Security Basics mailing list archives

RE: Password creating Theories


From: "Bob Kurth" <Bob.Kurth () fcserv com>
Date: Wed, 16 Nov 2005 14:42:11 -0600

In response to the earlier email from Andrew, I went to the link and
looked at the sample pages from the book.  They were full of great
suggestions, some of which I had not thought of previously myself.  I'd
like to see the whole book after what I read in the sample.

The key thing for all of us to remember is that our password policies
must be geared to the abilities of the lowest intelligence end user.  It
is hard to understand just how low that can go until you get there.
Even if you can force a stronger password by increasing complexity
requirements, the end user still has to be able to remember it.  A
strong password policy becomes a detriment if it causes the HelpDesk to
be inundated with calls from end users who, because of password
complexity requirements, can't seem to pick a really good one they can
remember.  The complexity requirements should be supplemented with a set
of examples to spur the imagination, and I can happily say that what I
read does just that.

If you're in a place where you cannot move management off the dime to
agree to stronger complexity requirements, you can't improve the
security posture of the organization.  End users can rise to the
occasion IF they have the tools....in this case a series of demonstrable
methods.  I tend to shy away from password generators because, even
though they follow the rule set, their results are not often logical or
rememberable (is that a real word?) for the end user.

This has been a good thread with good ideas.


Robert Kurth, CISSP
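Bob's point above, that a complexity rule set is only useful if it still yields something the user can remember, and that generator output rarely does, can be made concrete. The following is an added example and is not code from this thread or from the book under discussion; the policy values, the eight-word list and every function name are constructed for illustration. It applies a classic length-plus-character-class rule to a human-chosen string, a generator string and a word-based passphrase, and compares the entropy each construction can honestly claim.

```python
import math
import secrets
import string

# Constructed example policy (not from the thread or the book): minimum
# length plus a minimum number of character classes.
POLICY = {"min_length": 12, "min_classes": 3}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed stand-in for a real diceware-style word list of thousands of words.
WORDS = ["copper", "orbit", "violin", "marsh", "kettle", "pixel", "tundra", "saddle"]


def character_classes(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password, policy=POLICY):
    """Apply the classic complexity rule set; returns (ok, list_of_failed_rules)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append(f"length {len(password)} < {policy['min_length']}")
    classes = character_classes(password)
    if len(classes) < policy["min_classes"]:
        failures.append(f"{len(classes)} character classes < {policy['min_classes']}")
    return not failures, failures


def generator_entropy_bits(password):
    """Entropy of a password drawn uniformly, character by character, from the
    pool formed by the classes it contains. A random generator achieves this;
    a human-chosen string that merely contains the same classes can be far
    weaker, so treat the number as an upper bound, not a strength score."""
    pool = sum(len(CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def random_password(length=12, policy=POLICY):
    """Generator-style password: random characters, retried until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, policy)[0]:
            return candidate


def memorable_passphrase(n_words=4, words=WORDS):
    """Random words joined with '-', first word capitalised and a random digit
    appended, so the result satisfies the same class rules while still
    reading as words the user can recall."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    chosen[0] = chosen[0].capitalize()
    return "-".join(chosen) + secrets.choice(string.digits)


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1234", random_password(), memorable_passphrase()]:
        ok, why = meets_policy(pw)
        print(f"{pw!r:32} policy={'pass' if ok else 'fail'} {why} "
              f"generator-bound={generator_entropy_bits(pw):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

Two things the run makes visible. First, the rule set passes "P@ssw0rd1234": length and class counts say nothing about how guessable a human-chosen string is, which is why such rules need to be paired with examples of good constructions rather than enforced alone. Second, the passphrase satisfies the same three-class rule, but its strength comes from the number of words and the size of the list they were drawn from, and with a real list of several thousand words it matches a twelve-character random string without asking the user to memorise symbol soup.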

-----Original Message-----
From: Andrew Williams [mailto:Andrew () Syngress com] 
Sent: Tuesday, November 15, 2005 3:35 PM
To: Saqib Ali
Cc: Jennifer Fountain; security-basics () securityfocus com
Subject: RE: Password creating Theories

When I first started discussing the book with the author (Mark Burnett),
I thought a whole book on the topic seemed a bit much as well. But, the
more I saw of Mark's manuscript, the more intrigued/interested I became
in the idea. 

The book is relatively short, 200 pages total. So, we realized this
couldn't be a door stop. The book is for both sys admins/infosec pros as
well as users. One of the book's primary goals is to provide admins w/
strategies and polices they can convey to their users so that users will
consistently create strong passwords that they can actually remember as
well. 

It is also kind of a fun read with interesting facts, stats, etc.; like
the 500 worst passwords of all time, etc.

Best,
A

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Tuesday, November 15, 2005 4:18 PM
To: Andrew Williams
Cc: Jennifer Fountain; security-basics () securityfocus com
Subject: Re: Password creating Theories

having a whole book dedicated to Password building seems an 
overkill....

who will be the target audience?

On 11/15/05, Andrew Williams <Andrew () syngress com> wrote:
We're actually about to publish a book on ideas/strategies for 
building passwords and password policies. We have a sample chapter 
available on

In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.


