I have to do mine 4 times a year. I end my PW in 01 for the first quarter and capitalize the first letter. Then in quarter 2 end it in 02 and capitalize the second letter..... You could do the same 6 times and be fine.
There are six quarters in a year?
Apache
Where do you put the Bayonet?
Chesty Puller (upon seeing a flamethrower for the first time)
I am all in favor of keeping dangerous weapons out of the hands of fools. Let's start with typewriters.
Frank Lloyd Wright
You could hack most of the USAF's passwords after you've been in for about a year. There are certain tricks that we all use to remember our passwords, it's just finding that starting point that is key. lol
I missed this article last time around. Funny part is we were just talking about this at work.
We have a new hire who started today who leaned into my office and says "psst. Hey can I ask you a question- keeping in mind I am not trying to sound like an ----ole?"
"Sure," I said.
"Okay, seriously now- how many @!#% passwords can I expect to have? I get on the call and I get my HR password, then in orientation I get my Sales password, then I get my Product Center password, my (company censored) password, Citrix password, my Salesforce.com password, and my Aetna password. Are we even close to done? I have another call in 40 min and I am sitting here wondering what the @!#%"
I smirk and wave him in and around my desk, where I pull up an encrypted worksheet that I have hidden in plain sight on my desktop - complete with a fake icon label.
It opens and he says "HOLY !%@# what is that?"
I say "THAT my new friend, is what 27 system passwords look like, not including the 3 it takes to log in which I remember"
He was seriously deer in headlights at that point. I love picking on people who have a firehose full of information in their mouth spraying all wildly.
So anyways- I always game my passwords so that I end up spending half the day memorizing them. If I can remember them after I invent them, I get paranoid and try to do something more original. Ironically, I only have to refer to that password sheet a few times a month when a system I never log into needs my attention.
The thing is the way password policy is enforced. Here at work our domain login password policy forces us to change our password every six months and it has to follow a rule of upper/lower case, symbol, length and uniqueness. This is totally annoying. I can't come up with a password that fits that rule and expect to remember it every six months. So what I do is have a password that fits the rule with a number at the end. Every six months I then increment the number. How does this rule prevent a brute force attack? I mean basically the hacker just has to wait a couple more seconds. Personally I like RSA but whatever.
The password changing is the main thing I disagree with in the security community. Being a CISSP myself I understand it goes against everything they are teaching, but what they don't realize is the most important thing is creating a strong password. Changing the password on a constant basis doesn't make an account more secure; it only creates a natural reaction in the user community: animosity. This directly negates what they are trying to do, which is make the user account more secure. It frustrates users and increases the chance of them leaving a written password lying around the computer area. If they would use some common sense, enforce strong passwords and back off the frequency of password changing, I think they would find they would decrease frustration and retain the level of security they are trying to obtain.
If you guys think your password restrictions are fun, you should try the DoD community's policy. The same password requirements we've been talking about here, plus 14 length passwords in some cases and changing it every 64 days with a password history of 12 to 24 of the last passwords remembered and an added bonus of having to make at least 3 characters different.
[IMG]http://thepebkac.net/images/sigs/Outdoors_sig.jpg[/IMG]
Like the community? Donate here:
[URL="http://www.cainslair.com/misc.php?do=donate"]http://www.cainslair.com/misc.php?do=donate[/URL]
If you guys think your password restrictions are fun, you should try the DoD community's policy. The same password requirements we've been talking about here, plus 14 length passwords in some cases and changing it every 64 days with a password history of 12 to 24 of the last passwords remembered and an added bonus of having to make at least 3 characters different.
Personal Certificates are required in the unclassified .mil community via smart cards and readers, but the DoD contractors haven't caught up with that.
Personal Certificates are required in the unclassified .mil community via smart cards and readers, but the DoD contractors haven't caught up with that.
Correction, also used with sensitive and certain classified documents now as well. With the move to SharePoint came a lot of this stuff.
Correction, also used with sensitive and certain classified documents now as well. With the move to SharePoint came a lot of this stuff.
LOL, agreed, I just try not to mention what our other community is doing