begin quoting John H. Robinson, IV as of Thu, Nov 29, 2007 at 01:56:50PM -0800:
> Michael O'Keefe wrote:
> >
> > I'm not paid to [follow BugTraq et al], you are.
> > Don't pass the buck onto me by forcing me to change my passwd every 2
> > weeks, and not reuse any of the last 26!
>
> I would not implement that draconian a policy. If it were mine, it would
> probably be on the order of three months to a year, and not repeat the
> past three or four passwords.

This is because you're not defending against a stolen /etc/shadow file, but
an accidental revelation of a password? Or do you have users who log in from
Kinko's and internet cafes?

> I do understand what you are saying. You are passing off to me the
> requirement that the system must be secure (which I accept) but at the
> same time it must not impinge your work in any way. That is where I draw
> the line. There is a tradeoff between security and usability.

Um..... I really hate describing the tradeoff in those terms.

Remember, one of the goals of security is accessibility. If my security
policies result in my being unable to access my resources, that's as good as
a denial of service attack. If, by attacking your system, I can get you to
crank the security screws down to the point where your users can't use your
systems, then I've as good as done a DoS attack.

> To use the car analogy, you want to drive your car down the road, the
> sidewalk, through the parks and at any speed you want. No. There are
> laws.

Yah, but fitting an explosive charge to the engine to blow up the car if I
fail to signal before a right-hand turn doesn't aid me in getting done what
I need to do. :)

> I would, given my own druthers, try to reach a consensus as to where the
> security/usability line is drawn.

Yup. Find the tradeoff. What threats concern you? What threats don't? What
sort of users do you have? Do you allow authorized_keys? Do you /require/
authorized_keys?

> > Are you saying that a cracker is sitting out there with my userid/passwd
> > waiting for a new vulnerability so they can get into my system, because
> > all their other attempts have been foiled?
>
> I'm saying that I don't know, I cannot control it, so I must guard
> against it. One of my tools is password expiration. I will use that
> tool, along with others, as appropriate.

The problem with password expiration is that it causes more problems than
it solves. IMNSHO, of course.

-- 
Rainbow dictionary attacks are neat!
Stewart Stremler -- [email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
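The thread argues about how long a password-expiration window should be. As an added example, not from any poster, here is a small audit that reads shadow(5)-style records and reports accounts whose per-account maximum age is looser than a site policy, whose password is already older than that policy, or which are flagged for a forced change. The records, the "today" value and the 90-day policy are constructed; `audit_shadow` is a hypothetical helper name.

```python
"""Audit password-aging fields in /etc/shadow-style records (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records. Field 3 is the last change in days since
# 1970-01-01, field 5 is the per-account maximum password age in days.
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashfakehash:13800:0:99999:7:::
alice:$6$saltsalt$anotherfakehash:13750:0:90:14:::
bob:$6$saltsalt$yetanotherfakehash:13600:0:365:7:::
svc_backup:!:13000:0:99999:7:::
carol:$6$saltsalt$onemorefakehash:0:0:90:7:::
"""


@dataclass
class Finding:
    user: str
    age_days: Optional[int]   # None when the last-change field is empty
    reason: str


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def audit_shadow(text: str, today_days: int, policy_max_days: int) -> List[Finding]:
    """Return one Finding per policy violation, in record order.

    today_days is "today" in the same unit as the shadow field (days since
    the epoch) so results are deterministic; in practice pass
    int(time.time() // 86400).
    """
    findings: List[Finding] = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue  # malformed record; shadow(5) defines nine fields
        user, pw_hash, lastchg, _min_days, max_days = fields[:5]
        if pw_hash.startswith(("!", "*")):
            continue  # locked or password-less account; aging does not apply
        last, maxd = _int_or_none(lastchg), _int_or_none(max_days)
        if last == 0:
            findings.append(Finding(user, 0, "must change password at next login"))
            continue
        age = today_days - last if last is not None else None
        if maxd is None or maxd > policy_max_days:
            findings.append(Finding(user, age, f"max age {maxd} exceeds policy {policy_max_days}"))
        if age is not None and age > policy_max_days:
            findings.append(Finding(user, age, f"password is {age} days old"))
    return findings
```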
