Password Security Trivia



DiscoStew
10th September 2008, 11:28 AM
I went to a seminar a couple of weeks ago on Identity Management and one of the speakers from a US University runs a group whose sole purpose it is to compromise their own University's IT security, to find holes and then have them fixed.

So one day they decided to try something a little low tech. They sent out some students with chocolates and stuffed toys to select students and staff members at random to see if they could entice out of them their username and passwords.

Results:
Stuffed toys worked better than chocolates
Females garnered more details than males
Females had a 100% success rate with males

I am not sure exactly what they were wearing but that is scary.

VladTepes
10th September 2008, 12:08 PM
An exercise was conducted along these lines by an IT firm some time back. It was all done with pens.

The firm dressed up in their corporate shirts and went around to people saying "We are checking the password security of the system, to make sure people are constructing their passwords properly." Oh, and here's a pen to thank you for your help.

HEAPS of people just TOLD THEM THEIR PASSWORDS OUTRIGHT!

Too bloody trusting.

An after-hours survey also revealed that many people had their passwords written under their keyboards!

Just proves that technology is rarely the problem. People are the problem.

CowsGoMoo
10th September 2008, 12:10 PM
Scary.

I can recommend a book called "The Art of Deception" by Kevin Mitnick. He was on the FBI's most wanted list for a while for a long list of "hacking" exploits.

In his book he lists various ways of gaining access to other people's systems. Most of them are very low tech and exploit social engineering. In most cases people are the weak link.

VladTepes
10th September 2008, 12:14 PM
Kevin Mitnick - that's the guy I was trying to think of. The bloke is a genius.

(Evil genius perhaps, but genius nonetheless)

Tombie
10th September 2008, 12:49 PM
Kevin Mitnick - that's the guy I was trying to think of. The bloke is a genius.

(Evil genius perhaps, but genius nonetheless)

Did he get to them by their number plates??? :angel:

Basil135
10th September 2008, 01:46 PM
Did he get to them by their number plates??? :angel:

There is one in every crowd...:wasntme:

VladTepes
10th September 2008, 01:54 PM
No, he probably researched it meticulously for hours on online forums.

DiscoStew
10th September 2008, 02:25 PM
Did he get to them by their number plates??? :angel:

Funny you should say that, because I remembered this story after replying to the number plate thread. :) People sometimes worry too much about the unlikely and miss the easy vulnerability.

martinozcmax
11th September 2008, 10:42 AM
I have worked in IT for nearly 30 years and what really gives me the irrits is idiots forcing me to change my password every 90 days. St George bank does it for business accounts. I have tried explaining to the numbskulls in the tech dept that it is actually less secure as eventually you end up writing it down to help you remember it.

Had the same user name and password with the NAB ever since they started internet banking.

I have one password for anything not money related which is simple and I couldn't care if it gets compromised and one more complex for secure sites except St Bloody George. :mad: :mad:

DiscoStew
11th September 2008, 01:14 PM
I have worked in IT for nearly 30 years and what really gives me the irrits is idiots forcing me to change my password every 90 days. St George bank does it for business accounts. I have tried explaining to the numbskulls in the tech dept that it is actually less secure as eventually you end up writing it down to help you remember it.

Had the same user name and password with the NAB ever since they started internet banking.

I have one password for anything not money related which is simple and I couldn't care if it gets compromised and one more complex for secure sites except St Bloody George. :mad: :mad:

Security mechanisms can be broken given enough time so there are clever people out there who work out the average time it would take for a password being guessed by a password generator etc. Then we set the password change frequency to be less than that. We have a 60 day cycle here at the uni.

jik22
11th September 2008, 10:19 PM
I have worked in IT for nearly 30 years and what really gives me the irrits is idiots forcing me to change my password every 90 days. St George bank does it for business accounts. I have tried explaining to the numbskulls in the tech dept that it is actually less secure as eventually you end up writing it down to help you remember it.


Yep, had that argument many times. Learnt it a long time ago when first in IT - make the password requirements too complex or change them too often, and people write them down on the desk, keyboard, post-it note or God knows where else. A bit of user education and sensible policy goes a long way to helping overall security.

Like you, I have a very complex password for banking and the like, which is written down nowhere and has nothing to do with me whatsoever so can't be guessed, easily brute forced or dictionary attacked. Have a simple one for other things where complexity is pointless as half the crap systems store the things in plaintext anyway.

VladTepes
12th September 2008, 10:29 PM
Here's how I was taught to construct a password...

(No there are no bonus points for spotting the "really need to get laid" IT types who came up with this one....).

Pick something that is personal to you i.e. that you'll remember (yes, I know, mistake #1)

Say for example you have a pet turtle named "Agamemnon" (why the f*** would you?)

Instead of using plain characters, use abbreviations and 'special characters' and numbers in such a way that the password is really hard to crack... like this:

M1trTL$NmI$ag@Mn0n (My turtle's name is Agamemnon)

Fantastic idea and really easy to remember now, isn't it ! :rolleyes:
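As an added example (not code from any poster in this thread), here is a small Python script that puts numbers on two things said above: DiscoStew's rule of setting the change cycle below the expected guessing time, and VladTepes's mnemonic password. The guess rate of 10^9 per second and the pure exhaustive-search model are assumptions; a guesser who knows the mnemonic pattern faces a much smaller space than this model credits.

```python
import math
import string

# Crude search-space model: the alphabet is the union of the character
# classes present in the password.  It assumes a pure exhaustive search and
# so overstates the strength of mnemonic or dictionary-derived passwords.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,   # 32 printable ASCII symbols
}

def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search would have to cover."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace, the usual way of stating the same number."""
    return math.log2(keyspace(password))

def expected_crack_days(password: str, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is tried."""
    return keyspace(password) / 2 / guesses_per_second / 86400

def rotation_beats_search(password: str, rotation_days: float,
                          guesses_per_second: float) -> bool:
    """The thread's rule: change the password before the expected crack time."""
    return rotation_days < expected_crack_days(password, guesses_per_second)

if __name__ == "__main__":
    RATE = 1e9     # assumed offline guess rate, guesses per second (constructed)
    CYCLE = 60     # the 60-day change cycle mentioned in the thread
    samples = {
        "pet's name as typed": "agamemnon",
        "mnemonic from the thread": "M1trTL$NmI$ag@Mn0n",
    }
    for label, pw in samples.items():
        print(f"{label:26} {entropy_bits(pw):6.1f} bits, "
              f"{expected_crack_days(pw, RATE):.3g} days to crack, "
              f"{CYCLE}-day cycle helps: {rotation_beats_search(pw, CYCLE, RATE)}")
```

On this model the plainly typed pet name falls within minutes regardless of a 60-day cycle, while the mnemonic outlasts any rotation period, so the cycle only matters for passwords already within reach of a search.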