Penetration Testing mailing list archives

Re: Education End Users about Passwords - Was - RE: john the ripper


From: Byron Sonne <blsonne () rogers com>
Date: Tue, 09 Dec 2003 19:14:49 -0500

End User education is the greatest defense.

End user education is almost completely useless when it comes to passwords. Unless you live in a land where users are sensible ;)

I'm not just aimlessly capping on user communities; I've been an admin for over 10 years now in various places and people are all the same when it comes to passwords. That is to say that pretty much everyone sucks at password hygiene.

There's no way around this; all it takes is one day when they're in a rush and they're forced to change their password... so they write it down. From there a habit is formed. Next one gets written down. Perhaps someone nearby notices where they write them, and they get copied and/or passed around.

Make them too long, people write them down. Too short, they're easily cracked or guessed. Frequent password expiration? They get written down again. Infrequent? That's a security issue. Checked against a database of easily cracked passwords? They get written down. Forced inability to reuse patterns (i.e. jan1a, feb2b, mar3c, etc.)? They get written down.

The only viable solution, in my opinion, is the use of some kind of token (a la SecurID) or biometrics (not fingerprint based, those are way too easy to fool). With tokens they can keep a more comfortable password and change it on a more comfortable basis, and it doesn't matter too much if it gets cracked since they still need to append the token information to the end of the password to authenticate. Facial recognition is unreliable. Eye scans are good, although I don't want to have to worry about someone ripping out my eyeballs to crack a system ;)

Cheap, easy, secure... pick two :)
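The "password with the token code appended" scheme described in the post, as an added example that is not part of the original message or of any real token product. It implements RFC 4226 HOTP for the token side (the secret below is the RFC's published test seed, used here purely as a constructed value), stores only a salted PBKDF2 hash of the memorised password, splits the submitted string into password and code, and accepts a login only when both halves verify. The `look_ahead` window and the `Account` class are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the RFC 4226 test-vector seed, not a real credential.
TOKEN_SECRET = b"12345678901234567890"
CODE_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class Account:
    """Hypothetical account record: password hash plus the token's next expected counter."""

    def __init__(self, password: str):
        self.salt, self.pw_hash = hash_password(password)
        self.counter = 0      # next HOTP counter the server expects
        self.look_ahead = 3   # tolerate a few unused button presses on the token


def authenticate(acct: Account, submitted: str) -> bool:
    """Verify 'password + 6-digit token code' as one submitted string."""
    if len(submitted) <= CODE_DIGITS:
        return False
    password, code = submitted[:-CODE_DIGITS], submitted[-CODE_DIGITS:]

    # Always evaluate both factors so a failure does not reveal which half was wrong.
    _, digest = hash_password(password, acct.salt)
    pw_ok = hmac.compare_digest(digest, acct.pw_hash)

    matched = None
    for c in range(acct.counter, acct.counter + acct.look_ahead + 1):
        if hmac.compare_digest(hotp(TOKEN_SECRET, c), code):
            matched = c
            break

    if pw_ok and matched is not None:
        acct.counter = matched + 1   # each code is single-use; a replay fails
        return True
    return False


if __name__ == "__main__":
    acct = Account("correct horse")
    print(authenticate(acct, "correct horse" + hotp(TOKEN_SECRET, 0)))  # True
    print(authenticate(acct, "correct horse" + hotp(TOKEN_SECRET, 0)))  # False: replayed code
    print(authenticate(acct, "correct horse"))                          # False: no token
```

The point the post makes is visible in the last two calls: a cracked or written-down password alone never authenticates, and a captured code is worthless after one use because the server advances past it.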
