Firewall Wizards mailing list archives

Re: Stanford break in


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 23 Apr 2004 16:27:07 -0400 (EDT)

On Fri, 23 Apr 2004, Bennett Todd wrote:

Other than that, frequent mandatory password changes are detrimental
to security. Better to have the password-changing tool use cracklib,
and offer good random passwords to users who are willing to use
them, and let them keep using them long enough to amortize the
higher cost of learning them.

I don't know if you've ever worked in a "union shop," but I've heard
horror stories of "can't remember the passwords" come bargaining time- and
my last employer had a good number of union employees.

However, the "conventional wisdom" in the security (and auditor)
world seems to be that frequent password changes should be
required.

This is definitely a problem; there are a _lot_ of senior security
managers and people writing security policies who do not have a
clue, and who think things that piss users off are by definition
good for security. Nothing much to do but outlive these morons, or
change jobs; they cannot be taught, and regard attempts to do so as
personal insults requiring vengeance.

It comes down to not having good and current risk data, IMO.

I remember a funny from some years ago, a moderately long list of
password quality rules, that ended with a note "the only password
that fits all the above words is ......., you must use it". Wish I
remembered where I saw it, or what the one secure password was.

If you do recall it, please share it!

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

