Password Complexity, Good or bad?

Dashrender

@scottalanmiller said:

Part of the issue here is that this is for non-employee access. We assume, to some degree, that employees have some amount of company provided equipment already. But non-employees, that's no longer a reasonable assumption.

From a hospital perspective, sure. But those staff do work somewhere, otherwise they wouldn't have access at all. And that other employer is providing some equipment, in this case the PCs.. not the phones or any phone stipend.

stacksofplates

@Dashrender said:

@DustinB3403 said:

@Dashrender I would agree with management on this as well. If they aren't already paying for employees phones, it's much easier to manage a keyfob and access that way.

But it makes the employee have to keep track of 1 more item. But the headache of managing cell phones for as many people as you're describing seems to be way more painful.

Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.
those who don't have a cell phone, we'll provide a fob.

But even if we did go so far as to pay employees for cell phone use, we should just pay them a pure stipend of $5-10 a month. If someone wants to contest how much we are costing them.. I would encourage them to bring in their phone bill and we could sit down and figure the cost the employee was incurring because of these phone calls. Often it would be zero because the employees have huge number min plans and the added use of 20 or less mins a month wouldn't even be noticed... but even if you skip the flat rate large mins setup.. and simply say bill divided by mins (which is unfair to the employer because most of them have data and it wouldn't take data usage into account) and figured a per min value, I suppose it's possible, even likely that the above stated 20 mins would be more expensive than $10 a month... but all other caveats still apply and really don't make that a business tenable setup.

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

scottalanmiller

@Dashrender said:

Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.

How far does that go? They have to provide a car, computer, etc.? It's a tough one, and it crosses legal lines if you have to protect data. For purely 2FA if the call is fully free, it's not bad. But do you really limit it to those times, and make sure you never interrupt them while sleeping, travelling, vacation, etc.? It introduces a lot of issues.

While I know that nearly everyone does it, I don't like it. Or as an option, never as a requirement.

scottalanmiller

@johnhooks said:

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."

You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

Dashrender

@scottalanmiller said:

@Dashrender said:

Managing cell phones? LOL - I'm of the opinion... guess what folks, you're job has changed - if you already have a cell phone, you will be required to use it for work - to take a call for 2FA. Period. but that's just me - the a$$hole.

How far does that go? They have to provide a car, computer, etc.? It's a tough one, and it crosses legal lines if you have to protect data. For purely 2FA if the call is fully free, it's not bad. But do you really limit it to those times, and make sure you never interrupt them while sleeping, travelling, vacation, etc.? It introduces a lot of issues.

While I know that nearly everyone does it, I don't like it. Or as an option, never as a requirement.

I suppose I could easily be convinced to make it optional, but if you choose to use your own device, you're getting no money from me.

Can I ensure the phone won't be calling them while sleeping/travelling/vacation - yeah, assuming they aren't trying to log in during those times LOL. Yes it would be limited to 2FA only.

Currently the staff, on their own - just like at any business - are using their phones to talk to each other either voice or text all the time. In fact they use it when it's completely inappropriate at time - like texting patient information. Short of employment contract saying that we can monitor their self provided phones, we can't really stop it.

Dashrender

@scottalanmiller said:

@johnhooks said:

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."

You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

This is a hard one for me.. I see both sides of this fence. I'm not sure which way is right. I suppose a contract would be needed to clarify it.

stacksofplates

@scottalanmiller said:

@johnhooks said:

Ha this reminds me of the weirdos in FL that if their service went down for 30 minutes they would want a full month's refund. When in reality it cost them about $0.07 (if they had a$100 a month bill).

That's not how it works, though. They didn't pay for "all but 30 minutes". What if it was during that 30 minutes that they needed to use the phone? One person's "that doesn't affect them" could be "that was down for the whole month for me."

You can't assume that the service has equal value for the whole month. What if you had a financial trading system and it was down for five minutes. You say... what, five minutes out of a month, that's nothing. They say... but we lost five million in traders (more than the service fee) and thousands of customers.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

That's not comparable. These were homes who lost TV service for 30 minutes.

If you know you could lose $5 million in 5 minutes, you would have some kind of secondary system in place and not rely on a home cable service.

If you are paying for something to be there and it isn't, you didn't get what you paid for. What if you bought a Big Mac and they "only" left out the burger (actually, that's how I get it.) Would you be okay paying 75% because only one little ingredient was missing?

Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.

scottalanmiller

@johnhooks said:

That's not comparable. These were homes who lost TV service for 30 minutes.

If you know you could lose $5 million in 5 minutes, you would have some kind of secondary system in place and not rely on a home cable service.

It's very comparable. What if they pay for television specifically for the show that was on at that time and the rest of the month you just pay because it is the only way to get that one show.

How is it any different? If you pay for a service for a purpose and it does not fulfil the purpose, should you have to pay? That's up to the SLA, of course. But the question is, you buy X they provide Y. Someone on the outside can claim that Y is equal, better or good enough, but that's an emotional reaction to how they would use X, not how the purchaser intended it.

What if I get power that never goes off during the day but often goes out at night... when I need my CPAP to work. I'm paying the same power as people who are home during the day, but I need it at night. Would you say "well, but they need it during the day so you don't need it at night?"

