What are your password policies at work?

Discussion in 'Techforge' started by Scott Hamilton Robert E Ron Paul Lee, Aug 19, 2010.

  1. Volpone

    CAC cards? :marathon:
  2. Forbin

    At least TWELVE characters, with an upper case and a numeral required somewhere within. Special characters ($!, etc.) are encouraged. No spaces.

    It must be changed every three months, and the new password can NOT be the last password with a numeral changed (i.e. "Password01" cannot be followed by "Password02").

    The new password can not be the same as any of your last 13 passwords.

    To make it even more fun, we have three separate computer networks (one unclassified and two classified), and I have to have a different password for each (following the same rules). Plus, of course a password for the online time card system (which only requires 6 characters).


    Argh.
  3. Scott Hamilton Robert E Ron Paul Lee

    I ran the trial version of L0phtCrack 6 on my network last night. Some users haven't had to change their passwords to come into compliance with the new policies yet. A few days remaining.

    Cracked all pwords in under 2 minutes that weren't made with the new policy in place.

    I'm seriously considering getting an admin version of the program to run on my network at night and on weekends, to crack weak pwords.

    Yeah, I'm that paranoid.
  4. The Original Faceman

    all the passwords are "password"

    except mine of course.

    It's something unique.
  5. Chest Rockwell

    Do you actually use a space or is it all one word like somethingunique?
  6. Captain J

    7 characters, must have 3 of the 4 categories (caps, lower case, numbers and symbols) and is forced to reset every 90 days. Cannot reuse old passwords for something that winds up being about 15 years. Also cannot have any part of your name in it. Sys auto rejects that.
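As an added example (not code from any poster's employer), one checker that expresses both Forbin's rules above (12+ characters, upper case and numeral required, no spaces, no reuse of the last 13, no "same password with the numeral changed") and Captain J's (7 characters, 3 of 4 classes, no part of the user's name) through its parameters. The 3-letter threshold for name fragments and the oldest-first history list are assumptions.

```python
import re

CLASS_TESTS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def _mask_digits(pw):
    """Replace every digit with '#', so 'Password01' and 'Password02' compare equal."""
    return re.sub(r"\d", "#", pw)


def check_password(new, history, username="", min_len=12,
                   required=("upper", "digit"), min_classes=0,
                   allow_spaces=False, history_size=13):
    """Return the list of rules the candidate breaks (empty list means it passes).

    Defaults follow Forbin's policy; the parameters let the same function express
    Captain J's (min_len=7, required=(), min_classes=3, username given).
    `history` is oldest-first, so history[-1] is the current password (assumption)."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    present = {name for name, test in CLASS_TESTS.items()
               if any(test(c) for c in new)}
    for name in required:
        if name not in present:
            problems.append(f"missing required class {name!r}")
    if len(present) < min_classes:
        problems.append(f"needs {min_classes} of 4 character classes")
    if not allow_spaces and " " in new:
        problems.append("contains a space")
    # "cannot have any part of your name in it": check each name token of 3+ letters
    for part in re.split(r"\W+", username):
        if len(part) >= 3 and part.lower() in new.lower():
            problems.append(f"contains name fragment {part!r}")
    if new in history[-history_size:]:
        problems.append(f"matches one of the last {history_size} passwords")
    # "cannot be the last password with a numeral changed": digits masked, rest identical
    if history and new != history[-1] and _mask_digits(new) == _mask_digits(history[-1]):
        problems.append("is the current password with only a numeral changed")
    return problems
```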
  7. Lanzman

    Still need a PIN with your CAC, don't you? And the PIN is pretty much another password, in a sense.
  8. Ebeneezer Goode

    One-time codes are useful for defeating that. Apart from adding an extra layer of security, they can also salt the hash.

    Not looked at implementing them at the OS layer yet, but I've used them on the web.
  9. Mullet Man

    When you say "one time codes" are you talking about the old school cryptography methods of decrypting with a prearranged code? That would be quite proprietary, no?
  10. Ebeneezer Goode

    You have a PIN - say 1343 - and when you go to the login screen you're provided with a generated list of characters - say 'ABCDEFG' - and each number of the pin corresponds with a character.

    So in this case the code would be 'ACDC'

    I've seen a lot of different iterations of it about, so would be highly surprised if it was meaningfully covered by any copyright or patents.

    Plus, prior art exists - albeit in how some agencies would use numeric codes based on letters in books. So you'd get a triple co-ordinate representing each letter (page, row, column), fiendishly difficult to decrypt as without knowing which book you'd be screwed, as the numbers wouldn't be defeated by anything like frequency evaluation.
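The PIN-over-grid scheme described above, as an added example (not Ebeneezer's code or any product's): the server issues a random grid per login, the response is the grid character at each PIN digit's 1-based position (PIN 1343 over 'ABCDEFG' gives 'ACDC'), and the challenge is discarded after one verification attempt. A 10-slot grid with digit 0 selecting the tenth slot, and a small alphabet so characters repeat, are assumptions.

```python
import hmac
import secrets

GRID_LEN = 10  # assumption: one slot per PIN digit 1..9, digit 0 wraps to the tenth slot


def make_challenge(alphabet="ABCDEFGH", length=GRID_LEN):
    """Server side: a fresh random grid for this login only. Drawing from a small
    alphabet makes characters repeat, so a single observed response does not map
    back to one unique PIN (with 'ABCDEFG', 'ACDC' reveals 1343 directly)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_code(pin, challenge):
    """The thread's rule: each PIN digit is a 1-based position in the grid."""
    if not pin.isdigit():
        raise ValueError("PIN must be digits")
    return "".join(challenge[(int(d) - 1) % len(challenge)] for d in pin)


class OneTimeCodeLogin:
    """Constructed toy server. It has to keep the PIN digits to recompute the
    expected code, which is why this scheme cannot store only a one-way hash of
    the PIN. Each challenge is single-use: it is removed on the first
    verification attempt, pass or fail, so a captured code cannot be replayed."""

    def __init__(self, pins):
        self._pins = dict(pins)   # username -> PIN (constructed sample data)
        self._pending = {}        # username -> outstanding challenge grid

    def begin(self, user):
        challenge = make_challenge()
        self._pending[user] = challenge
        return challenge

    def finish(self, user, response):
        challenge = self._pending.pop(user, None)   # consumed whatever the outcome
        if challenge is None or user not in self._pins:
            return False
        want = expected_code(self._pins[user], challenge)
        return hmac.compare_digest(want.encode(), response.encode())
```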
  11. skinofevil

    Since Skin works from home, his password policy is simple yet impenetrable. "Don't touch the fuckin' computer."

    Kidding aside, it's 16 characters, alphanumeric, multiple-case.
  12. Powaqqatsi

    At my office the rules are 8+ characters, at least one lowercase, one uppercase, and one number. And it has to be different than the last 15 you used. We have to change it every 90 days.

    My own policy (for home) is much simpler. For any random account I create, I open up KeePass and generate a random password that uses like 20 characters, then I save it (in KeePass). Then I copy & paste it into the signup form.

    Later when I want to log in I just use KeePass, or if it is a service I don't really have any personal info on (like some dumb forum perhaps) I will probably just save the password using the browser.

    This way all my various accounts have different, long, complicated passwords. I only actually know / remember the passwords for my Windows, Ubuntu, and email accounts (and of course the password to my KeePass database).
  13. Priscella Chapman

    At my work, we have to make a new password every three months. We can't use the same one very often, I can't remember the time frame. I hate it because it gets difficult to keep coming up with new passwords that I'll remember.