halfbakery
Birth of a Notion.
Many office systems force their users to change their passwords on a regular

If I forget my password, it'll always be the day after I changed it. The new one just hasn't fixed itself in my brain yet.

In cases when the password has been changed routinely, rather than to counter a specific security threat, the old password could remain active for a week as a background password.

Should a user enter a password wrongly (three times in a row) within the first week of a scheduled password change, they would be taken to a screen where they can change the new password to something more
using the old password as
||+, though it wouldn't have helped me when the system made me change my password the day before a two week vacation.
||Not sure if this solves the problem or just defers it for a week or so - if you can't remember the new password, you're just going to keep entering the old one.
From a security perspective, this makes the systems twice as vulnerable, and the kind of person taking advantage of it will likely be picking soft passwords too (eg. name of dog, spouse + year of birth, favourite team etc). Regretfully, a fish.
||swarmi...: Maybe it could be based on number of successful logins as well as a longer time period. Maybe not, though. The longer you extend this, the greater the risk.
||Doc: You couldn't keep using your old password as it no longer gets you access to your files; it is *only* used to change the access password (which is a pain to do every morning). Plus, it would expire. There *is* an increase in vulnerability by having two
but I'm hoping that making the password system easier to use will result in fewer passwords getting written
||Hmm...I see another problem [dons balaclava]. One try, two tries, 3 tries, enter new password, stolen your account. Granted it depends on having the old password, but it's vulnerable being old...
||It's not that old. You were using it to secure your account only
||That did get me thinking, though. Maybe this should be a one-shot deal. You can rescue a password only once until the next scheduled password change. This would make any successful hack more obvious.
||[explanation requested by DocBrown below]... If you allow the user to reset the password using this method multiple times then no alarm bells will ring if an unauthorised user (who has managed to get hold of the old password) does so. The user will just assume that they've forgotten the password again and reset it. This would give the unauthorised user a whole week of out-of-hours access to the
||If you restrict the user to a single reset then the second triple of failed logins will direct them to a screen telling them to call IT so that they can reset their password. If you are security-conscious, the first question you can ask (reading back from the log-files) is whether they reset their password at three the
||The fact that you were using it recently is no bar on it being old - it's at the end of its life is what I meant, where it's adjudged to have become old enough to start being at risk of compromise.
I think this should definitely be a one-shot deal, but I don't see how it makes a successful hack more obvious - explain!
EDIT: Cheers for that [st3f], have changed vote accordingly.
||Another security enhancement for this would be to notify the network administrator whenever the feature was used. Depending on the sensitivity of the situation, the admins could take whatever action was necessary. For example, an automatic email to the person's manager might be about the right level of security and would significantly reduce the amount of time that the network admin would have to spend dealing with forgotten passwords.
||Adding to [scad]'s thought (okay, little divergent) is to allow the password concurrence or overlap to occur only on policy-scheduled password changes but not on un-scheduled changes imposed due to a detected or potential password security breach.
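A toy model of the policy as it stands after the thread so far: a week-long background password, the three-strikes rescue screen, the one-shot rule credited to [st3f], the admin notification and the scheduled-only overlap suggested just above. This is an added illustration, not code from anyone in the thread; the day numbers, passwords and the names rotate/login/rescue are all constructed.

```python
from dataclasses import dataclass, field

GRACE_DAYS = 7   # the week in which the old password stays "in the background"
MAX_FAILS = 3    # three wrong entries in a row trigger the rescue screen
@dataclass
class Account:
    password: str
    old_password: "str | None" = None    # authorises one rescue, never a login
    changed_on: int = 0                  # day number of the last rotation
    rescue_used: bool = False            # one-shot per scheduled change (st3f's rule)
    fails: int = 0
    events: list = field(default_factory=list)   # audit trail an admin reads back
def rotate(acct, new_pw, day, scheduled):
    # Only policy-scheduled changes keep a background password; forced ones drop it.
    acct.old_password = acct.password if scheduled else None
    acct.password, acct.changed_on = new_pw, day
    acct.rescue_used, acct.fails = False, 0
def in_grace(acct, day):
    return acct.old_password is not None and day - acct.changed_on <= GRACE_DAYS

def login(acct, attempt, day):
    if attempt == acct.password:
        acct.fails = 0
        return "ok"
    acct.fails += 1
    if acct.fails < MAX_FAILS:
        return "denied"
    acct.fails = 0
    if not in_grace(acct, day):
        return "locked"            # ordinary lockout policy applies
    if acct.rescue_used:           # a second triple after a rescue is not silently reset again
        acct.events.append((day, "repeat lockout after rescue; user must call IT"))
        return "call_it"
    return "rescue_screen"

def rescue(acct, old_attempt, new_pw, day):
    # A single successful rescue spends the old password and is reported upward.
    if not in_grace(acct, day) or acct.rescue_used or old_attempt != acct.old_password:
        return False
    acct.password, acct.rescue_used = new_pw, True
    acct.events.append((day, "old password used to reset; notify admin/manager"))
    return True

def demo():  # constructed scenario: scheduled change, forgotten new password, rescue, repeat
    a = Account(password="old-pw")
    rotate(a, "new-pw", day=0, scheduled=True)
    r = [login(a, "old-pw", 1) for _ in range(3)]      # denied, denied, rescue_screen
    r.append(rescue(a, "old-pw", "fresh-pw", 1))       # True
    r += [login(a, "guess", 2) for _ in range(3)]       # denied, denied, call_it
    r.append(rescue(a, "old-pw", "evil-pw", 2))        # False: rescue already spent
    return r, a.events
```

The two audit events are what an administrator would read back when asked whether the reset happened at an odd hour.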
||Maybe you could also choose how you want to enter your security information. If they have a palm reader, key pad and retinal scanner, and depending on the user you may use one or two of any of those devices, then outsiders not only have to match up the user but they have to match up their possible method of security info. +
||You can get around problems like this by using a secret ordered list and basing your passwords off items on that list. Combine this with a consistent pattern of capitalization and use of punctuation, and you'll have a set of strong passwords that are easy to remember.
||For example, let's say you use the months and the number of days in them. Your passwords could be jAnuary-31, fEbruary-28, mArch-31, aPril-30, and so on. When you get to December, start over; it shouldn't be a problem for most systems. If you forget a password, it shouldn't be too hard to figure it out with a few guesses.
||Naturally, this system works best when you use a list that's only known to you -- grade school teachers, ex-flames, etc.
||//Many office systems force their users to change their passwords on a regular basis//
||This idea would not work if the office system changes password every week.