[personal profile] cellio

Before the pandemic, I went to the office every day, as one does. Our office manager did what he could to make it an ok environment, but it has the usual pathologies. Pandemic-induced working from home has been good for me in oh so many ways. I'm fortunate to be at a point in my career where I am quite comfortable telling my employer "I really do insist". (There's some pressure, mild so far.) I'll go to the office if there's a specific reason to, like the group outing we had a few months ago, but most of the people I work with aren't local, so going to the office is social, not productive.

On the day of that outing, I learned -- via a coworker finding out the hard way -- that corporate security disables badges that haven't been used in 90 days. That makes sense, though doing it silently isn't so great. Fortunately for me, I last changed my domain password around the time of that outing, so the "time to change your password" reminder serves double duty.

A few days ago I changed my password, and today I went to the office to wave a badge at a sensor. While I was there I cleared out the last of my personal belongings; demonstrably, I no longer need to keep an umbrella or a spare USB charging cable in my desk drawer there.

(no subject)

Date: 2022-12-04 11:04 pm (UTC)
From: [personal profile] sine_nomine
At some point I likely have to return to NYC to open the time capsule and clean out my cubicle. Haven't been there in nearly three years, and I shudder to think what's there that didn't get done back then.

Edited (Apologies for multiple replies. Errors when posting.) Date: 2022-12-05 03:26 am (UTC)

(no subject)

Date: 2022-12-05 03:13 am (UTC)
From: [personal profile] hrj
My workplace suspends security access after 2 weeks of non-use. It took me a while to discover this since it was years before I was being allocated vacation time in sufficient quantities to be willing to blow two weeks in a single go. Fortunately this is apparent when trying to enter a security gate to the campus, and therefore one is generally still in one's vehicle, which makes it easy to go around to the main gate where the security office is to get it reactivated. (One time, my first day back at work after a long vacation I took the train+shuttle which drops me at the opposite end of the campus from main security. Annoying, but not tragic.)

Recently, when they officially lifted the block on remote workers coming on site regularly (as opposed to for business-critical purposes), there were a lot of reminders that you could check in with security by email in advance to be reactivated. I imagine this reduced the traffic jam at the main gate!

(no subject)

Date: 2022-12-05 12:56 pm (UTC)
From: [personal profile] hudebnik
My employer (G) started letting people back into the building a little over a year ago, and would like me to be in the office three days a week, but I was averaging less than one day a week, and finding that every time I came in, I spent a good fraction of the day getting my (workstation / password / security key / etc) to work after a long absence.

[personal profile] shalmestere's employer wants three days a week on-site, somewhat more emphatically, but she can get out of one with permission if there's an online conference or publishers' event (which she can watch just as well from our couch as from a cubicle at work, and without wearing earbuds; if she needs to talk, better at home than at the office).

In May or June I had a routine talk with my manager, and he brought up RTO "in case anybody asks me", to which I replied "We have a bunch of vacation travel coming up this summer, and would really rather it not get cancelled by catching COVID," which he thought was a good answer. Since the summer vacation season, I've been going to the office one or two days a week, until I caught COVID a week before Thanksgiving, and then [personal profile] shalmestere caught it. I wasn't hit hard, so I did WFH throughout. [personal profile] shalmestere was hit harder, and took full advantage of the five days' "excused time" (i.e. not coming out of her sick-leave balance) they offered. But now we're both negative, she's supposed to be working again, and she's supposed to be in the office three days this week.

(no subject)

Date: 2022-12-05 01:04 pm (UTC)
From: (Anonymous)

Forced password changes every 90 days? Ugh. Maybe you can point them at NIST SP 800-63B; I believe NIST was the source of the original "change passwords regularly" recommendation back in what, the 1970s? NIST refers to passwords as "memorized secrets", so section 5.1.1 is the one that applies here. Since a few years ago, per it, passwords should be >= 8 characters (with exceptions that probably don't apply in your situation), systems should allow passwords of at least 64 characters, not impose any other complexity criteria, and NOT require "arbitrary" (specifically exemplified with "periodically") password changes. As a mitigation against long-lived passwords, they instead recommend failure rate limiting, which most systems already do; it's why it takes a few seconds to get back an "incorrect username or password" even though when you type it correctly the system lets you straight in. They also suggest ways to mitigate password reuse.

https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

A long, high-entropy password or passphrase that is actually committed to memory is much better from a security point of view than one that has to be changed often and therefore likely won't be as complex simply because people are generally reluctant to have to commit new passwords to memory regularly.

As an example, a six- or seven-word Diceware passphrase provides 77-90 bits' worth of security (12.9 bits per word), which is plenty enough for just about any situation, is often eminently memorable, and takes only a few seconds to type once you have memorized it if you're a decent typist. Suppose someone knows that your password is a seven-word Diceware passphrase generated using a particular word list; if they can try a billion possibilities per second (which is a pretty decent rate for an offline attack by a moderately powerful adversary, and completely unreasonably fast for an online attack), it will take the attacker upwards of 40 billion years to go through all possibilities; on average, they'll hit the right one in half that time. 2^90 (possibilities) / 10^9 (attempts per second) / (365*24*60*60) (seconds in a year) ~ 3.9 * 10^10 (years to completion). A highly motivated, powerful adversary might be able to raise that a few orders of magnitude, bringing the average time to completion down to, say, a few million years. No one is going to do that; they are going to try to get in through some other means where the complexity of the password doesn't matter.

/The Internet Dog
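The entropy and brute-force arithmetic in the comment above, carried through as a small script. This is an added example, not code from the post or from any of the commenters; it assumes a standard five-dice Diceware list of 6^5 = 7776 words, and the tiny word list used for the demo run is constructed here and far too small for real use (the functions take the real list size as a parameter, so the same code generalizes to any list and any guess rate).

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# A standard Diceware list is indexed by five dice rolls: 6**5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5


def bits_per_word(list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of one word chosen uniformly from a list of list_size words.

    log2(7776) is about 12.92 bits, the "12.9 bits per word" figure.
    """
    return math.log2(list_size)


def passphrase_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly (with
    replacement) from the list. Six words gives ~77.5 bits, seven ~90.5 bits."""
    return word_count * bits_per_word(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try all 2**bits possibilities at the given rate.

    This is the worst case for the attacker; the expected time to land on
    the right passphrase is half of this.
    """
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Average time to find the passphrase: half the exhaustive search."""
    return years_to_exhaust(bits, guesses_per_second) / 2


def generate_passphrase(word_list, word_count: int = 7) -> str:
    """Pick word_count words using the CSPRNG-backed secrets module.

    Using random.choice here would be a real defect: the entropy figures
    above only hold if every word is chosen uniformly and unpredictably.
    """
    return " ".join(secrets.choice(word_list) for _ in range(word_count))


# Constructed demo list (hypothetical, 10 words). A real Diceware list has
# 7776 entries; with only 10 words each pick is worth log2(10) = 3.3 bits.
DEMO_WORDS = ["apple", "badge", "cable", "desk", "elbow",
              "fence", "gravel", "harbor", "igloo", "jacket"]


if __name__ == "__main__":
    for words in (6, 7):
        bits = passphrase_bits(words)
        print(f"{words}-word passphrase: {bits:.1f} bits")
        for rate in (1e9, 1e12):
            print(f"  at {rate:.0e} guesses/s: exhaustive {years_to_exhaust(bits, rate):.2e} years,"
                  f" expected {expected_years(bits, rate):.2e} years")
    # Demo only: the entropy of this passphrase is 7 * log2(10) ~ 23 bits.
    print("demo passphrase:", generate_passphrase(DEMO_WORDS))
    print(f"demo entropy: {passphrase_bits(7, len(DEMO_WORDS)):.1f} bits")
```

Running it reproduces the comment's numbers: seven words from a 7776-word list is about 90.5 bits, and at 10^9 guesses per second the exhaustive search takes roughly 3.9 x 10^10 years. Raising the guess rate by three orders of magnitude (the 10^12 row) only moves that to tens of millions of years, which is the point the comment makes about attackers going around the password rather than through it.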

(no subject)

Date: 2022-12-05 01:20 pm (UTC)
From: [personal profile] goljerp
I'm mostly here to comment on the 90 day password life. Do the powers that be *want* people to be writing their passwords on post-its, or having passwords like securePasswordn (where n is an integer)? Because that's what I'd guess that policy would do...

(My office wants me back every day; I've been going in 3-4 days in practice; fewer if I have a good reason. I wear the best masks I can, all the time... and eat lunch outside.)
