Difference between revisions of "Talking Passwords"

From MicroFocusInternationalWiki
Jump to: navigation, search
(Undo revision 21789 by 137.65.227.74 (talk))
 
(11 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
[[Category:Open Enterprise Server]]
 +
[[Category:Security and Identity]]
 +
 
<h1>Talking Passwords</h1>
 
<h1>Talking Passwords</h1>
 
===what is this page for?===
 
===what is this page for?===
  
 
The idea of the page is to address password issues around universal passwords.  Specifically;
 
The idea of the page is to address password issues around universal passwords.  Specifically;
<h4>A: What considerations are there for password policies? What are your policies? ''(dont use your company name)''</h4>
+
<h4>A: What considerations are there for password policies? What are your policies? ''(Please don't use your company name)''</h4>
 
<h4>B: Ideas for challenge/response questions and the potential downfall of these solutions?</h4>
 
<h4>B: Ideas for challenge/response questions and the potential downfall of these solutions?</h4>
 
<h4>C: Implementation considerations</h4>
 
<h4>C: Implementation considerations</h4>
Line 9: Line 12:
 
I hope it will be of use for people thinking of implementing universal passwords, like me!
 
I hope it will be of use for people thinking of implementing universal passwords, like me!
 
===what is not for===
 
===what is not for===
This is not a support site either cool solutions or the forums should be used for that purpose
+
This is not a support site. Please use either Cool Solutions or the Novell Support Connection forums for that purpose.
 
===who started it===
 
===who started it===
Me --[[User:Pfallon|Pfallon]] 04:19, 25 May 2005 (MDT), I've never made a Wiki before, or a webpage for that matter.  I started it as i wanted to contribute to Novell’s Wiki, learn how they are used and answer the questions that this page poses.
+
Me --[[User:Pfallon|Pfallon]] 04:19, 25 May 2005 (MDT), I've never made a Wiki before, or a webpage for that matter.  I started it as i wanted to contribute to Novell's Wiki, learn how they are used and answer the questions that this page poses.
feel free to reformat, add to and remove content as you see fit as long as we keep to what the page is for it doesn’t matter.
+
 
 +
Feel free to reformat, add to and remove content as you see fit as long as we keep to what the page is for it doesn't matter.
 
===how to use the page===
 
===how to use the page===
n''ot sure yet...   please use and edit the discussion page as well as the article page, there is good content on both!''
+
Not sure yet... Please use and edit the discussion page as well as the article page, there is good content on both!''
 
===Question===
 
===Question===
  
At some-Cola UK company we are about to roll out universal passwords but to plagiarise other people’s ideas on passwords.
+
At some-Cola UK company we are about to roll out universal password and wish to plagiarise other people's ideas on passwords, and contribute the collective knowledge
  
 
Our current policy is 6 characters, 42 days reset, no duplicates and 6 grace logins
 
Our current policy is 6 characters, 42 days reset, no duplicates and 6 grace logins
Line 23: Line 27:
 
Now we can be clever with advanced universal password rules we want to provide a better level of password security without creating more helpdesk calls due to over complex policies.
 
Now we can be clever with advanced universal password rules we want to provide a better level of password security without creating more helpdesk calls due to over complex policies.
  
So we don’t want a 26 character, dictionary proof password with at least 7 forms of punctuation 3 capital letters and 5 digits that needs to change daily and never repeat, ever.
+
So we don't want a 26 character, dictionary proof password with at least 7 forms of punctuation 3 capital letters and 5 digits that needs to change daily and never repeat, ever.
  
 
Nor do we want people to use cola as their password.
 
Nor do we want people to use cola as their password.
Line 29: Line 33:
 
====='''Q:  What is the best mix of security and complexity, what is your policy?'''=====
 
====='''Q:  What is the best mix of security and complexity, what is your policy?'''=====
  
We want to use self service password resets, by getting users to answer a set of questions that can be used to reset all passwords within the meta-directory. However, most suggestions I’ve had are either;  
+
We want to use self service password resets, by getting users to answer a set of questions that can be used to reset all passwords within the meta-directory. However, most suggestions I've had are either;  
 
Obscure i.e. what did you have for lunch on January 12 1982  or
 
Obscure i.e. what did you have for lunch on January 12 1982  or
 
Obvious  i.e. what colour is your hair?  
 
