| 1 |
On Wed, Aug 11, 2010 at 4:09 PM, Alan McKinnon <alan.mckinnon@×××××.com>wrote: |
| 2 |
|
| 3 |
> On Thursday 12 August 2010 00:11:12 Bill Longman wrote: |
| 4 |
> > On 08/11/2010 01:30 PM, Alan McKinnon wrote: |
| 5 |
> > > I refuse to implement password expiration policies and have a vast |
| 6 |
> array |
| 7 |
> > > of literature to back me up when some dimwit damager gets on his |
| 8 |
> > > expiration high horse. |
| 9 |
> > > |
| 10 |
> > > My users pick their own passwords - I present a list of 5 from apg and |
| 11 |
> > > let them pick one. Accounts do expire if they go unused for 90 days, |
| 12 |
> but |
| 13 |
> > > not passwords. |
| 14 |
> > > |
| 15 |
> > > What put me onto this policy? I found Gartner recommending password |
| 16 |
> > > expiration. I find the best security possible is always the opposite of |
| 17 |
> > > what Gartner says. Discovering how the AD admins in the company go |
| 18 |
> about |
| 19 |
> > > their jobs was the convincing straw :-) |
| 20 |
> > |
| 21 |
> > The bigger buggerboo I see is the "password complexity" [il]logic. |
| 22 |
> > There's this vapid requirement of all these different types of |
| 23 |
> > characters needed in one's password, yet the thing you really want to |
| 24 |
> > enforce is adequate entropy. If my password is an entire sentence, it |
| 25 |
> > will not be brute-forced, even if I used just ASCII A-z. There's just |
| 26 |
> > too much key space in 4.7^32. At 10^5 attempts per second, you're likely |
| 27 |
> > to find the answer in half a billion years. I hope your keyboard still |
| 28 |
> > works, let alone exists.... |
| 29 |
> |
| 30 |
> Your reasoning makes sense, until you consider password length limits |
| 31 |
> imposed |
| 32 |
> by machines. |
| 33 |
> |
| 34 |
> Cisco routers authenticating via Tacacs for instance often support nothing |
| 35 |
> more than DES hashing <yuck>. The hash routines accept up to 10 characters |
| 36 |
> for |
| 37 |
> a password but only use the first 8 to calculate the hash. |
| 38 |
> |
| 39 |
> There are Solaris version nowhere near EOL yet that have similar limits. |
| 40 |
> |
| 41 |
> All this makes my life as a system integrator cum authenticate go-to guy |
| 42 |
> very |
| 43 |
> tricky indeed. Luckily management tends to say "Just do what Alan says. It |
| 44 |
> makes him shut up and go away". |
| 45 |
> |
| 46 |
> :-) |
| 47 |
> |
| 48 |
> p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates |
| 49 |
> in 5 |
| 50 |
> letters something that takes paragraphs any other way. I shall make a note |
| 51 |
> for |
| 52 |
> future use. |
| 53 |
> |
| 54 |
> -- |
| 55 |
> alan dot mckinnon at gmail dot com |
| 56 |
> |
| 57 |
> Absolutely. If you do not change your ENCRYPT_METHOD or your PASS_MAX_LEN |
| 58 |
in your login.defs file and are still relying on the back end's ability to |
| 59 |
safely store your passwords in DES format, well, you're in trouble. |
Archives