Firewall Wizards mailing list archives
Re: Stanford break in
From: Bennett Todd <bet () rahul net>
Date: Fri, 23 Apr 2004 18:50:27 +0000
2004-04-23T15:33:10 Stewart, John:
> It has always been my opinion that forcing a new password more often than once a year or so is counter-productive.

Agreed, with one minor wibble: such user-hostile policies can sometimes be a helpful band-aid for totally broken account removal procedures; if you've got huge piles of stale accounts, a frequent automated lockout-if-not-changed can be at least a little help in limiting the extent of the problem; and stale accounts can be a worse problem than poor passwords written down on sticky notes. Other than that, frequent mandatory password changes are detrimental to security. Better to have the password-changing tool use cracklib, and offer good random passwords to users who are willing to use them, and let them keep using them long enough to amortize the higher cost of learning them.

> However, the "conventional wisdom" in the security (and auditor) world seems to be that frequent password changes should be required.

This is definitely a problem; there are a _lot_ of senior security managers and people writing security policies who do not have a clue, and who think things that piss users off are by definition good for security. Nothing much to do but outlive these morons, or change jobs; they cannot be taught, and regard attempts to do so as personal insults requiring vengeance.

> I'm curious how others have handled this.

Ignore it, or leave.

BTW, here's a nice litmus test for so-called "password quality" rules: how likely are they to reject a password picked purely uniformly randomly from the printables? If that's anything more than fantastically unlikely, these quality rules are forcing use of poorer passwords by limiting the available password space.

I remember a funny from some years ago, a moderately long list of password quality rules, that ended with a note "the only password that fits all the above words is ......., you must use it". Wish I remembered where I saw it, or what the one secure password was.

-Bennett
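The litmus test in the mail above can be run rather than argued about. The script below is an added example, not code from the mail or from anyone else in the thread. The policy it tests (one character from each of four classes, plus no character repeated more than twice in a row) is a hypothetical one chosen to resemble typical corporate rules, and all function names are mine. It computes exactly, by inclusion-exclusion and a small dynamic program, how often each rule rejects a password drawn uniformly from the 95 printable ASCII characters, cross-checks that with a Monte Carlo run, and reports how many bits of the password space survive.

```python
"""Litmus test for password-quality rules.

Draw passwords uniformly at random from the 95 printable ASCII characters and
measure how often a rule set rejects them.  Every rejection shrinks the space
an attacker has to search.  The rule set below is a hypothetical one chosen to
look like a typical corporate policy; nothing here is from the original mail.
"""
import math
import random
import string
from itertools import combinations

# 95 printable ASCII characters (space through tilde).
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "
ALPHABET = len(PRINTABLE)  # 95

# Character classes a "must contain one of each" rule usually demands.
CLASS_SIZES = (26, 26, 10, 33)  # lower, upper, digit, other (punctuation + space)
CLASSES = (set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation + " "))


def class_rule(pw):
    """Hypothetical rule 1: at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def no_run_rule(pw, max_run=2):
    """Hypothetical rule 2: no character repeated more than max_run times in a row."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_run:
            return False
    return True


def policy(pw):
    """The combined hypothetical policy."""
    return class_rule(pw) and no_run_rule(pw)


def p_all_classes(n, sizes=CLASS_SIZES, alphabet=ALPHABET):
    """Exact P(uniform length-n password passes class_rule), by inclusion-exclusion
    over the subsets of classes that are entirely missing from the password."""
    total = 0.0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * ((alphabet - sum(missing)) / alphabet) ** n
    return total


def p_no_run(n, max_run=2, alphabet=ALPHABET):
    """Exact P(uniform length-n password passes no_run_rule), by dynamic
    programming on the length of the final run of identical characters."""
    ending = {1: alphabet}  # run length -> number of strings ending in such a run
    for _ in range(n - 1):
        nxt = {1: sum(ending.values()) * (alphabet - 1)}  # append a different char
        for run, count in ending.items():
            if run + 1 <= max_run:                          # append the same char
                nxt[run + 1] = nxt.get(run + 1, 0) + count
        ending = nxt
    return sum(ending.values()) / alphabet ** n


def random_printable(n, rng):
    """A password drawn uniformly from the printables (the litmus-test input)."""
    return "".join(rng.choice(PRINTABLE) for _ in range(n))


def reject_rate(rule, n, trials=20000, seed=1):
    """Monte Carlo estimate of P(rule rejects a uniform random password).
    Use this for rule sets that have no closed form."""
    rng = random.Random(seed)  # seeded for reproducibility; not for real passwords
    rejected = sum(not rule(random_printable(n, rng)) for _ in range(trials))
    return rejected / trials


def effective_bits(n, p_accept, alphabet=ALPHABET):
    """log2 of the number of length-n passwords the policy still allows."""
    return n * math.log2(alphabet) + math.log2(p_accept)


if __name__ == "__main__":
    print(f"{'len':>3} {'P(reject class)':>16} {'P(reject run)':>14} "
          f"{'MC reject policy':>17} {'bits left':>10}")
    for n in range(8, 17, 2):
        p_cls, p_run = p_all_classes(n), p_no_run(n)
        mc = reject_rate(policy, n)
        print(f"{n:>3} {1 - p_cls:>16.3f} {1 - p_run:>14.5f} {mc:>17.3f} "
              f"{effective_bits(n, 1 - mc):>10.2f}")
```

At eight characters the four-class rule alone rejects roughly 54% of uniformly random printable passwords, which by the litmus test means it discards over half of the space (about one bit); the no-repeated-run rule rejects a small fraction of a percent and is close to harmless. The same functions can be pointed at whatever rule set an auditor hands over: if `reject_rate` on uniform input is not close to zero, the rules are trimming good passwords, not bad ones.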