1 |
On Wed, Aug 11, 2010 at 4:09 PM, Alan McKinnon <alan.mckinnon@×××××.com>wrote: |
2 |
|
3 |
> On Thursday 12 August 2010 00:11:12 Bill Longman wrote: |
4 |
> > On 08/11/2010 01:30 PM, Alan McKinnon wrote: |
5 |
> > > I refuse to implement password expiration policies and have a vast |
6 |
> array |
7 |
> > > of literature to back me up when some dimwit damager gets on his |
8 |
> > > expiration high horse. |
9 |
> > > |
10 |
> > > My users pick their own passwords - I present a list of 5 from apg and |
11 |
> > > let them pick one. Accounts do expire if they go unused for 90 days, |
12 |
> but |
13 |
> > > not passwords. |
14 |
> > > |
15 |
> > > What put me onto this policy? I found Gartner recommending password |
16 |
> > > expiration. I find the best security possible is always the opposite of |
17 |
> > > what Gartner says. Discovering how the AD admins in the company go |
18 |
> about |
19 |
> > > their jobs was the convincing straw :-) |
20 |
> > |
21 |
> > The bigger buggerboo I see is the "password complexity" [il]logic. |
22 |
> > There's this vapid requirement of all these different types of |
23 |
> > characters needed in one's password, yet the thing you really want to |
24 |
> > enforce is adequate entropy. If my password is an entire sentence, it |
25 |
> > will not be brute-forced, even if I used just ASCII A-z. There's just |
26 |
> > too much key space in 4.7^32. At 10^5 attempts per second, you're likely |
27 |
> > to find the answer in half a billion years. I hope your keyboard still |
28 |
> > works, let alone exists.... |
29 |
> |
30 |
> Your reasoning makes sense, until you consider password length limits |
31 |
> imposed |
32 |
> by machines. |
33 |
> |
34 |
> Cisco routers authenticating via Tacacs for instance often support nothing |
35 |
> more than DES hashing <yuck>. The hash routines accept up to 10 characters |
36 |
> for |
37 |
> a password but only use the first 8 to calculate the hash. |
38 |
> |
39 |
> There are Solaris version nowhere near EOL yet that have similar limits. |
40 |
> |
41 |
> All this makes my life as a system integrator cum authenticate go-to guy |
42 |
> very |
43 |
> tricky indeed. Luckily management tends to say "Just do what Alan says. It |
44 |
> makes him shut up and go away". |
45 |
> |
46 |
> :-) |
47 |
> |
48 |
> p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates |
49 |
> in 5 |
50 |
> letters something that takes paragraphs any other way. I shall make a note |
51 |
> for |
52 |
> future use. |
53 |
> |
54 |
> -- |
55 |
> alan dot mckinnon at gmail dot com |
56 |
> |
57 |
> Absolutely. If you do not change your ENCRYPT_METHOD or your PASS_MAX_LEN |
58 |
in your login.defs file and are still relying on the back end's ability to |
59 |
safely store your passwords in DES format, well, you're in trouble. |