The Old Joel on Software Forum: Part 3 (of 5) - Do you want to change it now?

Do you want to change it now?

When I log in to XP Pro at work, we have expiring passwords as part of our "security" policy. I think this is common, but not my gripe.

Since my password is set to expire every 60 days or so, whenever I get down to around 10, I think, it starts asking me every time I log in: "Your password is set to expire in n days. Do you want to change it now?"

Do any of you find this beneficial? It seems like a UI annoyance to me. Why not, when my password HAS expired, make me change it then? Is it designed to harass me into changing my password?

I'm just wondering if I can't figure out the magical benefit this early in the morning.

Dignified
Tuesday, December 2, 2003

Because once it has expired, your account is locked.

I find this message annoying too.

Even more annoying is "security policies" where you can't use the last five (or however many) passwords.

Clearly, this just means I keep changing passwords lots of times ("111111", "222222", etc), until I've entered enough that I can "change" it again, back to the same password as I've used for many years.

Steve Jones (UK)
Tuesday, December 2, 2003

I don't think there is any benefit. Yes it harrasses me. Yes it annoys me. Yes I wait until the last minute to change the password. Why? Because I won't be told what to do by some stupid computer (which is just about the number one HCI no-no).

Tuesday, December 2, 2003

As someone that worked in PC helpdesk.

<snide comment> always wait until VERY last minute. Never have the forethought to change it a few days in advance so you don't get locked over the weekend. This shows good planning on your part and will endear you to the helpdesk as a user worth helping. </snide comment>

Users are losers
Tuesday, December 2, 2003

"will endear you to the helpdesk"

Who cares.

Tuesday, December 2, 2003

I get notices starting about 2 weeks away from the expiry date. The only thing I appreciate is the ability to change the password on a Monday instead of a Friday, so I don't have to spend an hour on hold to the helpdesk because I forgot my password over the weekend (can't use any of the previous 24 passwords, you know...)

Devil's Advocate
Tuesday, December 2, 2003

> Even more annoying is "security policies" where you can't use the last five (or however many) passwords.

> Clearly, this just means I keep changing passwords lots of times ("111111", "222222", etc), until I've entered enough that I can "change" it again, back to the same password as I've used for many years.

That's why some password policies stipulate a *minimum* time before you can change your password again, just to stop you doing this.

Pat Galea
Tuesday, December 2, 2003

I can't argue for or against some of the merits here because I'm ignorant of the statistics to back it up. But it seems to me that these password policies (such as ours, "strong" passwords that must have alpha, numeric AND symbol) just make users write down their password and stick it on their monitor. Surely more security compromises happen that way then through an "easily crackable" 6 character alpha only password. Is that not the case?

I suppose you could argue those same users are probably writing down their easy to remember passwords anyway, so you might as well have them as complex as possible. ;)

Dignified
Tuesday, December 2, 2003

Good reading:

http://www.asktog.com/columns/058SecurityD'ohlts.html

Someone posted it here a bit ago, looks like tog is writing again.

BTW, this dialog makes sense. I log in about once every few days, so if it doesn't warn long enough in advance there's a good chance I'll miss it.

mb
Tuesday, December 2, 2003

Why can't it wait until expiration and then force you to change it on the next login? Why does the account have to get locked out when the date passes, rather than just go into "must change password" mode? I find this irritating as well since I like to change my password on the first day of each quarter.

security newb
Tuesday, December 2, 2003

The thing I hate the most about changing passwords is the braindead account lockout for using the old password.

Without fail, every time I change my password, my account gets locked because of too many failed attempts to authenticate.

Usually, it's because I'm logged in on a remote computer via Terminal Services and naturally that account keeps trying to access resources using my old credentials.

Even when I try to make sure I'm not logged in remotely, I'll have an IE stored password somewhere that is too stupid to prompt me when the stored password has stopped working.

Richard P
Tuesday, December 2, 2003

"Why does the account have to get locked out when the date passes, rather than just go into "must change password" mode?"

That is exactly what I'm talking about. It seems silly that there would be some zero-hour for passwords. What if somebody was on a long vacation, or sabbatical? Maybe it's to get the junior IT/helpdesk people some busy work.

That AskTog article had a lot of good points. I've heard that same car-jacking argument for why fingerprint biometrics on luxury cars were not a good idea. At least now you can hand over your keys without them cutting off your finger.