Obvious  i.e. what colour is your hair?  
Line 37: Line 41:
 
Thanks in-advance
 
Thanks in-advance
  
I would recommend a mix of 4 or 5 questions (make 2 out 5 or 3 out of 5 the required) this should allow for a broad enough mix that everyone should be able to use without trying to find the "one magic question" that works on everyone/everywhere/everytime (although if someone out there has found ... PLEASE POST IT... heh heh). The best one's that I've ever seen are some of the popular standbys
 
  - What's your mother's name ? (Leaving it somewhat nondescript
 
    allows folks to use last, middle, first, even MOM or Mother)
 
  
  - Where were you born/raised ? (Everyone should know one of the
 
    two. And if the answer text is not too bound by logic {ie just
 
    match the text}, you could even go with the nonsensical "right
 
    next to my mother")
 
  - What was your first pet ? (Before everyone jumps in with "Not
 
    everyone has had a pet" remember that it's a mix, you have to
 
    choose 3 out of 5 to answer. So skip this one or answer {as I've
 
    seen some users do} with "a rock" or "tv")
 
 
Mix these with at least one free form or "blank" question that's made up by (and answered by) the user. (I admit this can sometimes be a two edged sword, you would NOT beleive how many will use a profanity of some sort. But I still think it outweighs the downside.)
 
 
As far as actual passwords go, I usually recommend to our end users that they use a meaningful phrase (without the spaces or punctuation). Usually when it's a legitimate phrase, they can remember something longer than "just a password". Some of the better ones I've heard of are "mysonis12", "mysonjimmygoestops12", "iwantaraise", etc.
 
I would caution your users about using profanity though, I was once working on a machine and needed to signon as the user to help diagnose the issue. The young lady turned every color red as she told me her password, a particulary profane phrase with her boss' name in it as the subject.
 
Hope this helps.
 
  
 
===Links===
 
===Links===
Line 69: Line 56:
 
===Forgotten Password question ideas (Challenge Response)===
 
===Forgotten Password question ideas (Challenge Response)===
  
Questions shouldn't be dependant on time, i.e. talk about current things (cars pets etc) or last times (last holiday, last car) as these change with time and the challenges don’t. Questions should also be answerable by all where possible to avoid answers of "N/A".  
+
Questions shouldn't be dependant on time, i.e. talk about current things (cars pets etc) or last times (last holiday, last car) as these change with time and the challenges don't. Questions should also be answerable by all where possible to avoid answers of "N/A".  
  
In an office situation it is likely you share things about yourself with your colleagues and they generally can see what you look like from a staff directory, and what is on your desk if they so wish so questions should be tailored to protect against this in some way.
+
In an office situation it is likely you share things about yourself with your colleagues and they generally can see what you look like from a staff directory, and what is on your desk if they so wish, so questions should be tailored to protect against this in some way.
  
  
Line 79: Line 66:
  
 
'''What is your favourite colour?'''
 
'''What is your favourite colour?'''
I disagree with this, becouse there five or six possible answer and is ease to guess.
+
''I disagree with this, becouse there five or six possible answer and is ease to guess.''
  
 
'''If you could meet someone from history, who would it be?'''
 
'''If you could meet someone from history, who would it be?'''
Line 86: Line 73:
  
 
'''What is your least favourite film of all time?'''
 
'''What is your least favourite film of all time?'''
 
'''What is your fathers first name?'''
 
  
 
'''Name a memorable place'''
 
'''Name a memorable place'''
 +
''Too vague - people don't easily remember 'memorable' places''
  
 
'''Name a memorable date'''
 
'''Name a memorable date'''
 +
''Also too vague''
  
 
'''Where were you born?'''
 
'''Where were you born?'''
 +
''Whether this is good or not may depend on the country/region where you are. For example in Luxembourg, there are only 3 or 4 cities were typically people get born and for most it is Luxembourg (city) anyway. The case of Luxembourg is of course extreme, but there may be other places which may present similar patterns, e.g. most people being born in one of the same few cities.''
  
 +
'''What is the name of the primary school you attended?'''
 +
''Quite easy to research - try a website like friendsreunited.com''
 +
 +
'''What is your father's first name?'''
 +
''Too easy to research''
 +
 +
'''What is your mother's first name?'''
 +
''Too easy to research''
 +
 +
'''Where were you at midnight on the 2000 Millenium?'''
 +
 +
'''Airline Loyalty Card Number?'''
 +
''(on the downside, not everyone has one)''
 +
 +
'''Cell phone IMEI number - key *#06# on any phone to get this'''
 +
''(on the downside, not everyone has one)''
 +
 +
'''Think of things that people carry around with them that have codes on them - have you anything unique on the back of your company ID badge?  I know we do!'''
 +
 +
'''First name of your first kiss!'''
  
