An Andy Rooney Moment
Why is it that I need to create a not-less-than-twelve-character username, consisting of at least one capital letter, at least one lowercase letter, at least one punctuation symbol, and at least one number, and then create a unique password of not less than twelve characters, also consisting of at least one capital letter, at least one lowercase letter, at least one punctuation symbol, and at least one number, and go through a 258-bit double-encryption process to get my water bill from the County of Los Angeles online?
(Bonus comparison: the County sends my property tax bills in envelopes so thin that anyone can read the assessed value of my house right through them.)
Burt,
Are you a victim customer of LADWP as well, or do you reside outside of the City of Los Angeles? I’ve never attempted to access any sort of information from the County on my water/sewer, only through the LADWP site. And their security is nowhere near as robust. So much for consistency.
With all the increasing (and accelerating) focus on information security it’s become almost a competition to see which I.T. dept can come up with the most over-the-top policies to which you must conform. And once you learn to conform they tighten the policies once again. “Oh, that 12 character complex password that you must change every 30 days you must now change every 7 days. You cannot reuse old passwords, nor any derivative of them, nor any essence of your name in your new password. And whatever you do, don’t write it down.”
Now show me anyone’s home computer monitor that doesn’t have at least a half-dozen yellow stickies with passwords scrawled on them. Now that’s secure.
Disclosure: I work in I.T.
I’m in the ass end of Los Angeles County, aka the Antelope Valley. My water service is provided by the County of Los Angeles; to my knowledge, LADWP services only the City of Los Angeles and a few small areas immediately adjacent to it. Although the Los Angeles Aqueduct runs not far from my house, not a drop of that water comes to my taps; LADWP guards that water and its rights to it as jealously now as it did back in the days of Bill Mulholland.
Correct, LADWP is only for city residents. Again, it’s just curious, the differences in such things as I.T. security policy between the city and county. Perhaps the county policy is imposed by the state, possibly by the CA Dept. of Water Resources? And yes, water will soon become more precious than that black icky stuff they still pull out of the ground. Chinatown III, coming soon.
The city’s I.T. advancement is fairly inconsistent and antiquated to be sure. I’m in the middle of a land use dispute with the tenants of the abutting property who have been running a commercial 20-ton diesel truck storage and maintenance facility on residential zoned land for 7 years, much to the neighborhood’s dismay. I contacted the city council to try and get at least some information on what permits or variances they may have which would allow such activity, but was told that since the Use Permit (LA-speak for zoning variance) was issued before the mid-90’s none of it is available online. I would have to go downtown and implore someone to dig through paper records locked away in some archive. I could see if I was asking for something from the 1960’s but 15 years? And do they still stamp official documents with hot wax and an impression from the King’s signet ring?
I still remember fondly a title dispute in which one party contended that his chain of title was traceable back to the King of Spain. Which is how I wound up looking at a microfiched copy of a Royal land grant from the 1780’s which did, indeed, have a dark blotch on it where the wax seal was on the original, although I was more taken with El Rey‘s florid signature. I don’t know if the original still exists.
Thank you, Burt. That truly made my day.
In fairness, especially for something like that, writing the password on a sticky note probably isn’t costing them much security.
If they have physical access to your house, finding your water bill is likely not a huge challenge.
Of course. I was being a bit snarky.
Though I remember in my cube dweller days seeing many such instances, back when monitors were CRT’s. The other easiest way to try and guess someone’s password was to just peek into their cube/office and look at pictures of family or pets, or other personal items that would suggest hobbies or interests. Chances are great that every password they created while sitting in that chair was derived from something nearby they glanced at while trying to come up with it.
As always, xkcd nailed it.
And Feynman was doing the same thing 70 years ago, but with safes vice computers.
I don’t have passwords taped to my screen. I believe the last bit of a fairly long password I had once was
“My name is Andy!” (song lyric, natch–but I hadn’t used the whole thing verbatim)
I have a couple of insecure passwords. I use them on anything I don’t care if people break.
I have a couple of passwords (they change over time) which I consider good. They’re memorable.
http://teecraze.com/going-to-a-cheesier-place-t-shirt/
I prefer passphrases, myself.
Before we got the absolutely insane password requirements we now have for our lab, I enjoyed changing people’s passwords (at their request to have their password reset, of course) to such things as “DannyDonnyJordanJonathanJoe” and “GeneSimmonsIsMyDad”.
Those are passwords that will not be brute forced, you see.
But the “two of these, two of those, two of the other” tend to result in keyboard patterns that are easily brute forced and easily shoulder-surfed.
It’s insane.
Didn’t xkcd do a comic about this exact problem?
They did indeed.
I believe there was an xkcd about that, how contemporary password practices are making passwords that are hard for humans to remember and easy for computers to guess.
And people are going to be lazy, anyway. P@ssw0rd. Mixed case, has a number and a non-alphanumeric character. OK, it’s not 12 characters. Fine. P@ssw0rdP@ssw0rd. There. I’m sure I’m secure now.
But it seems the easiest way to prevent brute force attacks is adding a time delay or account lock out to repeated attempts. I know some services that lock out after 5 attempts, but I doubt you even have to be that aggressive. If you don’t remember your password after 20 tries, you’re never going to, but 20 is not nearly enough attempts for anything that could be called “brute force”. And if you don’t implement something like this, well, computers, and thus brute force attacks, are only going to get faster.
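The throttle the comment above describes, written out as an added example (this is not code from the post or from any commenter): a per-account gate that doubles the required wait after each failed attempt and locks the account for a while after a fixed number of failures, placed in front of a salted PBKDF2 password check. The 5-failure threshold is the one the comment mentions; the 15-minute lockout, the doubling delay, the function and class names, and the constructed sample account are assumptions.

```python
"""Added example (not from the post or thread): login throttling with
per-failure delay and temporary lockout, in front of a PBKDF2 check."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success/lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    next_allowed: float = 0.0  # earliest time another attempt is accepted


class LoginThrottle:
    """Tracks failures per account. `clock` is injectable so the behaviour
    can be exercised deterministically without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 base_delay=1.0, clock=time.time):
        self.max_failures = max_failures      # assumption: 5, as in the comment
        self.lockout_seconds = lockout_seconds  # assumption: 15 minutes
        self.base_delay = base_delay
        self.clock = clock
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def check(self, user):
        """Gate an attempt before any password work is done."""
        st = self._state(user)
        now = self.clock()
        if st.locked_until > now:
            return "locked"
        if st.next_allowed > now:
            return "too_fast"
        return "ok"

    def record_failure(self, user):
        st = self._state(user)
        now = self.clock()
        st.failures += 1
        if st.failures >= self.max_failures:
            # Lock the account and restart the count once the lock expires.
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            st.next_allowed = 0.0
            return
        # Required wait after the 1st, 2nd, 3rd ... failure: 1 s, 2 s, 4 s ...
        st.next_allowed = now + self.base_delay * (2 ** (st.failures - 1))

    def record_success(self, user):
        self.accounts.pop(user, None)


def hash_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; returns the record to store for the user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def login(throttle, users, user, password):
    """Returns 'ok', 'bad_password', 'too_fast' or 'locked'. The throttle is
    consulted first, so a locked account rejects even the correct password."""
    gate = throttle.check(user)
    if gate != "ok":
        return gate
    record = users.get(user)
    if record is not None and verify_password(password, record):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "bad_password"


class FakeClock:
    """Deterministic clock for the demonstration below."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """A client that retries as soon as the throttle permits: five wrong
    guesses cost 15 s of waiting and then a 15-minute lockout."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, lockout_seconds=900, clock=clock)
    # Constructed sample account; the low iteration count only keeps this fast.
    users = {"burt": hash_password("correct horse battery staple", iterations=1000)}
    results = []
    for wait, guess in [(0, "P@ssw0rd"), (0, "P@ssw0rdP@ssw0rd"), (1, "popcorn"),
                        (2, "popcorn1"), (4, "Popcorn!"), (8, "popcorn2"),
                        (0, "correct horse battery staple")]:
        clock.advance(wait)
        results.append(login(throttle, users, "burt", guess))
    clock.advance(900)  # lockout expires; the real password works again
    results.append(login(throttle, users, "burt", "correct horse battery staple"))
    return results
```

Calling `demo()` returns `['bad_password', 'too_fast', 'bad_password', 'bad_password', 'bad_password', 'bad_password', 'locked', 'ok']`. Two design points worth noting: the gate runs before the hash so that throttled attempts cost the server nothing, and the lockout applies to the correct password too, which is what makes it a lockout rather than a delay.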
Hmm, that was supposed to be a 0 in the password, rather than an ‘o’. But you get my point.
Oh, I see, the posts are just in a font that makes zero look like ‘o’.
Who the hell brute forces anything? It’s just easier to grab the vet records, and go from there.
(Plus… who the hell uses popcorn as a password?!? Popcorn.)
I know nothing about this topic, but since Kimmi says no one brute forces anything, I’m sure it happens a lot.
One could, if you’d rather, infer that it’s a lot easier to brute force the vet’s security rather than IBM’s. Also, veterinarian. The correct wording might be “what security?”
Your housing assessments aren’t posted online?
Hell, in my county, they post (publicly) if you haven’t paid your tax bill yet.
Yeah, sorry to say, Burt, but the cat’s probably out of the bag on the house assessment.
I use that tool all the time. But the point is, don’t you think a reasonable person would be more sensitive about how much their house was worth than the amount of their water bill?
They’re preparing you for the coming crisis by teaching you now that your water bill is something you should be very secretive about. Then when they start rationing your household to 1.7 liters per day, they can use the threat of publicizing your use to your neighbors. It’s all part of the plan, man.
I never really pay any attention to the tags and categories listed at the bottom when I get the posts from the league in my email. This one caught my eye; musings and rants.
I have nothing of significant value to add with this comment, I just thought the categories were cute.
I have an account with an investment firm who, when you lose/forget your password, will be happy to send you a temporary password you can use to reset your account password. It will come by US Mail, and it will be there in 14 business days (not up to 14 business days, but at 14 business days).
Grrrr!
You complain, but do you really want control over your life’s savings made available to anyone who manages to get into your email account?
The land was always there; the water had to be arduously stolen.
What gets me is this:
We have a baby. We run low on cash so I put the Tax bill in the “don’t pay tonight” pile and forget it’s there.
I file our income taxes and think “hey…. why isn’t my bank account showing a second payment for taxes?” And find said bill.
I find out, okay, since I’m late they’re going to charge me a fee. I call and find out the fee. I send them a check.
I get another bill stating “thank you for the check, but between your call and the check arriving we added another $X to your bill so you still owe us $X. Kkthnxbi!”
Seriously?
All bureaucratic policies, whether of the state or the large corporation, are motivated mainly by a desire to have an official policy on paper so their ass is covered. The typical policy works against its stated purpose in all sorts of unanticipated ways, that could only be avoided through active consumer and production worker feedback in the formulation stage. But what’s their response if you try to give such feedback, and point out the irrational and counterproductive nature of their policies? You’re fired!
You need a digit and a punctuation symbol in your user name? I’ve never heard of anything like that before.