On 07/22/2011 09:29 AM, Mark McCullough wrote:
On 2011 Jul 22, at 14:01, Tracy Reed wrote:
On Fri, Jul 22, 2011 at 11:25:15AM -0400, Gregory Boyce spake thusly:
If a password is compromised in a non-obvious way, it provides a limit on how
long it could be used.
Generally the account only needs to be compromised once and then the horse
is out of the barn. Information stolen, backdoors planted, etc. The
password is typically unneeded by the attacker after the first use. This
is why I've never been a big fan of periodic password changes. Choosing
strong passwords is much more important. And it seems we cannot have
both strong passwords and frequent password changes or users revolt or
find a way to undermine the system.
I'm of the firm opinion that passwords themselves are the problem. We forbid
any user account having a password on a Unix system, and are working to even
implement such on Windows systems. Instead, some form of strong authentication
is utilized. This actually helped reduce our support costs, and simplifies
many things by not having to worry about password complexity requirements
anymore.
The only password I accept is the password of last resort -- root.
SSH keys can be stolen (trojan infected workstation, someone leaves
their laptop unlocked at Starbucks, or their desktop unlocked on their
desk) and biometric auth systems can be fooled. I'm rather curious, how
are you securing authentication?
I'm more inclined to look to 2-factor or other multiple stage
authentication. No matter what policies you set or however much
training you provide, people will not stick to good security practices
even in the military. Convenience always trumps security, even though
it shouldn't. Of course the best security is making sure people don't
have access to anything, deny by default, permit grudgingly :)
Paul
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
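A concrete check behind the practice Mark describes above (no user account on a Unix box carries a password, root kept as the password of last resort, authentication done some other way), written as an added example for this thread and not code posted by anyone in it: a small Python audit that flags shadow entries with a usable password hash and reports the setting sshd will actually enforce for password authentication. The shadow lines and the sshd_config excerpt are constructed samples; the function names and the `allowed=("root",)` exception are my assumptions, taken from Mark's remark rather than from anything else the thread specifies.

```python
"""Audit helper (added example): confirm that local accounts carry no usable
password hash and that sshd refuses password authentication.  Everything is
parsed from strings so it runs offline; the shadow lines and sshd_config
excerpt below are constructed samples, not real data."""
import re

# Constructed /etc/shadow sample: root keeps a hash (the one allowed
# password), daemon and svc-backup are locked, alice was never given a
# password ('!!'), bob has a real hash (the policy violation), and carol has
# an empty field (passwordless login if PAM permits it).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhash:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
svc-backup:!:18900:0:99999:7:::
alice:!!:18900:0:99999:7:::
bob:$6$othersalt$anotherhashvalue:18900:0:99999:7:::
carol::18900:0:99999:7:::
"""

# Constructed sshd_config excerpt.  The commented-out 'no' is a classic
# mistake: the live line underneath still enables password logins.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""


def password_accounts(shadow_text, allowed=("root",)):
    """Return (usable, empty): usernames whose second shadow field is a
    usable hash, and usernames whose field is empty.  Locked entries
    ('!', '!!', '*', or a hash prefixed with '!') are neither."""
    usable, empty = [], []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if user in allowed:
            continue  # the agreed password of last resort
        if pw == "":
            empty.append(user)
        elif pw.startswith(("!", "*")):
            continue  # locked or disabled
        else:
            usable.append(user)
    return usable, empty


def effective_sshd_option(config_text, key):
    """sshd uses the first non-comment occurrence of a keyword and ignores
    later ones; keywords are case-insensitive.  Return that value in lower
    case, or None when the keyword is absent (i.e. the compiled-in default
    applies)."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s+(\S+)", re.IGNORECASE)
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            return m.group(1).lower()
    return None


def audit(shadow_text, config_text):
    """Collect human-readable findings; an empty list means the host matches
    the no-passwords policy as far as these two files can show."""
    usable, empty = password_accounts(shadow_text)
    findings = [f"account {u} has a usable password hash" for u in usable]
    findings += [f"account {u} has an empty password field" for u in empty]
    for key in ("PasswordAuthentication", "ChallengeResponseAuthentication"):
        val = effective_sshd_option(config_text, key)
        if val != "no":
            findings.append(f"sshd {key} is {val!r}, expected 'no'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

On a real host you would feed it the contents of /etc/shadow (root only) and the output of `sshd -T` rather than the raw config file, since `sshd -T` already resolves Match blocks and defaults; the first-occurrence-wins rule implemented here is what makes the commented-out line in the sample irrelevant and the live `yes` the setting that counts.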