At 10:17 2017-05-05, Ken Dibble <[email protected]> wrote:
What I've been saying for years ....

From the O'Reilly Security Newsletter:

https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/

1. Forcing people to frequently change passwords is not helpful. It just makes it more likely that they will stick the password on a Post-IT on their monitors because they can't remember it.

It does help some. If someone has your password but has not changed it, because it would alert you, and you change your password, he no longer has access. (Yes, he could possibly break in again.) If security is upped on the system he has access to and he has your password, the security improvement does not help you at all.

2. Imposed password complexity does not help either (As I keep telling people, the only way that a user can make his/her password harder to "guess" in the modern age is to make it longer. It is just as easy for a brute-force botnet application to "guess" "#51aQ4@5)?" as it is to guess "YourMomma!")

What about a dictionary attack? dictionary.com has both "your" and "momma", but it does not have "#51aQ4@5)?".

Maybe I should start my own security newsletter....

Sincerely,

Gene Wirchenko


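The two claims above (length beats complexity against brute force; a word-based password falls to a dictionary attack) can be put side by side with a small guess-space calculator. This is an added example, not code from the thread; the wordlist size, case-variant count and suffix model are constructed assumptions, and a real cracker's ruleset would differ.

```python
import math
import string

# Constructed model parameters (assumptions, not figures from the thread):
DICTIONARY_SIZE = 100_000   # words in an attacker's wordlist
CASE_VARIANTS = 4           # lower, Capitalised, UPPER, mixed per word
SYMBOLS = len(string.punctuation)  # 32 printable ASCII punctuation chars


def brute_force_guesses(password: str) -> float:
    """Guess space when the attacker knows only the length and which
    character classes appear (the 'botnet brute force' model)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(cls) for cls in classes
                   if any(ch in cls for ch in password))
    return float(alphabet) ** len(password)


def dictionary_guesses(words: int, trailing_symbols: int = 1) -> int:
    """Guess space under a dictionary-combination model: `words` wordlist
    entries concatenated with case variants, then 0..`trailing_symbols`
    punctuation characters appended ("YourMomma!" is words=2)."""
    per_word = DICTIONARY_SIZE * CASE_VARIANTS
    suffixes = sum(SYMBOLS ** k for k in range(trailing_symbols + 1))
    return per_word ** words * suffixes


def bits(guesses: float) -> float:
    """Express a guess space as bits of entropy."""
    return math.log2(guesses)


def compare() -> dict:
    """Strength of the thread's two examples under each attacker model,
    plus longer word-based passphrases to show where length wins."""
    return {
        "#51aQ4@5)? brute-force": bits(brute_force_guesses("#51aQ4@5)?")),
        "YourMomma! brute-force": bits(brute_force_guesses("YourMomma!")),
        "YourMomma! dictionary": bits(dictionary_guesses(2)),
        "3-word passphrase dictionary": bits(dictionary_guesses(3)),
        "4-word passphrase dictionary": bits(dictionary_guesses(4)),
    }


if __name__ == "__main__":
    for label, b in compare().items():
        print(f"{label:32s} ~{b:5.1f} bits")
```

Under the brute-force model the two ten-character passwords are within two bits of each other, while the dictionary model cuts "YourMomma!" to roughly 42 bits; only adding more words pushes the phrase past the random string.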
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/800fe50c812a9c1b77fac7a2b14403b3@mtlp000085