Security Basics mailing list archives
Re: Hashing passwords
From: Kurt Buff <kurt.buff () gmail com>
Date: Tue, 12 Jun 2012 16:07:46 -0700
On Tue, Jun 12, 2012 at 11:30 AM, Kai Wirt <u-turn1 () gmx de> wrote:
Just also revise enforcing password changing rules (every after 30 days) on your site and strong passwords(no less then 8 characters, special characters, upper cases,numbers and symbols) , this helps when attackers try brute forcing, so by the time they crack the password its no longer in use...There's an interesting paper on this topic: http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf In short, most of the password rules employed today are mostly annoying to users and don't really improve security.
That paper is deeply flawed, if not outright wrong, and borders on the pernicious. The end-user externality not considered by them is the cost to clean up an incident in an organization by IT staff after someone picks the dancing pigs over the secure way of doing things. If more staff were fired or otherwise disciplined after it was proved that they had gotten their company PC infected by navigating to non-work-related web sites (or performing their work in an unsafe manner against advice), we'd have a much better security environment - and the discipline must also apply to C-level execs, as the data they handle are even more precious than some staffer in shipping. I've personally cleaned up malware from the CxO's machines at $WORK, multiple times, because they a) won't pay attention to my recommendations for handling web sites and email and b) won't let me block or quarantine executables and suspect documents at the gateways that are designed to handle them. Kurt ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Hashing passwords haZard0us (Jun 11)
- Re: Hashing passwords Ansgar Wiechers (Jun 11)
- Re: Hashing passwords Rory Browne (Jun 11)
- RE: Hashing passwords Liam Randall (Jun 12)
- Re: Hashing passwords martin . mngoma (Jun 12)
- Re: Hashing passwords Kai Wirt (Jun 12)
- Re: Hashing passwords Kurt Buff (Jun 12)
- Re: Hashing passwords Ansgar Wiechers (Jun 13)
- Re: Hashing passwords Kurt Buff (Jun 13)
- Re: Hashing passwords Alexander Klimov (Jun 13)
- Re: Hashing passwords Rory Browne (Jun 11)
- RE: Hashing passwords Mikhail A. Utin (Jun 13)
- Re: Hashing passwords Kai Wirt (Jun 13)
- Re: Hashing passwords Ansgar Wiechers (Jun 11)
- Re: Hashing passwords gold flake (Jun 12)
- Re: Hashing passwords Kai Wirt (Jun 12)
- Message not available
- Re: Hashing passwords Jennifer Wachter (Jun 12)