Firewall Wizards mailing list archives

RE: "Proactive" Password Checking


From: "Anton J Aylward" <anton () the-wire com>
Date: Fri, 5 Nov 1999 12:15:45 -0500

Fred Cohen wrote the definitive article on this:
http://all.net/journal/netsec/9709.html
"Change Your Password – Doe See Doe"

/anton aylward

-----Original Message-----
From: Rick Smith
Sent: Friday, November 05, 1999 10:41 AM

In my experience, if you force people to use complicated, hard to remember
passwords, and you force them to change them often, then a nonzero
percentage will start writing their passwords down. Given that, you should
modify user security policies and procedures to identify relatively safe
ways of writing the passwords down.

So you have to decide whether the bigger risk is an attack by someone with
a password cracker or theft of a piece of paper with someone's password.

If you really, really want to have hard to crack passwords and you want to
avoid having them in writing, then leave passwords in place for a year or
more at a time. That gives people a chance to memorize them. Once
memorized, the pieces of paper will start to disappear, reducing the risk
of one being found.
