Password Complexity, Good or bad?
-
@scottalanmiller said:
@JaredBusch said:
The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.
Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.
Absolutely. I know of several myself. But that is far from even a large minority of the SMB I am personally familiar with. I am quite comfortable with my statement above that Most SMB do not.
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.
Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.
Absolutely. I know of several myself. But that is far from even a large minority of the SMB I am personally familiar with. I am quite comfortable with my statement above that Most SMB do not.
I agree, most do not. But I think that those mostly overlap with those that aren't looking for 2FA, too.
-
I have a scenario going on right now.
A local hospital is deploying 2FA to all offsite personal who access their systems. They offer two choices for 2FA
- when you log in, your default phone number will be called, you press 1 to indicate that you did log in, and the system allows you in.
- you are provided a key fob and type the number when prompted.
Option 1 assumes that there is a direct phone number to you - be that a DID to a phone in your office, or a cell phone.
Management in my office denied this option because they are of the opinion that personal phones can't be demanded to be used for work without paying the employee for phone use (even though it amounts to $5 or less per month, employees would undoubtly try to get something ridiculous like 50% of the phone bill paid for - so management just said no)
This unexpected refusal by my office to use phones as 2FA means the hospital has to purchase and support 80+ key fobs for my office alone. They have a near countless number of offices that have remote access to their systems. I'm sure the cost of key fobs is what has stalled this project.
-
@Dashrender I would agree with management on this as well. If they aren't already paying for employees phones, it's much easier to manage a keyfob and access that way.
But it makes the employee have to keep track of 1 more item. But the headache of managing cell phones for as many people as you're describing seems to be way more painful.
-
@Dashrender said:
I have a scenario going on right now.
A local hospital is deploying 2FA to all offsite personal who access their systems. They offer two choices for 2FA
- when you log in, your default phone number will be called, you press 1 to indicate that you did log in, and the system allows you in.
- you are provided a key fob and type the number when prompted.
Option 1 assumes that there is a direct phone number to you - be that a DID to a phone in your office, or a cell phone.
Management in my office denied this option because they are of the opinion that personal phones can't be demanded to be used for work without paying the employee for phone use (even though it amounts to $5 or less per month, employees would undoubtly try to get something ridiculous like 50% of the phone bill paid for - so management just said no)
This unexpected refusal by my office to use phones as 2FA means the hospital has to purchase and support 80+ key fobs for my office alone. They have a near countless number of offices that have remote access to their systems. I'm sure the cost of key fobs is what has stalled this project.
Part of the issue here is that this is for non-employee access. We assume, to some degree, that employees have some amount of company provided equipment already. But non-employees, that's no longer a reasonable assumption.
-
@DustinB3403 said:
@Dashrender I would agree with management on this as well. If they aren't already paying for employees phones, it's much easier to manage a keyfob and access that way.
But it makes the employee have to keep track of 1 more item. But the headache of managing cell phones for as many people as you're describing seems to be way more painful.
Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.
those who don't have a cell phone, we'll provide a fob.But even if we did go so far as to pay employees for cell phone use, we should just pay them a pure stipend of $5-10 a month. If someone wants to contest how much we are costing them.. I would encourage them to bring in their phone bill and we could sit down and figure the cost the employee was incurring because of these phone calls. Often it would be zero because the employees have huge number min plans and the added use of 20 or less mins a month wouldn't even be noticed... but even if you skip the flat rate large mins setup.. and simply say bill divided by mins (which is unfair to the employer because most of them have data and it wouldn't take data usage into account) and figured a per min value, I suppose it's possible, even likely that the above stated 20 mins would be more expensive than $10 a month... but all other caveats still apply and really don't make that a business tenable setup.
-
@scottalanmiller said:
Part of the issue here is that this is for non-employee access. We assume, to some degree, that employees have some amount of company provided equipment already. But non-employees, that's no longer a reasonable assumption.
From a hospital perspective, sure. But those staff do work somewhere, otherwise they wouldn't have access at all. And that other employer is providing some equipment, in this case the PCs.. not the phones or any phone stipend.
-
@Dashrender said:
@DustinB3403 said:
@Dashrender I would agree with management on this as well. If they aren't already paying for employees phones, it's much easier to manage a keyfob and access that way.
But it makes the employee have to keep track of 1 more item. But the headache of managing cell phones for as many people as you're describing seems to be way more painful.
Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.
those who don't have a cell phone, we'll provide a fob.But even if we did go so far as to pay employees for cell phone use, we should just pay them a pure stipend of $5-10 a month. If someone wants to contest how much we are costing them.. I would encourage them to bring in their phone bill and we could sit down and figure the cost the employee was incurring because of these phone calls. Often it would be zero because the employees have huge number min plans and the added use of 20 or less mins a month wouldn't even be noticed... but even if you skip the flat rate large mins setup.. and simply say bill divided by mins (which is unfair to the employer because most of them have data and it wouldn't take data usage into account) and figured a per min value, I suppose it's possible, even likely that the above stated 20 mins would be more expensive than $10 a month... but all other caveats still apply and really don't make that a business tenable setup.
Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).
