Security at Work

At school today, one of my classes took a trip down the hall to a computer lab. Upon logging in, I was faced with a prompt, telling me that my password had expired and that I needed to change it. “Cool,” I thought to myself, “our computer administrator actually cares about security on our school’s systems.” Clicking the “OK” button (which was my only option), I proceeded to the Change Password prompt. And it was here that I realized how dumb our school administrator had been in implementing this required password change.

At the prompt, I quickly realized that I could not use any decent passwords. Trying to use any combination of numbers, letters, and symbols (e.g., *) failed. A message telling me that my new password was invalid was the only feedback I got. Furthermore, I couldn’t log into the machine until I had successfully changed my password. Cutting the symbols out of the password, I continued to try. Again, I was greeted with failure. Were letters the only valid characters? No dice there either. I sat back, unable to change my password and unable to log in. Then it struck me. “I’ve probably got to use my phone number, don’t I?” My school has typically used phone numbers as default passwords in the past, so it seemed a likely solution. Bingo! My password change was successful, and I was finally able to log in.

Of course, using your phone number for a password isn’t exactly a great solution. Obviously, anybody that knows your phone number can log into your account and access all of your files (ignoring the fact that you’d be stupid to store any really sensitive information on a school computer, anyways), but worst of all, they are you as far as the administration is concerned. So, for example, if a friend who knows my phone number logged in as me and looked at some pr0n while using my account, there would be more than a little bit of trouble coming my way. Furthermore, I’d have no way of being able to prove my innocence.

With an understanding of the flaws of using my phone number as my password, I went back to try to change my password to something a little bit more secure. I tried a random string of numbers. “Invalid password change,” the screen informed me. Even passwords made of strings of ten numbers, the same number of digits that are in phone numbers, resulted in failed attempts to change my password. The only password that I could use for my school account was my own phone number.

Don’t get me wrong here, I’m all for security. Strong passwords are essential for keeping your information and identity safe from potential theft. Changing your password every so often is a great idea, as it will do nothing but make it harder to hack into your account. However, implementing a required password change and then only allowing users to change their password to a certain thing is retarded. It completely defeats the purpose of not only expiring passwords, but security in general. Even a password of abc123 would be more secure than using your phone number. Mind you, I’m not sure what else I was expecting. Our computer administrator has blocked all common webmail sites, right clicking, and even all image searches on the school computers. When we had a permissions problem one class (a file our teacher had saved on my school’s shared network server had no read privileges for students), he managed to spend a full 45 minutes trying to convert the Word document into different formats instead of just changing the permissions on the file, and never managed to solve the problem. I haven’t used a Windows machine outside of my school’s locked down systems for two years, and I’m pretty sure I could do a better job of being administrator than our IT guy.

The next time I logged in, a dialogue popped up, informing me that my current password will expire in 30 days.


Sorry, it’s not the end of the decade

Yes, the new year has begun, but it’s not the new decade yet. Sorry, but we still have another year to go before this decade is over. So all of those “Best of the Decade” lists, such as Indigo’s Best [Books] of the Decade, Rolling Stone’s 100 Best Albums of the Decade, and Destructoid’s The Top 50 Videogames of the Decade (#10-1) are a year early, and therefore moot. And no, this decade is not actually ending with a blue moon. All of these lists and “end of the decade” events are meaningless, since they stem from an exceedingly common misconception.

First of all, a decade can refer to any set of ten years, but its main usage is to refer to specific sets of ten years. The common misconception is that a decade spans from years ‘-0 to ‘-9. This stems from referring to sets of years, such as the 1980s, as the “’80s decade”. If a person is talking about the ’80s, they’re talking about the years spanning from 1980 to 1989, inclusively. However, a decade in this sense actually should span from 1981 to 1990.

This is because there was no “0 AD”. The calendar starts at 1 AD. Therefore, the very first decade spanned from years 1-10, the second decade from years 11-20, and so on. If you refer to a decade as a set of ten years spanning from, say, 1970 to 1979, this leaves the problem of the very first decade spanning from years 1 to 9. This is only 9 years, and therefore, not a decade. Whoops, that doesn’t work. The years 2000 to 2009 aren’t actually a decade in the sense that everybody seems to think they are.

So no, the decade isn’t over, and today isn’t the first day of the new decade. This New Year’s wasn’t really any more special than any other. And all of those “Best of the Decade” lists are pointless, since the decade isn’t over. But that’s not exactly news, since those lists are basically pointless anyways. 😛