 
====''Questionable questions''====
 
====''Questionable questions''====
These type of questions may be fine for some enviroments but could cause problems in others.  On the other hand they could just be plain dumb.
+
These type of questions may be fine for some environments but could cause problems in others.  On the other hand they could just be plain dumb.
  
  
Line 107: Line 115:
 
|-  
 
|-  
 
|'''What is your shoe size?'''
 
|'''What is your shoe size?'''
|too easy to guess as male shoe size range is small that many options? / shoe's left in the gym
+
|Too easy to guess as male shoe size range is small that many options? / shoes left in the gym
  
 
|-  
 
|-  
 
|'''What is your inside leg measurement?'''
 
|'''What is your inside leg measurement?'''
|do most people know this?
+
|Do most people know this?
  
  
 
|-  
 
|-  
 
|'''What is your payroll id?'''
 
|'''What is your payroll id?'''
|written on your staff ID card?
+
|Written on your staff ID card?
  
 
|-
 
|-
 
|'''What is your mortgage/rent payment per month?'''
 
|'''What is your mortgage/rent payment per month?'''
|too personal?
+
|Too personal?
  
 
|-  
 
|-  
 
|'''What colour are your partner's eyes?'''
 
|'''What colour are your partner's eyes?'''
|not everyone has a partner!
+
|Not everyone has a partner!
  
 
|-  
 
|-  
 
|'''What is your mother's maiden name?'''
 
|'''What is your mother's maiden name?'''
|various Geneology databases hold lists of marrages and and maiden names ''(perhaps being a little paranoid here?)''
+
|Various Geneology databases hold lists of marriages and maiden names ''(perhaps being a little paranoid here?)''
  
 
|-  
 
|-  
 
|'''What is your favourite beverage?'''
 
|'''What is your favourite beverage?'''
|'''there is only one answer in my company, may be ok in yours? :)'''
+
|'''there is only one answer in my company, may be OK in yours? :)'''
  
 
|-  
 
|-  
 
|'''What was your high school mascot?'''
 
|'''What was your high school mascot?'''
|Is this an American thing? if so could be fine for a US workforce
+
|Is this an American thing? If so could be fine for a US workforce
  
 
|-  
 
|-  
Line 144: Line 152:
 
|-  
 
|-  
 
|'''What are the last 4 digits of your social security number?'''
 
|'''What are the last 4 digits of your social security number?'''
|Another American thing? if so could be fine for a US workforce, or wored to include another companies equivilent
+
|Another American thing? if so could be fine for a US workforce, or worked to include another company's equivalent
  
 
|-
 
|-
Line 156: Line 164:
  
 
|-
 
|-
|'''What is the third letter of your home address(street name)?'''
+
|'''What is the third letter of your home address (street name)?'''
 
|This can change in time
 
|This can change in time
  
Line 165: Line 173:
 
|-
 
|-
 
|'''Where was youe last holiday destination?'''
 
|'''Where was youe last holiday destination?'''
| Changes with time and is talked about in the office
+
|Changes with time and is talked about in the office
  
 
|-
 
|-
 
|'''what is your favourite sports team?'''
 
|'''what is your favourite sports team?'''
|talked about, everywhere
+
|Talked about, everywhere
  
 
|-
 
|-
Line 177: Line 185:
 
|-
 
|-
 
|'''How many children do you have?'''
 
|'''How many children do you have?'''
|not all of us have children and most poeple have 2.2 anyway
+
|Not all of us have children and most poeple have 2.2 anyway

Latest revision as of 13:49, 16 March 2015


Talking Passwords

what is this page for?

The idea of the page is to address password issues around universal passwords. Specifically;

A: What considerations are there for password policies? What are your policies? (Please don't use your company name)

B: Ideas for challenge/response questions and the potential downfall of these solutions?

C: Implementation considerations

I hope it will be of use for people thinking of implementing universal passwords, like me!

what is not for

This is not a support site. Please use either Cool Solutions or the Novell Support Connection forums for that purpose.

who started it

Me --Pfallon 04:19, 25 May 2005 (MDT), I've never made a Wiki before, or a webpage for that matter. I started it as i wanted to contribute to Novell's Wiki, learn how they are used and answer the questions that this page poses.

