At 15:35 2017-05-05, Ken Dibble <[email protected]> wrote:
[snip]
> Read the article. The data does not support the contention that
> these are important enough vectors to justify the downside that
> these recommendations have for users.

I did read the article. I do not agree with it.

> Anybody who's got a dictionary, by now, also has a brute-force
> "guessing machine" and a botnet. Yup, they get through the
> dictionary in a few seconds. Within only a few more minutes, the
> botnet loops through every possible combination of characters in a
> 10-character password, and then they move on to 11 characters. The
> only thing that slows them down at all is a much longer password,
> and the only really effective defense involves measures on the
> server side. There is very little that a user can do to a password
> to make it significantly safer in the modern age, and there is a huge
> amount of aggravation that can be caused to users over passwords
> that, in the end, has very little benefit.

Not putting a password on a Post-It Note is not a total
solution, but it is the equivalent of not putting the house key under
the mat. Would you put your house key under the mat? I suspect that
answer would be a resounding no.
Just because there is no ultimate solution does not mean we
should ignore things that can help.

> This isn't just me, or just me and O'Reilly. Now it's me, O'Reilly,
> and the NIST.
> Of course, I know, I'm a low-status person. No matter how right I
> am, or how often I am right, nobody listens to me until a
> high-status person repeats what I said.
> I am just enjoying the gratification of being proven right.

No, of someone agreeing with you.
There have been proclamations before about solutions to the
password problem. I think they are premature.
Look, I know that keeping track of passwords is a bother, but
if access to something matters, changing your password occasionally
is a good idea for the reason I stated. Pick a password that you can
remember. I do not have a solution for the cognitive load of having
[too] many passwords.
set silly on
Hey, maybe we can have cameras watching for body motions as
passwords. Since throwing up one's hands about the password problem
is not workable, throwing up one's hands can be the new equivalent of
having a password of "PASSWORD".
set silly off
Sincerely,
Gene Wirchenko
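The exchange above argues over how fast a botnet exhausts a 10-character keyspace and whether the real defense lives on the server side. The following is an added, constructed example (not code from either participant or the ProFox list) that puts numbers on that argument: it enumerates the cumulative keyspace for a given length, converts it to years at an assumed guessing rate, and shows how server-side key stretching (PBKDF2-HMAC-SHA256, one of the "measures on the server side") scales the attacker's rate down. The 95-character alphabet, the 1e12 guesses/second rate and the 600,000 iteration count are assumptions chosen for illustration.

```python
"""Constructed example: brute-force keyspace versus server-side key
stretching. All rates and parameters below are assumptions, not
measurements taken from the mailing-list thread."""
import hashlib
import os
import time

PRINTABLE_ASCII = 95  # assumption: full printable ASCII alphabet


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Candidates of exactly `length` characters (shorter ones excluded)."""
    return alphabet ** length


def cumulative_keyspace(max_length, alphabet=PRINTABLE_ASCII):
    """Candidates of every length from 1 up to max_length, the way a
    guesser that finishes 10 characters and 'moves on to 11' enumerates."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def exhaustive_years(length, guesses_per_second, alphabet=PRINTABLE_ASCII):
    """Worst-case years to try every candidate up to the given length."""
    seconds = cumulative_keyspace(length, alphabet) / guesses_per_second
    return seconds / (365 * 86400)


def stretched_rate(raw_rate, iterations):
    """Attacker rate against PBKDF2 verifiers. Assumption: each PBKDF2
    iteration costs roughly one HMAC, so the rate drops by `iterations`."""
    return raw_rate / iterations


def pbkdf2_verifications_per_second(iterations, samples=10):
    """Measured rate at which one core here checks candidates against a
    PBKDF2-HMAC-SHA256 verifier with this iteration count."""
    salt = os.urandom(16)  # constructed per-run salt
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate-password", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    raw = 1e12  # assumption: botnet rate against a fast, unstretched hash
    slow = stretched_rate(raw, 600_000)
    for n in (8, 10, 12):
        print(f"{n} chars: {exhaustive_years(n, raw):.2e} years raw, "
              f"{exhaustive_years(n, slow):.2e} years with PBKDF2")
    print(f"one core here: {pbkdf2_verifications_per_second(600_000):.1f} "
          f"PBKDF2 verifications/s")
```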
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/7b56c6dfa4c00c7e41261566e75cdfe9@mtlp000085