Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 19 Nov 2007 20:50:52 -0500


On Nov 19, 2007, at 8:32 PM, Peters, Kevin wrote:
Here is my question - does anyone have the data on how many times a
hack (attack) has occurred associated to breaking the "launch codes"
from outside of the organization?  The last information I gleaned
from the FBI reports (several years ago) indicated that 70 percent
of hackings (attacks) were internal.

My most recent experience with intrusions has had nothing to do with
a compromised password, rather an exploit of some vulnerability in
the OS, database, or application.


I track these things, and I cannot recall the last time I saw any
report of an incident caused by a guessed password.  Most common
incidents are phishing, trojans, snooping, physical theft of sensitive
media, and remote exploitation of bugs.

People devote huge amounts of effort to passwords because it is one of
the few things they think they can control.

Picking stronger passwords won't stop phishing.  It won't stop users
downloading trojans.  It won't stop capture of sensitive
transmissions.   It won't bring back a stolen laptop (although if the
laptop has proper encryption it *might* protect the data).   And
passwords won't ensure that patches are in place but flaws aren't.

Creating and forcing strong password policies is akin to being the
bosun ensuring that everyone on the Titanic has locked their
staterooms before they abandon ship.  It doesn't stop the ship from
sinking or save any lives, but it sure does make you look like you're
doing something important.....
