto your account, but logging on to an account would be trivial.

Bye

Ian
__________________
Forums are about debating pleasantly not agreeing.
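
An added illustration (not part of any post in this thread, and not the control panel's code) of the points debated above: the composition rule from the first post checked beside a base-word lookup that undoes a constant suffix and '1'-for-letter substitutions. The word list, substitution table and function names are constructed for the example.

```python
import itertools

# Constructed sample of guessable base words; a real check would load a
# large list of common and previously breached passwords.
GUESSABLE = {"fred", "jack", "jill", "cat", "rover", "billie", "password"}

# Substitute characters and the letters they commonly stand for (assumed table).
SUBS = {"1": "il", "!": "i", "0": "o", "3": "e", "4": "a", "@": "a", "5": "s", "$": "s"}


def meets_composition_rule(pw):
    """Rule described in post #1: at least one digit and one non-alphanumeric character."""
    return any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)


def base_words(pw, max_variants=256):
    """Return the blocklisted words this password appears to be built from.

    Tries the whole password, then progressively strips a trailing run of
    digits/symbols (the constant-suffix pattern), and undoes substitutions
    on what remains. '1' is ambiguous, so both 'i' and 'l' are tried.
    """
    pw = pw.lower()
    found = set()
    for k in range(len(pw), 0, -1):
        # Stop once the stripped suffix would start to include a letter.
        if k < len(pw) and pw[k].isalpha():
            break
        options = [SUBS.get(c, c) for c in pw[:k]]
        for combo in itertools.islice(itertools.product(*options), max_variants):
            word = "".join(combo)
            if word in GUESSABLE:
                found.add(word)
    return found


def review(pw):
    """(passes the composition rule, guessable base words found)."""
    return meets_composition_rule(pw), base_words(pw)


if __name__ == "__main__":
    # Constructed sample passwords, including the suffix pattern from post #2.
    for sample in ["fred#123^", "B1ll1e!", "cat", "qzvhtrmwkp"]:
        ok, words = review(sample)
        print(f"{sample!r}: rule={'pass' if ok else 'fail'} base words={sorted(words)}")
```

The first two samples satisfy the composition rule yet reduce to a listed word, while the all-letter string fails the rule without matching anything on the list.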
  #5 (permalink)  
Old 28-01-10, 10:46 AM
new member
 
Join Date: Jan 2010
Posts: 4

Ian, you are right, of course, about the 'compensation culture'. But I don't think it is right to allow this to dictate good practice. In a similar way the over-reliance by unthinking companies on so-called 'health and safety' policies has created huge inefficiencies in commerce. Mostly, the 'health and safety' rules that are being applied only exist in the minds of petty officials who don't appear to be able to interpret the actual law correctly. So they make the rules up. (The same thing happened in banking with the 'Anti Money-Laundering Laws'. Banks have now 'Gold Plated' the laws with new rules that are there simply to protect themselves against the incompetence of their own staff.)
Common sense has served well for decades, accidents being inevitable.
I live in Brittany in France and it is refreshing that individuals are not pushed around by bureaucrats. The commonly held view of France is that it has an overblown bureaucracy. And so it has. But in the everyday world people are left to go about their lives without constant harassment by officialdom. Rules are there for guidance and people are expected to use common sense. It seems to work very well. And the compensation culture simply does not exist here. This is one reason why motor insurance premiums are so low, I suppose, together with the fact that vehicle theft is almost unheard of! Brittany has a very low crime rate, so I suppose we are spoiled!
I shall have to accept that programmers will continue to consider themselves subject to the stupidity of the system and live with it.
  #6 (permalink)  
Old 28-01-10, 12:31 PM
IanSmithISA
Senior Member
 
Join Date: Aug 2009
Location: Worcester
Posts: 121

Good morning

Quote:
rules that are being applied, only exist in the minds of petty officials who don't appear to be able to interpret the actual law correctly

Living in Brittany may mean that you have missed the latest example of what you refer to.

In order to avoid being fined for employing people who do not have a right to work in the UK, many, possibly even most, employers are insisting on seeing a birth certificate/passport before employing anybody.

Surprise, surprise, this isn't what the law said.

Bye

Ian
__________________
Forums are about debating pleasantly not agreeing.