On 01/31/2017 07:54 AM, Kent Borg wrote:
On 01/30/2017 08:46 PM, Dan Ritter wrote:
First off, you should be using ssh keys and not passwords.
No, you should be using passwords not keys. (In most cases.)
Protect your password, don't give it to anyone, don't recycle it on
different sites. A good password can be easy to remember and easy to
type. As bad as manually typed passwords are the sparkly alternatives
are almost always worse.
I agree with Kent, although I do believe you should rotate your password
at some reasonable interval. We do enforce password rotation and a mix
of alphanumeric/symbols at my company. Password length needs to be
paramount also. I've practiced and recommended using actual sentences as
opposed to passwords
(http://blog.napc.com/password-performance-that-isn-t-a-compromise). If
your systems are limiting you to 8 characters then you really need to
update those systems because passwords probably aren't the only part of
those that are insecure. Most modern systems will support at least 32
character passwords so having any password less than 10 characters is
something I would strongly recommend against. Typing "B@con is g00d." is
really no more difficult than typing "Meg@s0nic" and extends the
likelihood of compromise from months to centuries. Mind you, a good
password is only one small part of a solution (sudo, named-accounts,
audit logs, lockout timers, etc.), but it's definitely your first-line
of defense.
Grant M.
--
Grant Mongardi
Senior Systems Engineer
NAPC
[email protected]
http://www.napc.com/
twitter: @Grantonator
LinkedIn: http://www.linkedin.com/pub/grant-mongardi/19/34/182/
781.894.3114 phone
781.894.3997 fax
NAPC | technology matters
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
