Re: Funny - any comments?

From: Chris Knapp (dont_at_spam.me)
Date: 12/13/03

    Date: Fri, 12 Dec 2003 15:29:21 -0800
    
    

    Sounds like the boss is forcing him to maintain a list of passwords. My old
    computer illiterate boss used to ask for this too. . . (Not that he could
    even figure out how to login as someone other than himself. . .) I'm not
    bitter. ;-)

    "Martin Schmid" <martinschmid@sbcglobal.net.nospam> wrote in message
    news:uMG3IzOwDHA.1196@TK2MSFTNGP12.phx.gbl...
    > I just received this message from my IS staff person--- note that this was
    > just a few minutes after receiving the new 'Password Policy' below. Any
    > comments are welcome!
    >
    > --
    > Thanks,
    > Martin Schmid, EIT, CCSA, MCDBA, MCSE
    >
    > -----
    >
    > Message received about 11:45am today
    >
    > The easiest way to change your password is by hitting CTRL-ALT-DEL at the
    > same time and press the change password button.
    >
    >
    >
    > However, everyone in XYZ-2 office will have to let me know (over the phone
    > only) what their new password is, otherwise they will not be able to access
    > their e-mail from the XYZ mail server. So, I will be calling the XYZ-2
    > office this afternoon and will talk to everyone, and will change their
    > passwords here as well.
    >
    >
    > ----
    > Policy received about 11:30 am today.
    >
    > Password Policy
    >
    > Overview
    >
    > Passwords are an important aspect of computer security. They are the front
    > line of protection for user accounts. A poorly chosen password may result in
    > the compromise of XYZ's entire corporate network. As such, all XYZ employees
    > (including contractors and vendors with access to XYZ systems) are
    > responsible for taking the appropriate steps, as outlined below, to select
    > and secure their passwords.
    >
    >
    >
    > Policy
    >
    > The purpose of this policy is to establish a standard for creation of strong
    > passwords, the protection of those passwords, and the frequency of change.
    > This policy includes all personnel who have or are responsible for an
    > account (or any form of access that supports or requires a password) on any
    > system that resides at any XYZ facility, has access to the XYZ network, or
    > stores any non-public XYZ information.
    >
    >
    >
    > General
    >
    > · All user-level passwords must be changed every four months (you
    > will be prompted each time your password has expired).
    >
    > · Passwords must not be inserted into email messages or other forms
    > of electronic communication.
    >
    > · All user-level and system-level passwords must conform to the
    > guidelines described below.
    >
    >
    >
    > Guidelines
    >
    > General Password Construction Guidelines
    >
    > Passwords are used for various purposes at XYZ. Some of the more common uses
    > include: network/PC login, Wind2, and voicemail.
    >
    >
    >
    > Poor, weak passwords have the following characteristics:
    >
    > · The password contains less than six characters
    >
    > · The password is a word found in the dictionary (English or
    > foreign)
    >
    > · The password is a common usage word such as:
    >
    > o Names of family, pets, friends, co-workers, fantasy characters,
    > etc.
    >
    > o Computer terms and names, commands, sites, companies, hardware,
    > software.
    >
    > o The words "XYZ", "Dallas", "LosAngeles", "password" or any
    > derivation.
    >
    > o Birthdays and other personal information such as addresses and
    > phone numbers.
    >
    > o UserID (i.e. if the login ID is "Jonathan" the password should not
    > be "Jonathan")
    >
    > o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
    >
    > o Any of the above spelled backwards.
    >
    > o Any of the above preceded or followed by a digit (e.g., password1,
    > 1password)
    >
    >
    >
    > Strong passwords have the following characteristics:
    >
    > · Contain both upper and lower case characters (e.g., a-z, A-Z)
    >
    > · Have digits and punctuation characters as well as letters (e.g.,
    > 0-9, !@#$%^&*()_+|~-=\'{}[]:";`<>?,./ )
    >
    > · Are at least eight alphanumeric characters long
    >
    > · Is not a word in any language, slang, dialect, jargon, etc
    >
    > · Are not based on personal information, names of family, etc.
    >
    > · Passwords should never be written down or stored on-line. Try to
    > create passwords that can be easily remembered. One way to do this is create
    > a password based on a song title, affirmation, or other phrase. For example,
    > the phrase might be: "This May Be One Way to Remember" and the password
    > could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. Also you can use
    > special characters or numbers to replace letters in a word, for example the
    > word is "computer" and the password could be: "C0mp*t3r" or "c*mp@ter".
    >
    > NOTE: Do not use any of the above examples as passwords!
    >
    >
    >
    > Password Protection Standards
    >
    > Do not use the same password for XYZ accounts as for other non-XYZ access
    > (e.g. personal ISP or at home internet accounts, benefits, personal (yahoo
    > or hotmail) e-mail accounts, etc.).
    >
    >
    >
    > Do not share XYZ passwords with anyone, including administrative assistants
    > or secretaries. All passwords are to be treated as sensitive, confidential
    > XYZ information.
    >
    > · Don't reveal a password in an email message
    >
    > · Don't talk about a password in front of others
    >
    > · Don't hint at the format of a password (e.g., "my favorite song
    > title")
    >
    > · Don't reveal a password on questionnaires
    >
    > · Don't share a password with family members
    >
    >
    >
    > If someone demands a password, refer them to this document or have them call
    > the IS department.
    >
    >
    >
    > Never use the "Remember My Password" feature of applications (e.g., Eudora,
    > IM, Yahoo, etc.). This is very un-secure as it saves the password to your
    > computer (or sometimes on the internet!)
    >
    >
    >
    > Again, do not write passwords down and store them anywhere in your office.
    > Do not store passwords in a file on ANY computer systems (including Palm
    > Pilots or similar devices) without encryption.
    >
    >
    >
    > Change passwords at least once every four months.
    >
    >
    >
    > If an account or password is suspected to have been compromised, report the
    > incident to the IS department, and change all passwords.
    >
    >
    >
    > Password cracking or guessing may be performed on a periodic or random basis
    > by the IS department. If a password is guessed or cracked during one of these
    > scans, the user will be required to change it.
    >
    >
    >
    >

