1. Forcing people to frequently change passwords is not helpful. It
just makes it more likely that they will stick the password on a
Post-it on their monitors because they can't remember it.
It does help some. If someone has your password but has not
changed it, because it would alert you, and you change your
password, he no longer has access. (Yes, he could possibly break
in again.) If security is upped on the system he has access to and
he has your password, the security improvement does not help you at all.
2. Imposed password complexity does not help either (As I keep
telling people, the only way that a user can make his/her password
harder to "guess" in the modern age is to make it longer. It is
just as easy for a brute-force botnet application to
"guess" "#51aQ4@5)?" as it is to guess "YourMomma!")
What about a dictionary attack? dictionary.com has both
"your" and "momma", but it does not have "#51aQ4@5)?".
Maybe I should start my own security newsletter...
Read the article. The data does not support the contention that these
are important enough vectors to justify the downside that these
recommendations have for users.
Anybody who's got a dictionary, by now, also has a brute-force
"guessing machine" and a botnet. Yup, they get through the dictionary
in a few seconds. Within only a few more minutes, the botnet loops
through every possible combination of characters in a 10-character
password, and then they move on to 11 characters. The only thing that
slows them down at all is a much longer password, and the only really
effective defense involves measures on the server side. There is very
little that a user can do to a password to make it significantly
safer in the modern age, and there is a huge amount of aggravation that
can be caused to users over passwords that, in the end, has very
little benefit.
This isn't just me, or just me and O'Reilly. Now it's me, O'Reilly,
and the NIST.
Of course, I know, I'm a low-status person. No matter how right I am,
or how often I am right, nobody listens to me until a high-status
person repeats what I said.
I am just enjoying the gratification of being proven right.
Ken
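The arithmetic behind the length-versus-complexity argument in the thread, as an added example that is not part of the original post or of the ProFox list: it computes the keyspace and entropy of uniformly random passwords over a few alphabet sizes, the entropy of a dictionary-word passphrase (which an attacker with a word list guesses word by word, not character by character), and how long exhausting each keyspace takes at an assumed guess rate. The guess rates, the 7776-word list size and the policy shapes are constructed assumptions; the rate is the quantity that server-side measures (slow password hashing, rate limiting) actually change.

```python
import math

# Alphabet sizes (assumed; the real charset is whatever the system accepts)
LOWERCASE = 26          # a-z
ALPHANUMERIC = 62       # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95    # space through '~'


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `charset_size`."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """A passphrase of dictionary words is attacked word by word, so its entropy is
    words * log2(wordlist size), however many characters it contains."""
    return words * math.log2(wordlist_size)


def length_needed(charset_size: int, target_bits: float) -> int:
    """Smallest length over `charset_size` that gives at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(charset_size))


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def policy_report(guesses_per_second: float) -> list:
    """Compare several (constructed) policy shapes at one assumed guess rate."""
    policies = [
        ("8 chars, printable ASCII, complexity rules", PRINTABLE_ASCII, 8),
        ("10 chars, printable ASCII, complexity rules", PRINTABLE_ASCII, 10),
        ("16 chars, lowercase only", LOWERCASE, 16),
        ("20 chars, alphanumeric", ALPHANUMERIC, 20),
    ]
    rows = []
    for name, charset_size, length in policies:
        rows.append({
            "policy": name,
            "bits": round(entropy_bits(charset_size, length), 1),
            "years_to_exhaust": seconds_to_exhaust(charset_size, length, guesses_per_second)
                                / (365 * 86400),
        })
    return rows


if __name__ == "__main__":
    # Constructed guess rates: an offline attack on a fast unsalted hash versus a
    # deliberately slow password-hashing function. Both numbers are illustrative only.
    for label, rate in [("fast hash, 1e12 guesses/s", 1e12), ("slow KDF, 1e5 guesses/s", 1e5)]:
        print(f"--- {label} ---")
        for row in policy_report(rate):
            print(f"{row['policy']:<45} {row['bits']:>6} bits"
                  f"  {row['years_to_exhaust']:>12.3g} years")
    # Assumed 7776-word list (the size of a six-dice word list)
    print("4-word passphrase from a 7776-word list:",
          round(passphrase_entropy_bits(7776, 4), 1), "bits")
    print("lowercase length for 80 bits:", length_needed(LOWERCASE, 80))
    print("printable-ASCII length for 80 bits:", length_needed(PRINTABLE_ASCII, 80))
```

Running it shows that sixteen lowercase letters carry more entropy than ten characters drawn from the full printable set with complexity rules, and that a four-word passphrase sits well below either despite its character count; changing the assumed guess rate moves every row by the same factor, which is why the defence that scales is on the server side.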
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/E1.DD.03288.67DFC095@cdptpa-omsmta01
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.