On 01/31/2017 08:48 AM, Kent Borg wrote:
On 01/31/2017 08:23 AM, Grant NAPC wrote:
I agree with Kent, although I do believe you should rotate your
password at some reasonable interval. We do enforce password rotation
and a mix of alphanumeric/symbols at my company.
Here is an idea: Don't let users set their own passwords. That way you
can be sure you aren't being fed that user's Ashley Madison or Yahoo
password. This won't prevent password reuse in the other direction,
unfortunately.
"15-ladder-bamboo-sierra" is an easy password to remember and type, yet
it has 40-bits of entropy. Even if some bizarrely configured sshd
allowed 1000-attempts per second (which they don't) it would still take
over 18-years to try half the combinations.
02-alex-smile-metro, 5b-mile-sleep-school, ea-mercy-copy-pizza...
I think it's better to train them how to create those passwords on their
own and then require them to change them so that should they reuse them
elsewhere then they are only a concern for 90 days or whatever. Creating
a non-rotating password that they then use on Yahoo!, Instagram, etc,
because they can remember it and "you told me it was secure!" doesn't
make me feel all that comfortable. The fact remains if they then click a
link in some phishing email and type that password into
fake-Facebook.com then that password you told them was secure is
everything but that. It may be that we're talking about 2 different
classes of people here but I believe the risk is similar.
Grant M.
--
Grant Mongardi
Senior Systems Engineer
NAPC
[email protected]
http://www.napc.com/
twitter: @Grantonator
LinkedIn: http://www.linkedin.com/pub/grant-mongardi/19/34/182/
781.894.3114 phone
781.894.3997 fax
NAPC | technology matters
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
