Mark Rudholm wrote:

>On Tue, 2006-01-17 at 20:31 +0100, Paweł Madej wrote:
>
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Mark Rudholm wrote:
>>
>>
>>>Benjamin Smee (strerror) wrote:
>>>
>>>I feel compelled to point out that 8-character passwords,
>>>no matter their composition, aren't really that strong
>>>anymore. Also, forcing users to use special characters
>>>and change passwords frequently only guarantees that they
>>>will write them down, often not in secure places.
>>>
>>>You might consider having users use longer passwords
>>>(a passphrase). They're easier for a user to remember,
>>>so they're less likely to write them down. They're also
>>>far more resistant to brute force attacks and guessing.
>>>Also consider that if you require two capital letters,
>>>2 numbers, and 2 special characters, you've just reduced
>>>the number of possible 8-character passwords quite
>>>significantly.
>>>
>>>
>>In some cases yes, but you have to take into account that [a-zA-Z0-9] and
>>special signs is a very big volume of possible combinations. In this
>>case I think that it is much more secure than a 12 [a-zA-Z] password which
>>could be named a passphrase.
>>
>>
>>
>>>It's usually very easy for a user to remember something
>>>like 'My child flies kites.' but if you make them use
>>>things like '^3!kX$1a' and force changes every couple
>>>of months, they *will* write it on a post-it note and
>>>stick it in their desk drawer or on their display.
>>>
>>>
>
>As random as that example password I used was, it doesn't
>meet your criteria for a 'strong password' (it doesn't have
>two capital letters).
>
>
>
>>In this case I have to say that it is 100% right because users are very
>>lazy, they don't want to think. Social effect is the biggest hole in
>>every security.
>>So what do you propose, Mark? Setting only a minimum length of 12 or 15 signs
>>and leaving users to choose which signs they want to use to make their
>>passphrase?
>>
>>
>
>Well, if I were designing a password policy, I'd probably set
>the minimum length to 11 characters of any sort, set either no
>password expiry or a very long one, and include password management
>in the basic security training I gave users. In that training, I'd
>explain passphrases and that users shouldn't write them down.
>I'd discuss how to avoid phishing and spyware, and what to do with
>emailed attachments. Any one of these could be an attacker's
>entry point.
>
>-Mark
>
>
>
I recommend the same as Mark there, except let them write them down, but
be strict on how they can do so:
tell them to keep them in a safe location, and handle them like they
would a credit card. If you're looking
for some good pointers on passwords, check out twit.tv and listen to
Security Now, one of the shows where they talk about
creating passwords; they sounded pretty reasonable on the topic.

-Nate
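Benjamin's claim that composition rules shrink the search space, and Paweł's claim that 8 characters with special signs beat a 12-letter [a-zA-Z] passphrase, can both be settled by counting. The following is an added Python example, not code from anyone in the thread; it assumes the 95 printable ASCII characters split into 26 uppercase, 26 lowercase, 10 digits and 33 specials, and that passwords are chosen uniformly at random from everything a policy allows.

```python
from math import comb, log2

# Printable ASCII split into the four classes the thread argues about (95 total).
UPPER, LOWER, DIGIT, SPECIAL = 26, 26, 10, 33
ALPHABET = UPPER + LOWER + DIGIT + SPECIAL


def search_space(alphabet_size, length):
    """Number of strings of `length` drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def composition_rule_space(length, min_upper=2, min_digit=2, min_special=2):
    """Number of printable-ASCII strings of `length` that satisfy a composition rule
    (at least min_upper uppercase, min_digit digits, min_special specials).
    Enumerates the exact per-class counts (u uppercase, d digits, s specials, the
    rest lowercase) and sums, for each split, the multinomial number of ways to
    assign classes to positions times the symbol choices per position.
    With all minimums at 0 this reproduces 95**length (multinomial theorem)."""
    total = 0
    for u in range(min_upper, length + 1):
        for d in range(min_digit, length - u + 1):
            for s in range(min_special, length - u - d + 1):
                lower = length - u - d - s
                placements = comb(length, u) * comb(length - u, d) * comb(length - u - d, s)
                total += placements * UPPER**u * DIGIT**d * SPECIAL**s * LOWER**lower
    return total


def bits(count):
    """Entropy in bits of one element chosen uniformly from a set of size `count`."""
    return log2(count)


def compare_policies():
    """Entropy of the policies discussed in the thread, assuming uniform choice."""
    return {
        "8 chars, any printable ASCII": bits(search_space(ALPHABET, 8)),
        "8 chars, >=2 upper/digit/special": bits(composition_rule_space(8)),
        "12 chars, [a-zA-Z] only": bits(search_space(UPPER + LOWER, 12)),
        "11 chars, any printable ASCII": bits(search_space(ALPHABET, 11)),
    }


if __name__ == "__main__":
    for policy, entropy in compare_policies().items():
        print(f"{policy:36s} {entropy:6.2f} bits")
```

The uniform-choice assumption is the optimistic case: human-chosen passwords come from a far smaller effective space, which is why the training Mark describes does more than the composition rule.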