Mark Rudholm wrote:
On Tue, 2006-01-17 at 20:31 +0100, Paweł Madej wrote:
Mark Rudholm wrote:
Benjamin Smee (strerror) wrote:
I feel compelled to point out that 8-character passwords,
no matter their composition, aren't really that strong
anymore. Also, forcing users to use special characters
and change passwords frequently only guarantees that they
will write them down, often not in secure places.
You might consider having users use longer passwords
(a passphrase). They're easier for a user to remember,
so they're less likely to write them down. They're also
far more resistant to brute force attacks and guessing.
Also consider that if you require two capital letters,
2 numbers, and 2 special characters, you've just reduced
the number of possible 8-character passwords quite
significantly.
In some cases yes, but you have to take into account that [a-zA-Z0-9] and
special signs give a very big volume of possible combinations. In this
case I think that it is much more secure than a 12-character [a-zA-Z] password which
could be called a passphrase.
It's usually very easy for a user to remember something
like 'My child flies kites.' but if you make them use
things like '^3!kX$1a' and force changes every couple
of months, they *will* write it on a post-it note and
stick it in their desk drawer or on their display.
As random as that example password I used was, it doesn't
meet your criteria for a 'strong password' (it doesn't have
two capital letters).
In this case I have to say that it is 100% right because users are very
lazy; they don't want to think. The social effect is the biggest hole in
all security.
So what do you propose, Mark? Setting only a minimum length of 12 to 15 signs
and leaving users to choose which signs they want to use to make their
passphrase?
Well, if I were designing a password policy, I'd probably set
the minimum length to 11 characters of any sort, set either no
password expiry or a very long one, and include password management
in the basic security training I gave users. In that training, I'd
explain passphrases and that users shouldn't write them down.
I'd discuss how to avoid phishing and spyware, and what to do with
emailed attachments. Any one of these could be an attacker's
entry point.
-Mark
I recommend the same as Mark there, except let them write them down, but
be strict on how they can do so:
tell them to keep them in a safe location, and handle them like they
would a credit card. If you're looking
for some good pointers on passwords, check out twit.tv and listen to
Security Now; in one of the shows they talk about
creating passwords, and they sounded pretty reasonable on the topic.
-Nate
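The keyspace argument in the thread (composition rules shrinking the 8-character space, 8 mixed characters versus 12 letters, Mark's 11-of-anything policy) can be put into numbers. The following is an added example, not code from any of the posters; it assumes the 94 printable ASCII characters split into 26 lowercase, 26 uppercase, 10 digits and 32 specials, and that passwords are chosen uniformly at random, which real user-chosen passwords are not, so these are upper bounds on strength.

```python
from math import factorial, log2

# Character classes of the 94 printable ASCII characters (assumption: 32 "specials").
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32
PRINTABLE = LOWER + UPPER + DIGIT + SPECIAL  # 94


def multinomial(*ks):
    """Number of ways to arrange ks[0] items of kind 0, ks[1] of kind 1, ... in a row."""
    result = factorial(sum(ks))
    for k in ks:
        result //= factorial(k)
    return result


def constrained_count(length=8, min_upper=2, min_digit=2, min_special=2):
    """Passwords of `length` printable ASCII chars with at least min_upper uppercase,
    min_digit digits and min_special specials (the composition rule quoted above)."""
    total = 0
    for u in range(min_upper, length + 1):
        for d in range(min_digit, length - u + 1):
            for s in range(min_special, length - u - d + 1):
                lo = length - u - d - s  # whatever is left must be lowercase
                arrangements = multinomial(u, d, s, lo)
                total += arrangements * UPPER**u * DIGIT**d * SPECIAL**s * LOWER**lo
    return total


def unconstrained_count(length, alphabet):
    """Passwords of `length` symbols chosen freely from an alphabet of `alphabet` symbols."""
    return alphabet ** length


def bits(count):
    """Keyspace size expressed as bits of entropy, assuming uniform random choice."""
    return log2(count)


def compare_policies():
    """Keyspaces of the policies discussed in the thread, as (name, count, bits)."""
    policies = {
        "8 chars, any printable": unconstrained_count(8, PRINTABLE),
        "8 chars, >=2 upper/digit/special": constrained_count(8, 2, 2, 2),
        "12 chars, [a-zA-Z] only": unconstrained_count(12, LOWER + UPPER),
        "11 chars, any printable": unconstrained_count(11, PRINTABLE),
    }
    return [(name, n, round(bits(n), 1)) for name, n in policies.items()]


if __name__ == "__main__":
    for name, n, b in compare_policies():
        print(f"{name:36} {n:>26,d}  {b:5.1f} bits")
```

Run as a script it prints one row per policy; the 12-letter passphrase row comes out several orders of magnitude larger than either 8-character row.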