The following message is a courtesy copy of an article that has been posted to bit.listserv.ibm-main,alt.folklore.computers as well.
[email protected] (zMan) writes:
> OK, this is topic drift, but: are you saying that having stringent password
> requirements is a failure? Because I sure think it is -- it just encourages
> folks to use patterns or otherwise weak passwords and/or to write them down
> anyway.
>
> I use a site that requires 8-byte passwords, changed every n days, with no
> more than 3 characters from the previous password in a row and at least one
> digit, which can't be leading or trailing. Surprise, we use ABCnnDEF,
> where the nn is what changes. Fortunately this isn't an important site, so
> I'm not worried about someone getting at it, but it's an example where the
> stupid restrictions fail.

re:
http://www.garlic.com/~lynn/2010l.html#4 Did a mainframe glitch trigger DBS Bank outage?

recent mention of old password rules (had been sent to me by somebody in POK):
http://www.garlic.com/~lynn/2010k.html#49 GML

reproduced in these old posts:
http://www.garlic.com/~lynn/2001d.html#52 A beautiful morning in AFM
http://www.garlic.com/~lynn/2001d.html#53 April Fools Day

from 3-factor authentication paradigm ... lots of past posts:
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you have
* something you know
* something you are

40yrs ago ... with a few something-you-know "shared secrets" ... things weren't too bad ... but roll forward forty years ... and the paradigm effectively collapses with potentially having to memorize hundreds of different (hard to memorize/guess) pins/passwords ... misc. past posts regarding something-you-know "shared secret" authentication
http://www.garlic.com/~lynn/subintegrity.html#secrets

from kindergarten security 101, each unique security domain requires a unique (something-you-know) "shared secret" as a countermeasure to cross-domain attacks (aka local garage ISP operation being able to attack critical commercial business). static PIN/passwords are also vulnerable to various kinds of eavesdropping vulnerabilities ... and the value can then be used in "replay attacks" ... contributing to the requirements for frequent changes. frequent changes are also a countermeasure to brute force & guessing attacks (especially "weak" passwords).

in any case, proliferation in shared-secret (something you know) authentication overwhelms human capacity to deal with the ever increasing numbers (and the different unique security domains still acting as if they are the only one in the whole world that has a pin/password required to be memorized).

disclaimer ... bunch of patents in the area (assigned and which we have no rights/interests):
http://www.garlic.com/~lynn/aadssummary.htm

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
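The rule set zMan describes (8 characters, a digit that is neither first nor last, no more than 3 characters in a row shared with the previous password) can be written down as a checker, which makes the complaint concrete: the ABCnnDEF pattern satisfies every rule, and rotating nn satisfies the change rule as well, so the policy accepts passwords drawn from a space of only 100 values. The checker below is an added example, not code from the original post or either of its authors; the reading of "3 characters in a row" as "no common substring longer than 3", the ABC/DEF fragments, the sample passwords and the function names are all constructed for the illustration.

```python
"""Checker for the password policy described in the post (added example,
not code from the post or its authors).

Rules as stated there, plus one reading that is an assumption of this example:
  - at least 8 characters ("8-byte passwords")
  - at least one digit, which may not be leading or trailing
  - no more than 3 characters from the previous password in a row, read here
    as: no substring longer than 3 characters in common with the old password
Sample passwords, the ABC/DEF fragments and the function names are constructed.
"""

from typing import List, Optional

MIN_LENGTH = 8
MAX_SHARED_RUN = 3


def longest_shared_run(new: str, old: str) -> int:
    """Length of the longest substring that appears in both passwords (O(n*m))."""
    best = 0
    for i in range(len(new)):
        for j in range(len(old)):
            k = 0
            while (i + k < len(new) and j + k < len(old)
                   and new[i + k] == old[j + k]):
                k += 1
            best = max(best, k)
    return best


def check_policy(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in new):
        problems.append("no digit")
    elif new[0].isdigit() or new[-1].isdigit():
        problems.append("digit is leading or trailing")
    if old is not None and longest_shared_run(new, old) > MAX_SHARED_RUN:
        problems.append("more than 3 characters in a row shared with previous password")
    return problems


def pattern_candidates(prefix: str, suffix: str) -> List[str]:
    """Every password of the post's ABCnnDEF form: fixed letters around a two-digit counter."""
    return [f"{prefix}{nn:02d}{suffix}" for nn in range(100)]


def accepted_count(prefix: str, suffix: str, previous: str) -> int:
    """How many of the 100 pattern passwords the policy accepts as the successor of `previous`."""
    return sum(1 for pw in pattern_candidates(prefix, suffix)
               if not check_policy(pw, previous))


if __name__ == "__main__":
    print(check_policy("ABC12DEF"))                  # [] : the pattern passes every rule
    print(check_policy("ABC23DEF", "ABC12DEF"))      # [] : rotating nn passes the change rule too
    print(check_policy("ABC13DEF", "ABC12DEF"))      # rejected: shares "ABC1" with the old password
    print(accepted_count("ABC", "DEF", "ABC12DEF"))  # 81 : most of a 100-value space stays usable
```

The point for a policy author is the last number: a checker that only measures character classes and overlap with the previous value cannot tell that the whole keyspace has collapsed to two digits, so rules of this shape buy rotation without buying unpredictability.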

