Re: Hashing passwords

[Kurt Buff <kurt.buff () gmail com>]

On Wed, Jun 13, 2012 at 2:32 AM, Ansgar Wiechers
<bugtraq () planetcobalt net> wrote:
> On 2012-06-12 Kurt Buff wrote:
> > On Tue, Jun 12, 2012 at 11:30 AM, Kai Wirt <u-turn1 () gmx de> wrote:
> > > > Just also revise enforcing password changing rules (every after 30
> > > > days) on your site and strong passwords(no less then 8 characters,
> > > > special characters, upper cases,numbers and symbols) , this helps
> > > > when attackers try brute forcing, so by the time they crack the
> > > > password its no longer in use...
> > >
> > > There's an interesting paper on this topic:
> > >
> > > http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf
> > >
> > > In short, most of the password rules employed today are mostly
> > > annoying to users and don't really improve security.
> >
> > That paper is deeply flawed, if not outright wrong, and borders on the
> > pernicious.
> >
> > The end-user externality not considered by them is the cost to clean
> > up an incident in an organization by IT staff after someone picks the
> > dancing pigs over the secure way of doing things.
>
> I have to disagree. If you carefully re-read the paper, you'll notice
> that the author does include clean-up in the end-user externalities.
> Whether the clean-up is done by the user himself or someone else in his
> place matters little in this respect.

I have read the paper several times - I still believe that they don't
correctly consider those costs. If they have published the numbers, I
didn't see them.

> > If more staff were fired or otherwise disciplined after it was proved
> > that they had gotten their company PC infected by navigating to
> > non-work-related web sites (or performing their work in an unsafe
> > manner against advice), we'd have a much better security environment -
> > and the discipline must also apply to C-level execs, as the data they
> > handle are even more precious than some staffer in shipping.
> >
> > I've personally cleaned up malware from the CxO's machines at $WORK,
> > multiple times, because they a) won't pay attention to my
> > recommendations for handling web sites and email and b) won't let me
> > block or quarantine executables and suspect documents at the gateways
> > that are designed to handle them.
>
> Actually, no, that wouldn't help much. People are very good at ignoring
> risk that isn't imminent. Also, as annoying as it may be, CxO people are
> the people paying the bills, so they do get to make the final decision.
> Yes, they do set a bad example by doing so, but that can't be helped if
> they won't listen to reason.
>
> It's my observation that security measures usually only work well when
> either the users clearly understand (and acknowledge) the risks and
> benefits, or the measures don't get in the way of their daily work
> (much). If security measures become a hassle without apparent benefits,
> the *will* be ignored/circumvented. Adding more threats is unlikely to
> change anything about that.

That's why making the risk of discipline imminent and real is
imperative - though I agree that better user education needs to be
instituted, but getting time and money budgeted for that is also
nearly impossible.

Of course, ultimately this is a vendor and IT and management failure,
in a very real sense. For instance, on the part of IT and management,
there usually are not policies or technology in place that restrict
access for users to least-privilege levels, and the lack of resolve to
cast out products that are poorly written. Vendors, of course, still
write crap code, because they can get away with it.

Kurt

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------