Dignified
Tuesday, December 2, 2003

Steve Jones,

I'm with you, though I do change my password on my own schedule every year or so.

pdq
Tuesday, December 2, 2003

""Why does the account have to get locked out when the date passes, rather than just go into "must change password" mode?"

That is exactly what I'm talking about. It seems silly that there would be some zero-hour for passwords. What if somebody was on a long vacation, or sabbatical? "

Because that is the way Windows was designed.

Mike
Tuesday, December 2, 2003

I don't mind the advanced warning for having to change my password. It gives my brain advanced notice for having to memorize a new pseudo-random 8+ digit code. I honestly don't think I'd do as well if I changed it the first time it popped up and then went on with my life.

www.MarkTAW.com
Tuesday, December 2, 2003

If you want to change the 14 days you can set PasswordExpiryWarning key under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

WildTiger
Tuesday, December 2, 2003

In my experience, a draconian password policy simply leads to password being written on to post-it notes and affixed to monitors.

AndrewR
Tuesday, December 2, 2003

"Why can't it wait until expiration and then force you to change it on the next login?"

This is exactly what it does. Despite the massive mis-information in this thread, you're not locked out. You're forced to change it.

The prior warnings are so you're not in a situation where you can't easily change it (say, working remote during the weekend, where you have no ability to log into the domain directly, but are indirectly accessing domain resources).

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, December 2, 2003

"In my experience, a draconian password policy simply leads to password being written on to post-it notes and affixed to monitors."

That problem is easily solved by IT staff being aware of the issue and looking for passwords on post-it notes or written on the bottom of the keyboard and lecturing the user about it when they find one. It helps if you drive the point home by telling the user about specific bad things that someone else could do with their password that they'd be blamed for.

Personally, I think the best approach is to require strong passwords, but allow the user to keep the same password for a reasonable length of time. Of course, that still doesn't stop people from whining about how it's hard to remember strong passwords even after you've explained good mnemonic strategies for making passwords that are both strong and easy to remember. Considering that I'm carrying around at least 25 different passwords in my head at any given time and I don't have any great difficulty with this, I don't feel a whole lot of sympathy for folks that whine about having to remember one strong password that they use every day.

Matt Latourette
Tuesday, December 2, 2003

Agreed that draconian policies lead to stupidity. Bu tso do non-draconian policies.

So check it out -- I'm at Los Alamos and am stading next to a highly secured workstation that contains the code used to do the blast simulations. Very hush hush. On the top edge of the CRT is a very conspicuous post-it note that has printed in neat block letters: "THE PASSWORD FOR ROOT IS 'PASSWORD'". So, I start laughing it up when I see this since it's obviously a joke, physicists have a great sense of humor if you didn't know, and the guy whose workstation it is asks what's so funny and I say the post it note. He asks "what's funny about that?" and I explain that I understand it to be a joke since no one would be stupid enough to put the root password on a postit note in plain view of a unsecured hallway, nor choose such a password.

He turned red, and then moved the post-it note so it was no longer visible from the unsecured hallway.

Dennis Atkins
Wednesday, December 3, 2003

It may be a good idea to not put the password under the keyboard in a secure environment, but in the case of most offices, if someone is in the position to read the post-it, they could just as easily walk off with the computer.

I leave the password to my laptop in the top drawer of my desk so I can have the IT folks log in if they need to. Of course I don't put anything on this computer that I woudn't want the company to know about since they own it.

pdq
Wednesday, December 3, 2003

"It may be a good idea to not put the password under the keyboard in a secure environment, but in the case of most offices, if someone is in the position to read the post-it, they could just as easily walk off with the computer."

This assumes that the important data is stored on the local hard drive or that the organization is not using a firewall and NAT. It also involves the naive assumption that an intruder believes that the theft of a computer will not be detected and result in immediate lock-out of the associated accounts. If someone wants to hack your network, odds are they're not going to steal a computer to do it. I think you're also underestimating how easy it is for someone to get physical access to a restricted area long enough to memorize someone's password on a post-it note. In the vast majority of cases, employees will buy into the "Please, oh god, please tell me where the bathroom is" excuse hook, line, and sinker as the visitor/intruder crosses their legs and fidgets.

Matt Latourette
Thursday, December 4, 2003

i fine this topic was not useful because i did not get to change my password.

celine ramgoolam
Sunday, July 11, 2004