Password Complexity, Good or bad?

scottalanmiller

@Dashrender said:

@travisdh1 said:

@Dashrender said:

if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.

Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.

While it might socially reduce it, how does it actually reduce the number? By socially I mean that users will do $ocial instead of $social because they (the user) wants it to be easier to remember. But that is on the user, not the system.

Forcing "complexity" itself is a social thing.

I think this actually made me realize what the problem is... no complexity is added. No complexity is checked. Using the term complexity itself is marketing and extremely misleading.

If the system was complexity checking, it would be looking at the size of the set, not that random pieces of different human visible sets are selected. It's not checking complexity, calling it that is a means of socially engineering end users to "feel better" about something that isn't true. It sounds nice, it helps them sleep at night, but it's not more complex at all.

scottalanmiller

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?

Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.

The company is providing a phone, then that is an expnse the company has taken on to handle it. Again that makes it not free, which is the entire point, you stated 2FA is free and it is not.

Sure, and that's what I said, if we are assuming that things like phones, desktops, etc. are not already paid for then the 2FA is not free. We provide phones without 2FA, though. So if we did 2FA on them, 2FA is free.

This gets into the "the word free is useless" category. Like my friends who say that food can't be free unless someone else eats and poops it for you (real conversation where they disputed free software because you were still required to operate it.) It's free to the way that humans mean to use the term free... it itself incurs no cost outside of the use of it.

Dashrender

@scottalanmiller said:

This gets into the "the word free is useless" category. Like my friends who say that food can't be free unless someone else eats and poops it for you (real conversation where they disputed free software because you were still required to operate it.) It's free to the way that humans mean to use the term free... it itself incurs no cost outside of the use of it.

LOL I remember that conversation!

JaredBusch

@scottalanmiller said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?

Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.

The company is providing a phone, then that is an expnse the company has taken on to handle it. Again that makes it not free, which is the entire point, you stated 2FA is free and it is not.

Sure, and that's what I said, if we are assuming that things like phones, desktops, etc. are not already paid for then the 2FA is not free. We provide phones without 2FA, though. So if we did 2FA on them, 2FA is free.

This gets into the "the word free is useless" category. Like my friends who say that food can't be free unless someone else eats and poops it for you (real conversation where they disputed free software because you were still required to operate it.) It's free to the way that humans mean to use the term free... it itself incurs no cost outside of the use of it.

The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.

@Dashrender stated that cost is the factor, and I agreed while you stated it could be free.

Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.

The context of all IT decisions have to be based on the business.

scottalanmiller

@JaredBusch said:

The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.

Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.

Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.

JaredBusch

@scottalanmiller said:

@JaredBusch said:

The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.

Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.

Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.

Absolutely. I know of several myself. But that is far from even a large minority of the SMB I am personally familiar with. I am quite comfortable with my statement above that Most SMB do not.

scottalanmiller

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.

Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.

Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.

Absolutely. I know of several myself. But that is far from even a large minority of the SMB I am personally familiar with. I am quite comfortable with my statement above that Most SMB do not.

I agree, most do not. But I think that those mostly overlap with those that aren't looking for 2FA, too.

Dashrender

I have a scenario going on right now.

A local hospital is deploying 2FA to all offsite personal who access their systems. They offer two choices for 2FA

1. when you log in, your default phone number will be called, you press 1 to indicate that you did log in, and the system allows you in.
2. you are provided a key fob and type the number when prompted.

Option 1 assumes that there is a direct phone number to you - be that a DID to a phone in your office, or a cell phone.

Management in my office denied this option because they are of the opinion that personal phones can't be demanded to be used for work without paying the employee for phone use (even though it amounts to $5 or less per month, employees would undoubtly try to get something ridiculous like 50% of the phone bill paid for - so management just said no)

This unexpected refusal by my office to use phones as 2FA means the hospital has to purchase and support 80+ key fobs for my office alone. They have a near countless number of offices that have remote access to their systems. I'm sure the cost of key fobs is what has stalled this project.

DustinB3403

@Dashrender I would agree with management on this as well. If they aren't already paying for employees phones, it's much easier to manage a keyfob and access that way.

But it makes the employee have to keep track of 1 more item. But the headache of managing cell phones for as many people as you're describing seems to be way more painful.

scottalanmiller

@Dashrender said:

I have a scenario going on right now.

A local hospital is deploying 2FA to all offsite personal who access their systems. They offer two choices for 2FA

1. when you log in, your default phone number will be called, you press 1 to indicate that you did log in, and the system allows you in.
2. you are provided a key fob and type the number when prompted.

Option 1 assumes that there is a direct phone number to you - be that a DID to a phone in your office, or a cell phone.

Management in my office denied this option because they are of the opinion that personal phones can't be demanded to be used for work without paying the employee for phone use (even though it amounts to $5 or less per month, employees would undoubtly try to get something ridiculous like 50% of the phone bill paid for - so management just said no)

This unexpected refusal by my office to use phones as 2FA means the hospital has to purchase and support 80+ key fobs for my office alone. They have a near countless number of offices that have remote access to their systems. I'm sure the cost of key fobs is what has stalled this project.

Part of the issue here is that this is for non-employee access. We assume, to some degree, that employees have some amount of company provided equipment already. But non-employees, that's no longer a reasonable assumption.

Dashrender

@DustinB3403 said:

@Dashrender I would agree with management on this as well. If they aren't already paying for employees phones, it's much easier to manage a keyfob and access that way.

