office check-in
Before the pandemic, I went to the office every day, as one does. Our office manager did what he could to make it an ok environment, but it has the usual pathologies. Pandemic-induced working from home has been good for me in oh so many ways. I'm fortunate to be at a point in my career where I am quite comfortable telling my employer "I really do insist". (There's some pressure, mild so far.) I'll go to the office if there's a specific reason to, like the group outing we had a few months ago, but most of the people I work with aren't local, so going to the office is social, not productive.
On the day of that outing, I learned -- via a coworker finding out the hard way -- that corporate security disables badges that haven't been used in 90 days. That makes sense, though doing it silently isn't so great. Fortunately for me, I last changed my domain password around the time of that outing, so the "time to change your password" reminder serves double duty.
A few days ago I changed my password, and today I went to the office to wave a badge at a sensor. While I was there I cleared out the last of my personal belongings; demonstrably, I no longer need to keep an umbrella or a spare USB charging cable in my desk drawer there.
no subject
open the time capsule clean out my cubicle. Haven't been there in nearly three years, and I shudder to think what's there that didn't get done back then.
no subject
The start of the lockdown was sudden for a lot of people. I'm told that a security person in our main office had been asked to also water plants until their owners were allowed to come collect them. Other people in my local office are probably happy that I had the foresight to purge the fridge on my way out on that last day in March 2020 -- nobody would have been happy about that milk more than a year and a half later. I doubt your cubicle has anything that challenging. :-)
no subject
Yeah, really. My parents live on Sanibel Island, and had to flee ahead of Hurricane Ian.
When my brother got to the house a month later, to start inventorying the disaster of the lower floor and demolishing the walls (they live on a high point, but still got five feet of water), he found that the upper floor (the main living space) was in great shape. Except for the fridge, which was basically a hazardous waste zone to the point where it simply had to be dragged out and thrown away.
no subject
Recently, when they officially lifted the block on remote workers coming on site regularly (as opposed to for business-critical purposes), there were a lot of reminders that you could check in with security by email in advance to be reactivated. I imagine this reduced the traffic jam at the main gate!
no subject
Two weeks? Wow, so a long vacation, or parental leave, or doing a couple back-to-back conferences or sales trips or something could be enough. It's good that you can get it fixed on-site. We're one of many offices owned and administered by a large parent company, so we have a badge reader that's controlled by people many states away (or maybe not even in this country; don't actually know) and you have to send email and wait for them to respond if you get locked out. For my coworker that response came the next day; fortunately someone else could let him in. I don't know if that response time is typical or if they were just swamped at the time.
no subject
In May or June I had a routine talk with my manager, and he brought up RTO "in case anybody asks me", to which I replied "We have a bunch of vacation travel coming up this summer, and would really rather it not get cancelled by catching COVID," which he thought was a good answer. Since the summer vacation season, I've been going to the office one or two days a week, until I caught COVID a week before Thanksgiving, and then
no subject
Our office also reopened about a year ago and, for a time, there was an effort for all of us (here in Pittsburgh) to be in the office on the same day, because when there are only a dozen of you to begin with, and half of those are firmly staying home for risk-reduction reasons, "everybody pick a day or two" doesn't necessarily mean seeing people. So, for a while, I went in every Tuesday, seeing 2-4 other people, but the environments are different so I always had to spend time fussing with the network, resizing windows (different monitor sizes at home and the office), and so on. While it was nice to see those people (I like my coworkers), it didn't really help with anything. Eventually I stopped going. A handful of people still go in occasionally (mix varies). Fortunately, our local management isn't pressuring us. Time will tell whether pressure from higher up will trickle down to us.
"Would rather not lose planned vacations because we caught COVID" sounds like an excellent reason to avoid the office. I'm glad your manager agreed. I'm sorry to hear that shalmestere's management isn't as flexible.
no subject
(Anonymous) 2022-12-05 01:04 pm (UTC)
Forced password changes every 90 days? Ugh. Maybe you can point them at NIST SP 800-63B; I believe NIST was the source of the original "change passwords regularly" recommendation back in what, the 1970s? NIST refers to passwords as "memorized secrets", so section 5.1.1 is the one that applies here. Since a few years ago, per it, passwords should be >= 8 characters (with exceptions that probably don't apply in your situation), systems should allow passwords of at least 64 characters, not impose any other complexity criteria, and NOT require "arbitrary" (specifically exemplified with "periodically") password changes. As a mitigation against long-lived passwords, they instead recommend failure rate limiting, which most systems already do; it's why it takes a few seconds to get back an "incorrect username or password" even though when you type it correctly the system lets you straight in. They also suggest ways to mitigate password reuse.
https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
A long, high-entropy password or passphrase that is actually committed to memory is much better from a security point of view than one that has to be changed often and therefore likely won't be as complex simply because people are generally reluctant to have to commit new passwords to memory regularly.
As an example, a six- or seven-word Diceware passphrase provides 77-90 bits' worth of security (12.9 bits per word), which is plenty enough for just about any situation, is often eminently memorable, and takes only a few seconds to type once you have memorized it if you're a decent typist. Suppose someone knows that your password is a seven word Diceware passphrase generated using a particular word list; if they can try a billion possibilities per second (which is a pretty decent rate for an offline attack by a moderately powerful adversary, and completely unreasonably fast for an online attack), it will take the attacker upwards of 40 billion years to go through all possibilities; on average, they'll hit the right one in half that time. 2^90 (possibilities) / 10^9 (attempts per second) / (365*24*60*60) (seconds in a year) ~ 3.9 * 10^10 (years to completion). A highly motivated, powerful adversary might be able to raise that a few orders of magnitude, bringing the average time to completion down to, say, a few million years. No one is going to do that; they are going to try to get in through some other means where the complexity of the password doesn't matter.
/The Internet Dog
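The policy described in the comment above (length as the only rule, no expiry, failed guesses throttled), sketched as an added example that is not part of the original comment or any real system's code. The class and function names, the PBKDF2 parameters and the backoff values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MIN_LEN = 8        # minimum length cited in the comment
MAX_LEN = 64       # a system should accept at least this many characters
BASE_DELAY = 1.0   # assumed: seconds of lockout after the first failure
MAX_DELAY = 900.0  # assumed: cap on the doubling lockout


def acceptable(password: str) -> bool:
    """Length is the only rule: no character classes, no expiry date."""
    return MIN_LEN <= len(password) <= MAX_LEN


class Verifier:
    """Stores salted hashes and throttles failed guesses per account."""

    def __init__(self, clock):
        self.clock = clock   # injected so the delay logic can be tested
        self.accounts = {}   # user -> (salt, derived key)
        self.failures = {}   # user -> (consecutive failures, locked-until)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str) -> None:
        if not acceptable(password):
            raise ValueError("password must be 8 to 64 characters")
        salt = os.urandom(16)
        self.accounts[user] = (salt, self._derive(password, salt))

    def login(self, user: str, password: str) -> str:
        count, locked_until = self.failures.get(user, (0, 0.0))
        if self.clock() < locked_until:
            return "throttled"   # the guess is not evaluated at all
        salt, stored = self.accounts.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(stored, self._derive(password, salt)):
            self.failures.pop(user, None)
            return "ok"
        # Each consecutive failure doubles the wait, up to MAX_DELAY.
        count += 1
        delay = min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)
        self.failures[user] = (count, self.clock() + delay)
        return "denied"
```

Once the doubling delay reaches its cap, an online guesser gets at most one attempt per `MAX_DELAY` seconds per account, which is why the password itself does not need to rotate.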
no subject
And what are the odds that the systems the passwords protect would even still be there in a mere few million years? I agree; their policy discourages strong passwords. For other internal systems (without a rotation policy) I've been using the same strong password for years, which I can remember and type easily, for better security.
no subject
(My office wants me back every day; I've been going in 3-4 days in practice; fewer if I have a good reason. I wear the best masks I can, all the time... and eat lunch outside.)
no subject
Ding ding ding ding ding. That's what most of us do. It's a stupid policy. (A variant I've heard is to append, e.g. 22q4. I asked this person how a year/quarter suffix meshes with a 90-day policy, and he said that q5 is short.)