Ask HN: As Non-IT Personnel, How Do You Address Bad IT Policy in the Workplace?

[luckyno13]

I currently work for a state government department, and am also enrolled in a local tech college. Each of these places have, in my opinion, bad policy surrounding passwords. I have contacted the correct people to express concerns, but nothing changes. These passwords protect things akin to your bank account if you bank account also had your tax and SS# information stored there as well.

I am wondering what sort of system the typical IT based business has compared to the bureaucratic setup of a government entity and if there is any advice for making a bigger splash without drowning myself simultaneously.

Things that concern me about the policy -

-Forced changes every 6 months. IMO this has always created an avenue for a person to create weaker passwords as they create them more often.

-The former problem is exacerbated by the fact you cannot reuse passwords. This also concerns me because this means they have my old passwords stored somewhere in the system or else they wouldnt know this.

-In the case of the school, they require exactly 9 characters. This is a good length but why is there a maximum length?

I actually suggested a method by which they could keep this policy if they would just distribute password lockers for folks to use on an official basis. There are so many people here with their passwords stickied to their monitors its scary.

Thanks.

[jeffmould]

Can completely your frustration with government IT policies and at times they are very draconian.

I do disagree with you on the policy of changing every 6 months. While it may promote laziness to some degree in coming up with a strong password, that issue can easily be overcome with policies on length, character types, etc... Forcing password changes on a routine schedule can be a very good security practice though.

As for storing old passwords I have split feelings personally on this. I hate it because I forget sometimes what passwords I have previously used. In my case it was a school and every semester we had to change our password. Since I was a part-time student taking 1-2 classes each semester including summers it meant in some years I would change my password 5-6 times. That meant remembering every password I had ever used. After 2-3 years this became a major headache to me. A better and IMO preferred implementation of this would be to prevent maybe the previous 2 passwords from being reused, but to say you can never use the same password twice regardless of time between uses is just dumb.

On your final note regarding the length issue. While I can't speak for that particular system, it sounds like it may have something to do with some legacy system restriction they have in place that is forcing a constrained length (similar to some banks not allowing special characters in your password).

[mcherm]

I work for a bank -- a place where you would expect to find excellent security practices. And for the most part we DO have excellent security practices. But I have encountered certain areas that have the same kinds of problems you mention around password management: frequent changes required and a maximum length which is not nearly long enough.

I attempted to address it by writing an essay about why this was risky (including links to research) which I published on the internal intranet.

So far my track record is quite poor. I had one person explain why 8-character passwords was the maximum (there was still one machine at the company that ran an OS that could only handle 8-character passwords) and no one seemed interested in changing it.

Make of this what you will.

[julesmarie]

Forcing password changes every 6 months is only bad policy because it isn't forcing you to change more often.

You are better off helping everyone understand the value of a passphrase vs a password.

This xkcd can help - http://xkcd.com/936/

[luckyno13]

My other suggestion to them was a good, required training on how to create passwords/phrases via different methods I have picked up along my way. I tend to keep up with password security theories from here and there, its a sort of a passion of mine considering how integral they are to our lives now days.

I have just always thought the forced changes were unnecessary if the password was strong enough to begin with, and managed in a proper/secure way on the server end. Because it doesnt matter if they password is one day, or 6 years old, the chances are that unless you are high priority, an attack on your password is a here and now event, not a prolonged attack (unless you are a direct target). Even in the event of prolonged attacks, there should be other measures in place to mitigate that avenue of exploit.

My only beef with non forced has been that over time, I feel the tendency for that particular password to be reused on multiple accounts would increase, therefore weakening it.

Like all theories though, I like to keep any open mind to all outlooks, I am by no means an expert. I just know that our policy's make me uncomfortable.