On Sat, Dec 31, 2011 at 10:24 PM, Randall Webmail <[email protected]> wrote:
> From: Kevin W. Wall <[email protected]>
>
>> Boy, the latter sounds like advice that a black hat hacker would give someone
>> to ensure simple dictionary attacks are successful. Your dog's name? Really???
>
> Beats the usual method of writing it on a Post-It note where the janitorial
> staff can see.

Nothing wrong with writing your password on a Post-It note. The problem is
*where* you keep that Post-It note. Put it in your wallet or purse or store it
in your locked desk drawer and the janitor isn't going to casually see it.

> The current state of "security" in corporate America is somewhere between
> parlous and laughable.
>
> I've been in a Fortune 100 CEO's office -- his login/pw were indeed on a
> Post-It, stuck to his monitor.

That's true, but IMO, that's because most of corporate security is driven by
CYA policies rather than ones with any particular rational threat model in mind.
So instead of engaging real risks, we waste our time fighting windmills.

> The most common password is "Password".

See, that would never fly at our company. They'd have to make it "Passw0rd" or
"Password1" because our AD policy requires one uppercase, one lowercase, and one
numeric. :-P

> I know of at least one global company whose database password was "Oracle".

More common for our DBAs is the username written out backwards. (Their excuse:
"We tell the developers and/or operations teams to change it." But very few
ever do.)

> For a time in the 1980s, the BUPERS password on at least one dialup node was
> "Letmein".
>
> If you're wanting thousands of users to change their passwords once a month
> and you're NOT going to allow them to use Post-Its, you'd better plan to hire
> hundreds of kids for "Tech Support".

As Prof Bellovin so aptly remarked, a better approach would be to train people
to use a password wallet / vault, e.g., Password Safe or KeePass, etc. Then keep
the file on a flash drive that you carry with you or, if you are more trusting,
keep it in the cloud somewhere. Then you only have a small handful of passwords
to worry about. Train the users how to create intelligent strong passwords
(which we seldom do) and they won't have to write them down. But teach them
that it's OK to write them down and put them in a secure place where only they
have access to them. (E.g., treat them like you treat your money!) It's really
not that hard.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by
accident. That's where we come in; we're computer professionals. We *cause*
accidents." -- Nathaniel Borenstein
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
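The complexity-rule point in the message above ("Passw0rd" and "Password1" satisfy an upper/lower/digit AD policy) and the reversed-username DBA habit, as an added Python example that is not part of the thread or anyone's posted code: a checker that applies such a rule, then shows how a dictionary attacker normalizes the usual workarounds so the "compliant" passwords collapse back onto the word they came from. The wordlist, the leet map, the sample usernames and the 8-character minimum are constructed assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed mini wordlist standing in for a real cracking dictionary
# (assumption: a real attacker uses a far larger list; these entries are
# the examples from the thread plus a few obvious ones).
WORDLIST = {"password", "letmein", "oracle", "welcome", "qwerty", "admin"}

# Substitutions people use to satisfy "one digit / one symbol" rules.
# Assumption: a small illustrative map, not an exhaustive leet table.
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}


def meets_ad_complexity(pw: str, min_len: int = 8) -> bool:
    """The AD-style rule from the thread: at least one uppercase, one
    lowercase and one digit. The min_len of 8 is an assumed value."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw: str) -> str:
    """Collapse a password to the word it was built from: lowercase, drop
    leading/trailing digits and punctuation ("Password1", "Passw0rd!"),
    then undo leet substitutions ("P@ssw0rd" -> "password")."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return "".join(LEET_MAP.get(ch, ch) for ch in core)


def guessable(pw: str, username: Optional[str] = None) -> bool:
    """True if the normalized password is a wordlist entry, the username,
    or the username spelled backwards (the DBA habit from the thread)."""
    candidates = set(WORDLIST)
    if username:
        u = username.lower()
        candidates |= {u, u[::-1]}
    return normalize(pw) in candidates


def audit(pw: str, username: Optional[str] = None) -> Tuple[bool, bool]:
    """Return (passes_policy, trivially_guessable) for one password."""
    return meets_ad_complexity(pw), guessable(pw, username)


if __name__ == "__main__":
    # Constructed sample accounts; "jsmith" and "oracle" are assumed names.
    for pw, user in [("Password", "jsmith"), ("Passw0rd", "jsmith"),
                     ("Password1", "jsmith"), ("Elcaro1", "oracle"),
                     ("correct-horse-battery", "jsmith")]:
        ok, weak = audit(pw, user)
        print(f"{pw:22} policy={'pass' if ok else 'FAIL'} guessable={weak}")
```

The two columns diverge exactly where the thread says they do: the complexity rule rejects "Password" and accepts "Passw0rd" and "Password1", while the attacker-side normalization treats all three as the same dictionary entry. A policy that checks the normalized form against a wordlist (and against the username and its reverse) catches what the character-class rule misses.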
