Firewall Wizards mailing list archives
Re: Stanford break in
From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 23 Apr 2004 16:27:07 -0400 (EDT)
On Fri, 23 Apr 2004, Bennett Todd wrote:
> Other than that, frequent mandatory password changes are detrimental to
> security. Better to have the password-changing tool use cracklib, and
> offer good random passwords to users who are willing to use them, and
> let them keep using them long enough to amortize the higher cost of
> learning them.

I don't know if you've ever worked in a "union shop," but I've heard horror stories of "can't remember the passwords" come bargaining time, and my last employer had a good number of union employees.

> > However, the "conventional wisdom" in the security (and auditor) world
> > seems to be that frequent password changes should be required.
>
> This is definitely a problem; there are a _lot_ of senior security
> managers and people writing security policies who do not have a clue,
> and who think things that piss users off are by definition good for
> security. Nothing much to do but outlive these morons, or change jobs;
> they cannot be taught, and regard attempts to do so as personal insults
> requiring vengeance.

It comes down to not having good, and current, risk data, IMO.

> I remember a funny from some years ago, a moderately long list of
> password quality rules, that ended with a note "the only password that
> fits all the above words is ......., you must use it". Wish I remembered
> where I saw it, or what the one secure password was.

If you do recall it, please share it!

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
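The alternative Bennett describes above, a password-changing tool that rejects weak choices at change time and offers a random password instead of forcing rotation, as an added illustration that is not part of the thread. It is a simplified, self-contained stand-in for the kind of checks cracklib performs (length, palindrome, dictionary word with padding stripped, reversed dictionary word, character-class mix); the dictionary is a constructed word list, not the system dictionary cracklib would use.

```python
import secrets
import string
from typing import Optional

# Constructed stand-in for the system word list cracklib consults.
DICTIONARY = {"password", "stanford", "firewall", "wizard",
              "secret", "welcome", "letmein", "sunshine"}
MIN_LENGTH = 8
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def check_password(candidate: str) -> Optional[str]:
    """Return a cracklib-style rejection reason, or None if acceptable."""
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        return "it is too short"
    if low == low[::-1]:
        return "it is a palindrome"
    # Users typically pad a word with digits/punctuation ("Stanford2004!");
    # strip that padding before the dictionary lookup, both ways round.
    core = low.strip(string.digits + string.punctuation)
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        return "it is based on a dictionary word"
    used = sum(1 for cls in CLASSES if any(ch in cls for ch in candidate))
    if used < 3:
        return "it does not contain enough different character classes"
    return None


def suggest_password(length: int = 12) -> str:
    """Offer a random password from the OS CSPRNG that passes the check."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_password(candidate) is None:
            return candidate


if __name__ == "__main__":
    for pw in ("short", "Stanford2004!", "drowssap99!", "abcdefghhgfedcba",
               "abcdefghij", "kx7Qm2vP9nLz"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("suggested:", suggest_password())
```

The generated suggestion only has value if the tool then lets the user keep it; pairing it with forced rotation reintroduces the cost the quoted message argues against.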