But it makes the employee have to keep track of 1 more item. But the headache of managing cell phones for as many people as you're describing seems to be way more painful.

Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.
those who don't have a cell phone, we'll provide a fob.

But even if we did go so far as to pay employees for cell phone use, we should just pay them a pure stipend of $5-10 a month. If someone wants to contest how much we are costing them.. I would encourage them to bring in their phone bill and we could sit down and figure the cost the employee was incurring because of these phone calls. Often it would be zero because the employees have huge number min plans and the added use of 20 or less mins a month wouldn't even be noticed... but even if you skip the flat rate large mins setup.. and simply say bill divided by mins (which is unfair to the employer because most of them have data and it wouldn't take data usage into account) and figured a per min value, I suppose it's possible, even likely that the above stated 20 mins would be more expensive than $10 a month... but all other caveats still apply and really don't make that a business tenable setup.

Dashrender

@scottalanmiller said:

Part of the issue here is that this is for non-employee access. We assume, to some degree, that employees have some amount of company provided equipment already. But non-employees, that's no longer a reasonable assumption.

From a hospital perspective, sure. But those staff do work somewhere, otherwise they wouldn't have access at all. And that other employer is providing some equipment, in this case the PCs.. not the phones or any phone stipend.

stacksofplates

@Dashrender said:

@DustinB3403 said:

@Dashrender I would agree with management on this as well. If they aren't already paying for employees phones, it's much easier to manage a keyfob and access that way.

But it makes the employee have to keep track of 1 more item. But the headache of managing cell phones for as many people as you're describing seems to be way more painful.

Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.
those who don't have a cell phone, we'll provide a fob.

But even if we did go so far as to pay employees for cell phone use, we should just pay them a pure stipend of $5-10 a month. If someone wants to contest how much we are costing them.. I would encourage them to bring in their phone bill and we could sit down and figure the cost the employee was incurring because of these phone calls. Often it would be zero because the employees have huge number min plans and the added use of 20 or less mins a month wouldn't even be noticed... but even if you skip the flat rate large mins setup.. and simply say bill divided by mins (which is unfair to the employer because most of them have data and it wouldn't take data usage into account) and figured a per min value, I suppose it's possible, even likely that the above stated 20 mins would be more expensive than $10 a month... but all other caveats still apply and really don't make that a business tenable setup.

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

scottalanmiller

@Dashrender said:

Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.

How far does that go? They have to provide a car, computer, etc.? It's a tough one, and it crosses legal lines if you have to protect data. For purely 2FA if the call is fully free, it's not bad. But do you really limit it to those times, and make sure you never interrupt them while sleeping, travelling, vacation, etc.? It introduces a lot of issues.

While I know that nearly everyone does it, I don't like it. Or as an option, never as a requirement.

scottalanmiller

@johnhooks said:

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."

You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

Dashrender

@scottalanmiller said:

@Dashrender said:

Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.

How far does that go? They have to provide a car, computer, etc.? It's a tough one, and it crosses legal lines if you have to protect data. For purely 2FA if the call is fully free, it's not bad. But do you really limit it to those times, and make sure you never interrupt them while sleeping, travelling, vacation, etc.? It introduces a lot of issues.

While I know that nearly everyone does it, I don't like it. Or as an option, never as a requirement.

I suppose I could easily be convinced to make it optional, but if you choose to use your own device, you're getting no money from me.

Can I ensure the phone won't be calling them while sleeping/travelling/vacation - yeah, assuming they aren't trying to log in during those times LOL. Yes it would be limited to 2FA only.

Currently the staff, on their own - just like at any business - are using their phones to talk to each other either voice or text all the time. In fact they use it when it's completely inappropriate at time - like texting patient information. Short of employment contract saying that we can monitor their self provided phones, we can't really stop it.

Dashrender

@scottalanmiller said:

@johnhooks said:

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."

You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

This is a hard one for me.. I see both sides of this fence. I'm not sure which way is right. I suppose a contract would be needed to clarify it.

stacksofplates

@scottalanmiller said:

@johnhooks said:

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."

You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

That's not comparable. These were homes who lost TV service for 30 minutes.

If you know you could lose $5 million in 5 minutes, you would have some kind of secondary system in place and not rely on a home cable service.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.

scottalanmiller

@johnhooks said:

That's not comparable. These were homes who lost TV service for 30 minutes.

If you know you could lose $5 million in 5 minutes, you would have some kind of secondary system in place and not rely on a home cable service.

It's very comparable. What if they pay for television specifically for the show that was on at that time and the rest of the month you just pay because it is the only way to get that one show.

How is it any different? If you pay for a service for a purpose and it does not fulfil the purpose, should you have to pay? That's up to the SLA, of course. But the question is, you buy X they provide Y. Someone on the outside can claim that Y is equal, better or good enough, but that's an emotional reaction to how they would use X, not how the purchaser intended it.

What if I get power that never goes off during the day but often goes out at night... when I need my CPAP to work. I'm paying the same power as people who are home during the day, but I need it at night. Would you say "well, but they need it during the day so you don't need it at night?"

Dashrender

@johnhooks said:

Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.

But to Scott's point, those 30 mins are much more important than say 30 mins during the middle of the night (or whenever the customer is sleeping/not using the system).

Assuming the average house hold has the TV on from 5 PM - 11 PM M-F and 9 AM - 11 PM Sat & Sun, the percentage of loss goes up by more than 50%.