On Tuesday 04 July 2006 08:45, Joachim Schipper wrote:
> On Mon, Jul 03, 2006 at 09:22:59PM -0700, Jeff Simmons wrote:
> > Well, just to play the devil's advocate here ...
> >
> > One of the main functions of any password hygiene program 'should' be to
> > prevent users from changing 'mypassword1' to 'mypassword2' and then
> > 'mypassword3', etc.  (Yes, we can force complex passwords, but the idea
> > is the same.)
> >
> > It's fairly simple to compare 'newpassword' to 'existingpassword' and
> > prevent this sort of behavior (I THINK that's what the -s option to
> > passwdqc is for, but the man page is kind of ambiguous and I haven't had
> > time to dive into the source yet - pam_passwdqc does it) but then the
> > user can just do 'mypassword1', 'mydogsname1', 'mypassword2',
> > 'mydogsname2', etc. and totally invalidate your carefully designed
> > security policy.
> >
> > And hashes aren't gonna help.
> >
> > Don't get me wrong, I'm not knocking the idea completely. My assignment
> > here is that I've been told that in order to get my client certified I
> > have to avoid reuse of a password over a cycle of 4 90 day forced
> > changes. My JOB is to assure that doing this doesn't open my client up to
> > a whole new string of vulnerabilities. Mr. Rock, meet Mr. Hard Place.
> >
> > "In conclusion the main thing we did wrong ... was to worry about
> > criminals being clever;  we should rather have worried about our
> > customers ... being stupid."          Ross Anderson, "Security
> > Engineering"
>
> This suggests a rather fascist, and thus very effective approach: deny
> the users the right to create their own passwords, but institute some
> scheme that produces strong, but hopefully memorizable passwords.
[snip]

Oh Gods.  If you do that with normal people, they will put those
passwords on PostIts and leave them in "safe" places like monitors.

MOST people have real real REAL problems remembering all but some
very few passwords.  People hate passwords, and even in "secure"
institutions (like military environs) they circumvent them.  Forcing a
password on people results in a secure password, but in insecure
storage methods.

We computer folks are weird in that we remember many of them.

--STeve Andre'
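The two checks Jeff Simmons describes above, worked out as an added Python example (this is not code from the thread, from passwdqc or from pam_passwdqc): a similarity test against the current password, which is available in plaintext only at the moment the user changes it, and an exact-reuse test against a salted-hash history of the last four passwords. The similarity threshold, the PBKDF2 round count and the helper names are assumptions. Running the alternating sequence from the thread through it shows the gap he points out: 'mypassword3' after 'mydogsname2' passes both checks, because the hashed history cannot see the pattern.

```python
"""Password-change policy checks from the thread (added example, not passwdqc code).

Two independent checks run when a user changes a password:
  1. similarity against the CURRENT password, which is only available in
     plaintext at change time (catches mypassword1 -> mypassword2);
  2. exact-reuse against the last HISTORY_DEPTH passwords, stored only as
     salted PBKDF2 hashes (the "no reuse over a cycle of 4 changes" rule).
"""
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher

HISTORY_DEPTH = 4            # "cycle of 4 90 day forced changes" from the thread
SIMILARITY_THRESHOLD = 0.8   # assumed cutoff; tune for your user population
PBKDF2_ROUNDS = 100_000      # assumed work factor


def hash_password(password, salt=None):
    """Return (salt, digest) suitable for storing in the password history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_hash(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def core(password):
    """Drop case and non-letters so 'MyPassword1' and 'mypassword2' both become 'mypassword'."""
    return re.sub(r"[^a-z]", "", password.lower())


def too_similar(new, current):
    """True if `new` is a trivial mutation of the plaintext `current` password."""
    if core(new) and core(new) == core(current):
        return True
    return SequenceMatcher(None, new.lower(), current.lower()).ratio() >= SIMILARITY_THRESHOLD


def reused(new, history):
    """True if `new` exactly matches any hashed entry in `history` ([(salt, digest), ...])."""
    return any(matches_hash(new, salt, digest) for salt, digest in history)


def check_change(current, new, history):
    """Return (accepted, reason) for a proposed change from `current` to `new`."""
    if too_similar(new, current):
        return False, "too similar to the current password"
    if reused(new, history):
        return False, "reused within the last %d passwords" % HISTORY_DEPTH
    return True, "ok"


def record_change(new, history):
    """Append the hash of the newly set password, keeping only the newest HISTORY_DEPTH."""
    history.append(hash_password(new))
    del history[:-HISTORY_DEPTH]
    return history


def demo():
    """Walk the alternating sequence from the thread through the policy."""
    history = []
    current = "mypassword1"
    record_change(current, history)
    for proposed in ["mypassword2", "mydogsname1", "mypassword2",
                     "mydogsname2", "mypassword1", "mypassword3"]:
        accepted, reason = check_change(current, proposed, history)
        print("%-12s -> %-12s %s (%s)" % (current, proposed,
                                          "ACCEPT" if accepted else "REJECT", reason))
        if accepted:
            record_change(proposed, history)
            current = proposed


if __name__ == "__main__":
    demo()
```

Note that the similarity check only ever sees the one password the user has just typed to authenticate; once a password is rotated into the hashed history it can be tested for exact reuse but not for closeness, which is why alternating two bases with a changing digit slips through.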
