On Feb 17, 2015, at 10:15 PM, Richard Pieri <[email protected]> wrote:
>
> So. Someone replied directly to me instead of the list suggesting that
> character length is an important factor in password security.
>
> Letter count is a pointless factor in password security. "Four score and
> seven years ago" is 30 characters and still trivially vulnerable to
> dictionary attacks. "We hold these truths to be self-evident" is 40
> characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies. Rules and
> policies are bad. Every policy that you enforce makes it easier for attackers
> to analyze passwords. If you have a policy that enforces a 15 character
> minimum then an attacker knows to ignore everything that is 14 or fewer
> characters, and given human nature he can ignore everything over about 20
> characters for most passwords. If you have a policy that enforces the use of
> at least one number then an attacker has 9 known possible plaintexts in every
> password. At least one capital letter is 26 known possible plaintexts. And so
> forth.
>
> LastPass was suggested as an enterprise solution. By Ghu, where do I start
> with this. Relying on a third party that has no obligation to maintain the
> integrity of your keys? Relying on a third party that has crafted its terms
> of service such that you have no recourse if they screw up or an attacker
> compromises their system and exposes your entire business to the world? And
> this is being floated as an enterprise solution? 'Nuff said.
Well said!

- Eric C

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
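The quoted mail argues that a published policy (15-character minimum, at least one digit, at least one capital) tells an attacker which candidates to skip. The script below is an added example, not part of the thread, that quantifies that claim for exhaustive search: it counts the candidates a policy leaves in play by inclusion-exclusion and reports how many bits of search the policy saves. It assumes a 95-character printable-ASCII alphabet and a 20-character human upper bound, as the mail suggests.

```python
from itertools import combinations
from math import log2

# Printable-ASCII character classes (constructed model: 26 lower, 26 upper, 10 digits, 33 symbols).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33
ALPHABET = LOWER + UPPER + DIGIT + SYMBOL  # 95 printable characters


def count_with_required_classes(length, required):
    """Strings of `length` over the alphabet containing at least one character
    from every class in `required`. Inclusion-exclusion: subtract strings that
    miss one required class, add back those that miss two, and so on."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            total += (-1) ** k * (ALPHABET - sum(missing)) ** length
    return total


def keyspace(min_len, max_len, required=()):
    """Candidates an attacker must still try for lengths min_len..max_len."""
    return sum(count_with_required_classes(n, required) for n in range(min_len, max_len + 1))


def fraction_skippable(policy_min, policy_max, required, search_max):
    """Share of the unconstrained space (lengths 1..search_max, no class rules)
    that knowledge of the policy lets an attacker discard outright."""
    full = keyspace(1, search_max)
    allowed = keyspace(policy_min, min(policy_max, search_max), required)
    return 1 - allowed / full


def bits_saved(policy_min, policy_max, required, search_max):
    """The same reduction expressed as bits of work the policy removes."""
    full = keyspace(1, search_max)
    allowed = keyspace(policy_min, min(policy_max, search_max), required)
    return log2(full) - log2(allowed)


if __name__ == "__main__":
    # The mail's scenario: 15-character minimum, nobody goes past ~20 characters.
    print(f"15..20 chars only:        {bits_saved(15, 20, (), 20):.3f} bits saved")
    print(f"+ at least one digit:     {bits_saved(15, 20, (DIGIT,), 20):.3f} bits saved")
    print(f"+ at least one capital:   {bits_saved(15, 20, (DIGIT, UPPER), 20):.3f} bits saved")
```

The model covers exhaustive search over printable ASCII only; it says nothing about the dictionary and phrase attacks that make the mail's "Four score and seven years ago" example weak, which is a separate and usually larger risk.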