Feel free to reformat, add to and remove content as you see fit as long as we keep to what the page is for it doesn't matter.

how to use the page

Not sure yet... Please use and edit the discussion page as well as the article page, there is good content on both!

Question

At some-Cola UK company we are about to roll out universal password and wish to plagiarise other people's ideas on passwords, and contribute the collective knowledge

Our current policy is 6 characters, 42 days reset, no duplicates and 6 grace logins

Now we can be clever with advanced universal password rules we want to provide a better level of password security without creating more helpdesk calls due to over complex policies.

So we don't want a 26 character, dictionary proof password with at least 7 forms of punctuation 3 capital letters and 5 digits that needs to change daily and never repeat, ever.

Nor do we want people to use cola as their password.

Q: What is the best mix of security and complexity, what is your policy?

We want to use self service password resets, by getting users to answer a set of questions that can be used to reset all passwords within the meta-directory. However, most suggestions I've had are either; Obscure i.e. what did you have for lunch on January 12 1982 or Obvious i.e. what colour is your hair?

Q: What are good questions to ask users, what you do you ask them?

Thanks in-advance


Links


Pass Phrases vs. Passwords http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

Discussion on writing down your password.. http://it.slashdot.org/it/05/05/24/2047228.shtml?tid=172

sites which allow you to find out information that could be used to answer challenge question, Beware! http://friendsreunited.co.uk

Forgotten Password question ideas (Challenge Response)

Questions shouldn't be dependant on time, i.e. talk about current things (cars pets etc) or last times (last holiday, last car) as these change with time and the challenges don't. Questions should also be answerable by all where possible to avoid answers of "N/A".

In an office situation it is likely you share things about yourself with your colleagues and they generally can see what you look like from a staff directory, and what is on your desk if they so wish, so questions should be tailored to protect against this in some way.


Good questions

These are questions i cant find fault with, if you disagree feel free to edit the wiki!


What is your favourite colour? I disagree with this, becouse there five or six possible answer and is ease to guess.

If you could meet someone from history, who would it be?

Where did you go on your first holiday?

What is your least favourite film of all time?

Name a memorable place Too vague - people don't easily remember 'memorable' places

Name a memorable date Also too vague

Where were you born? Whether this is good or not may depend on the country/region where you are. For example in Luxembourg, there are only 3 or 4 cities were typically people get born and for most it is Luxembourg (city) anyway. The case of Luxembourg is of course extreme, but there may be other places which may present similar patterns, e.g. most people being born in one of the same few cities.

What is the name of the primary school you attended? Quite easy to research - try a website like friendsreunited.com

What is your father's first name? Too easy to research

What is your mother's first name? Too easy to research

Where were you at midnight on the 2000 Millenium?

Airline Loyalty Card Number? (on the downside, not everyone has one)

Cell phone IMEI number - key *#06# on any phone to get this (on the downside, not everyone has one)

Think of things that people carry around with them that have codes on them - have you anything unique on the back of your company ID badge? I know we do!

First name of your first kiss!

Questionable questions

These type of questions may be fine for some environments but could cause problems in others. On the other hand they could just be plain dumb.


Question potential issue
What is your shoe size? Too easy to guess as male shoe size range is small that many options? / shoes left in the gym
What is your inside leg measurement? Do most people know this?


What is your payroll id? Written on your staff ID card?
What is your mortgage/rent payment per month? Too personal?
What colour are your partner's eyes? Not everyone has a partner!
What is your mother's maiden name? Various Geneology databases hold lists of marriages and maiden names (perhaps being a little paranoid here?)
What is your favourite beverage? there is only one answer in my company, may be OK in yours? :)
What was your high school mascot? Is this an American thing? If so could be fine for a US workforce
What was the name of your first pet? not everyone has or has had a pet (believe it or not)
What are the last 4 digits of your social security number? Another American thing? if so could be fine for a US workforce, or worked to include another company's equivalent
What is your Fathers middle name? Not all have a middle name and middle names often becomes sons first name


What was your first car/bike? Not all had a car or bike
What is the third letter of your home address (street name)? This can change in time
How long have you lived at your current address? This changes in line with the time!
Where was youe last holiday destination? Changes with time and is talked about in the office
what is your favourite sports team? Talked about, everywhere
Favourite Food? there is only one answer in my company, may be ok in yours? :)
How many children do you have? Not all of us have children and most poeple have 2.2 anyway