Dashrender

@johnhooks said:

Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.

But to Scott's point, those 30 mins are much more important than say 30 mins during the middle of the night (or whenever the customer is sleeping/not using the system).

Assuming the average house hold has the TV on from 5 PM - 11 PM M-F and 9 AM - 11 PM Sat & Sun, the percentage of loss goes up by more than 50%.

scottalanmiller

@johnhooks said:

Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.

The percentage simply doesn't matter. That's a red herring, mostly. Yes, "most" of the service was delivered. But was the part that they paid for delivered? What if you only watch 30 minutes of television a month? Did they lose .001% or 100%?

stacksofplates

@scottalanmiller said:

@johnhooks said:

Also not the same. If they lost 25% of the service they paid for then that's understandable. That's the equivalent of 7.5 days. We are talking about .001% of their service. That's like saying you want the whole Big Mac free because they only gave you 3.5 pickles instead of 4.

The percentage simply doesn't matter. That's a red herring, mostly. Yes, "most" of the service was delivered. But was the part that they paid for delivered? What if you only watch 30 minutes of television a month? Did they lose .001% or 100%?

Their perception was 100% loss, but the service was still only a .001% loss. They are paying for the service as a whole, not the amount of time they will use it.

scottalanmiller

@Dashrender said:

Assuming the average house hold has the TV on from 5 PM - 11 PM M-F and 9 AM - 11 PM Sat & Sun, the percentage of loss goes up by more than 50%.

Right, and to the "average" user, it is a trivial outage. But to someone, it is a significant one.

What about those of us who paid for Netflix and wanted to do special Christmas movie viewing on Christmas Eve two years ago and the service went out for the day. Sure, one day outage, but it was a special day where people were scheduling things around the service availability. I'm not saying that Netflix should refund the month or that people should be mad.. I'm just saying that the percentage of time that you are down does not equate to the percentage of service value that is lost.

Think about a pace maker that keeps you alive 99% of the time. Is it worth 99% the price of a better one?

scottalanmiller

@johnhooks said:

Their perception was 100% loss, but the service was still only a .001% loss. They are paying for the service as a whole, not the amount of time they will use it.

That's your perception, but you cannot know what they were buying it for. The percentage of downtime does not tell us anything about the percentage of service lost.

What if you paid for backups and they only lost one file out of thousands. What if it was your database file? You'd say "well, I should only get a few cents back because only one file was lost"?

scottalanmiller

Another example... you pay for television and it turns out that it only works during business hours or the middle of the night. 50% of the time. You can never use it during the morning or evening hours. So anytime you are not at work, it is off.

Did you get 50% of the service? Or did you get zero? Because you were only buying it for the times that you could use it.

Dashrender

Of course - non of this matters. The SLA of the service should dictate what the vendor has to provide during service outages.

If the vendor says, sorry sir.. you get nothing because our SLA says you get nothing for an outage less than 24 hours... the vendor simply hopes that the customer won't leave them.

scottalanmiller

Or how about a service bundle...

You pay X for television and Internet together. You only need Internet, it is all that you care about, but the television was bundled in for free so you got that as well, it was free (or really cheap.) Now that you are locked in and paying... turns out, no Internet available in your area. But there IS television. Now they give you a 50% discount since the Internet is not available. You are getting 50% of what you paid for in one way but 0% of what you actually were paying for.

When things come together (bundles, time, etc.) you cannot make statements about what portions are the free portions and which parts are the ones being paid for, because it is one thing and that one thing was not delivered, something else was. If that something else was good enough, is up to no one but the consumer. No one else has the capability of knowing.

scottalanmiller

@Dashrender said:

Of course - non of this matters. The SLA of the service should dictate what the vendor has to provide during service outages.

If the vendor says, sorry sir.. you get nothing because our SLA says you get nothing for an outage less than 24 hours... the vendor simply hopes that the customer won't leave them.

Unless there is a monopoly in which case an SLA should be illegal.

scottalanmiller

The problem with an SLA is that it is non-optional in these cases. The SLA doesn't change what was paid for or what was delivered or what is ethically owed to whom... it's purely a means of proactively hurting the consumer via the law, the law being the enemy of the citizenry in this case. There isn't an option for an SLA around what the consumer was buying the service for, the SLA is part of the service and so legally is an SLA but ideologically is not, it's just what there is. The consumer has no option but to agree to it in order to hope to get the service that they want.

Dashrender

@scottalanmiller said:

@Dashrender said:

Of course - non of this matters. The SLA of the service should dictate what the vendor has to provide during service outages.

If the vendor says, sorry sir.. you get nothing because our SLA says you get nothing for an outage less than 24 hours... the vendor simply hopes that the customer won't leave them.

Unless there is a monopoly in which case an SLA should be illegal.

What does that gain you? The ability to sue? In a consumer case like this, you'll have a hard time showing losses for more than the mins that John's talking about.

scottalanmiller

@Dashrender said:

What does that gain you? The ability to sue? In a consumer case like this, you'll have a hard time showing losses for more than the mins that John's talking about.

Losses are pretty easy to show... it's the amount paid. If you pay $100 and don't get to watch the television that you paid for, it is the amount of the service that is in dispute.