On 2012-01-03 8:37 PM, David Ford <da...@blue-labs.org> wrote:
> part of my point along that of brute force resistance, is that
> when security becomes onerous to the typical user such as requiring
> non-repeat passwords of "10 characters including punctuation and mixed
> case", even stalwart policy followers start tending toward avoiding it.
Our policy is that we also don't force password changes unless/until
there is a reason (an account is hacked/abused).
I've been managing this mail system for 11+ years now, and this has
*never* happened (knock wood). I'm not saying we're immune, or it can
never happen, I'm simply saying it has never happened, so our policy is
working as far as I'm concerned.
> if anyone has a stressful job, spends a lot of time working, missing
> sleep, is thereby prone to memory lapse, it's almost a sure guarantee
> they *will* write it down/store it somewhere -- usually not in a
> password safe.
Again - there is no *need* for them to write it down. Once their
workstation/home computer/phone is set up, it remembers the password for
them.
> or, they'll export their saved passwords to make a backup plain text
> copy, and leave it on their Desktop folder but coyly named and
> prefixed with a few random emails to grandma, so mr. sysadmin doesn't
> notice it.
And if I don't notice it, no one else will either, most likely.
There is *no* perfect way, but ours works and has been working for 11+
years.
> on a tangent, you should worry about active brute force attacks.
> fail2ban and iptables heuristics become meaningless when the brute
> forcing is done by botnets which is more and more common than
> single-host attacks these days. one IP per attempt in a 10-20 minute
> window will probably never trigger any of these methods.
Nor will it ever be successful in brute forcing a strong password
either, because a botnet has to try the same user+different passwords,
and is easy to monitor for an excessive number of failures (of the same
user login attempts) and notify the sysadmin (me) well in advance of
the hack attempt being successful.
--
Best regards,
Charles
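As an added illustration of the point Charles makes above (this is example code, not something from the thread or from any of the tools named in it), the following counts authentication failures per account rather than per source IP. It runs over a few constructed, Dovecot-style log lines; the exact line format is an assumption, and the thresholds are arbitrary.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed format, loosely modelled on Dovecot's
# "auth failed" messages). Five failures against one account, each from a
# different source address, plus one unrelated failure for another user.
SAMPLE_LOG = """\
imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.5
imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.6
imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.7
imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.8
imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=192.0.2.9
imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.5
"""

LINE_RE = re.compile(r"auth failed.*user=<(?P<user>[^>]*)>, rip=(?P<ip>[\d.]+)")


def parse_failures(text):
    """Yield (user, source_ip) for every auth-failure line in the text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def per_ip_alerts(text, threshold=3):
    """fail2ban-style view: source IPs that reached the failure threshold.

    A botnet spreading attempts across many addresses stays below this.
    """
    counts = Counter(ip for _, ip in parse_failures(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def per_user_alerts(text, threshold=3):
    """Per-account view: users at or above the threshold, regardless of source.

    Returns {user: (failure_count, distinct_source_ips)} so the alert also
    shows how widely the attempts were distributed.
    """
    failures = Counter()
    sources = defaultdict(set)
    for user, ip in parse_failures(text):
        failures[user] += 1
        sources[user].add(ip)
    return {u: (n, len(sources[u])) for u, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("per-IP alerts:  ", per_ip_alerts(SAMPLE_LOG))    # {} - nothing fires
    print("per-user alerts:", per_user_alerts(SAMPLE_LOG))  # {'alice': (5, 5)}
```

In a real deployment the same per-account count would be kept over a sliding time window and fed to whatever notifies the admin; the point here is only that the per-user view fires where the per-IP view stays silent.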