Security Basics mailing list archives
Re: Hashing passwords
From: Kurt Buff <kurt.buff () gmail com>
Date: Wed, 13 Jun 2012 13:08:57 -0700
On Wed, Jun 13, 2012 at 2:32 AM, Ansgar Wiechers <bugtraq () planetcobalt net> wrote:
On 2012-06-12 Kurt Buff wrote:On Tue, Jun 12, 2012 at 11:30 AM, Kai Wirt <u-turn1 () gmx de> wrote:Just also revise enforcing password changing rules (every after 30 days) on your site and strong passwords(no less then 8 characters, special characters, upper cases,numbers and symbols) , this helps when attackers try brute forcing, so by the time they crack the password its no longer in use...There's an interesting paper on this topic: http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf In short, most of the password rules employed today are mostly annoying to users and don't really improve security.That paper is deeply flawed, if not outright wrong, and borders on the pernicious. The end-user externality not considered by them is the cost to clean up an incident in an organization by IT staff after someone picks the dancing pigs over the secure way of doing things.I have to disagree. If you carefully re-read the paper, you'll notice that the author does include clean-up in the end-user externalities. Whether the clean-up is done by the user himself or someone else in his place matters little in this respect.
I have read the paper several times - I still believe that they don't correctly consider those costs. If they have published the numbers, I didn't see them.
If more staff were fired or otherwise disciplined after it was proved that they had gotten their company PC infected by navigating to non-work-related web sites (or performing their work in an unsafe manner against advice), we'd have a much better security environment - and the discipline must also apply to C-level execs, as the data they handle are even more precious than some staffer in shipping. I've personally cleaned up malware from the CxO's machines at $WORK, multiple times, because they a) won't pay attention to my recommendations for handling web sites and email and b) won't let me block or quarantine executables and suspect documents at the gateways that are designed to handle them.Actually, no, that wouldn't help much. People are very good at ignoring risk that isn't imminent. Also, as annoying as it may be, CxO people are the people paying the bills, so they do get to make the final decision. Yes, they do set a bad example by doing so, but that can't be helped if they won't listen to reason. It's my observation that security measures usually only work well when either the users clearly understand (and acknowledge) the risks and benefits, or the measures don't get in the way of their daily work (much). If security measures become a hassle without apparent benefits, the *will* be ignored/circumvented. Adding more threats is unlikely to change anything about that.
That's why making the risk of discipline imminent and real is imperative - though I agree that better user education needs to be instituted, but getting time and money budgeted for that is also nearly impossible. Of course, ultimately this is a vendor and IT and management failure, in a very real sense. For instance, on the part of IT and management, there usually are not policies or technology in place that restrict access for users to least-privilege levels, and the lack of resolve to cast out products that are poorly written. Vendors, of course, still write crap code, because they can get away with it. Kurt ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Hashing passwords haZard0us (Jun 11)
- Re: Hashing passwords Ansgar Wiechers (Jun 11)
- Re: Hashing passwords Rory Browne (Jun 11)
- RE: Hashing passwords Liam Randall (Jun 12)
- Re: Hashing passwords martin . mngoma (Jun 12)
- Re: Hashing passwords Kai Wirt (Jun 12)
- Re: Hashing passwords Kurt Buff (Jun 12)
- Re: Hashing passwords Ansgar Wiechers (Jun 13)
- Re: Hashing passwords Kurt Buff (Jun 13)
- Re: Hashing passwords Alexander Klimov (Jun 13)
- Re: Hashing passwords Rory Browne (Jun 11)
- RE: Hashing passwords Mikhail A. Utin (Jun 13)
- Re: Hashing passwords Kai Wirt (Jun 13)
- Re: Hashing passwords Ansgar Wiechers (Jun 11)
- Re: Hashing passwords gold flake (Jun 12)
- Re: Hashing passwords Kai Wirt (Jun 12)
- Message not available
- Re: Hashing passwords Jennifer Wachter (Jun 12)
- RE: Hashing passwords Dave Kleiman (Jun 12)