-
@Dashrender said:
Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.
How far does that go? They have to provide a car, computer, etc.? It's a tough one, and it crosses legal lines if you have to protect data. For purely 2FA if the call is fully free, it's not bad. But do you really limit it to those times, and make sure you never interrupt them while sleeping, travelling, vacation, etc.? It introduces a lot of issues.
While I know that nearly everyone does it, I don't like it. Or as an option, never as a requirement.
-
@johnhooks said:
Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).
That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."
You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.
If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?
-
@scottalanmiller said:
@Dashrender said:
Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.
How far does that go? They have to provide a car, computer, etc.? It's a tough one, and it crosses legal lines if you have to protect data. For purely 2FA if the call is fully free, it's not bad. But do you really limit it to those times, and make sure you never interrupt them while sleeping, travelling, vacation, etc.? It introduces a lot of issues.
While I know that nearly everyone does it, I don't like it. Or as an option, never as a requirement.
I suppose I could easily be convinced to make it optional, but if you choose to use your own device, you're getting no money from me.
Can I ensure the phone won't be calling them while sleeping/travelling/vacation - yeah, assuming they aren't trying to log in during those times LOL. Yes it would be limited to 2FA only.
Currently the staff, on their own - just like at any business - are using their phones to talk to each other either voice or text all the time. In fact they use it when it's completely inappropriate at time - like texting patient information. Short of employment contract saying that we can monitor their self provided phones, we can't really stop it.
-
@scottalanmiller said:
@johnhooks said:
Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).
That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."
You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.
If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?
This is a hard one for me.. I see both sides of this fence. I'm not sure which way is right. I suppose a contract would be needed to clarify it.
-
@scottalanmiller said:
@johnhooks said:
Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).
That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."
You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.
If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?
That's not comparable. These were homes who lost TV service for 30 minutes.
If you know you could lose $5 million in 5 minutes, you would have some kind of secondary system in place and not rely on a home cable service.
If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?
Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.
-
@johnhooks said:
That's not comparable. These were homes who lost TV service for 30 minutes.
If you know you could lose $5 million in 5 minutes, you would have some kind of secondary system in place and not rely on a home cable service.
It's very comparable. What if they pay for television specifically for the show that was on at that time and the rest of the month you just pay because it is the only way to get that one show.
How is it any different? If you pay for a service for a purpose and it does not fulfil the purpose, should you have to pay? That's up to the SLA, of course. But the question is, you buy X they provide Y. Someone on the outside can claim that Y is equal, better or good enough, but that's an emotional reaction to how they would use X, not how the purchaser intended it.
What if I get power that never goes off during the day but often goes out at night... when I need my CPAP to work. I'm paying the same power as people who are home during the day, but I need it at night. Would you say "well, but they need it during the day so you don't need it at night?"
-
@johnhooks said:
Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.
But to Scott's point, those 30 mins are much more important than say 30 mins during the middle of the night (or whenever the customer is sleeping/not using the system).
Assuming the average house hold has the TV on from 5 PM - 11 PM M-F and 9 AM - 11 PM Sat & Sun, the percentage of loss goes up by more than 50%.
-
@johnhooks said:
Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.
The percentage simply doesn't matter. That's a red herring, mostly. Yes, "most" of the service was delivered. But was the part that they paid for delivered? What if you only watch 30 minutes of television a month? Did they lose .001% or 100%?
-
@scottalanmiller said:
@johnhooks said:
Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.
The percentage simply doesn't matter. That's a red herring, mostly. Yes, "most" of the service was delivered. But was the part that they paid for delivered? What if you only watch 30 minutes of television a month? Did they lose .001% or 100%?
Their perception was 100% loss, but the service was still only a .001% loss. They are paying for the service as a whole, not the amount of time they will use it.
-
@Dashrender said:
Assuming the average house hold has the TV on from 5 PM - 11 PM M-F and 9 AM - 11 PM Sat & Sun, the percentage of loss goes up by more than 50%.
Right, and to the "average" user, it is a trivial outage. But to someone, it is a significant one.
What about those of us who paid for Netflix and wanted to do special Christmas movie viewing on Christmas Eve two years ago and the service went out for the day. Sure, one day outage, but it was a special day where people were scheduling things around the service availability. I'm not saying that Netflix should refund the month or that people should be mad.. I'm just saying that the percentage of time that you are down does not equate to the percentage of service value that is lost.
Think about a pace maker that keeps you alive 99% of the time. Is it worth 99% the price of a better one?
-
@johnhooks said:
Their perception was 100% loss, but the service was still only a .001% loss. They are paying for the service as a whole, not the amount of time they will use it.
That's your perception, but you cannot know what they were buying it for. The percentage of downtime does not tell us anything about the percentage of service lost.
What if you paid for backups and they only lost one file out of thousands. What if it was your database file? You'd say "well, I should only get a few cents back because only one file was lost"?
-
Another example... you pay for television and it turns out that it only works during business hours or the middle of the night. 50% of the time. You can never use it during the morning or evening hours. So anytime you are not at work, it is off.
Did you get 50% of the service? Or did you get zero? Because you were only buying it for the times that you could use it.