I'm going to seriously propose, at my place of work, a new password
standard for standard users:

16 or more characters, the usual password complexity, changed once a year.

I think it's a good tradeoff.

On 12/24/07, kenw <[EMAIL PROTECTED]> wrote:
> In general, I think the idea of progressive back-off is a good one, and
> probably simple to implement.
>
> Long, hard-to-remember, frequently-changed passwords are a bad idea.
> They get written down in all sorts of places.  I've yet to hear a good
> argument for frequent password changes in most environments, for
> ordinary users.  If other aspects of password security are well managed,
> it accomplishes little, and in practice, most people cheat.
>
> Think testing.  Software usability testing seems to be done rarely in
> the Microsoft world.  It does no good to say "people should" this or
> that.  Live in the real world, write software that actually, testably
> delivers the results you want it to.
>
> For example, consider software that actually _helps_ people create
> passwords that are both hard to guess and relatively easy to remember.
> No, it's not a silly idea, it exists, but it's not from Microsoft.
>
> /kenw
>
> > -----Original Message-----
> > From: Ben Scott [mailto:[EMAIL PROTECTED]
> > Sent: December-24-07 1:10 AM
> > To: NT System Admin Issues
> > Subject: Re: Audit recommendation
> >
> > On Dec 23, 2007 11:00 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > > >  Brute force attacks can be effective against even long passwords,
> > >
> > > Really? How long do you think it would take you to brute force a 15
> > > character, complex, password, over FTP?
> >
> >   It all depends on how you define "long" and "complex".  And I missed
> > the part where this was over FTP.  But yes, if you have a 20 character
> > password consisting of an evenly-distributed random selection all
> > possible characters one can type on a keyboard, and you're connected
> > via remote Internet link, it will be very hard to brute force in
> > reasonable time.  Or even unreasonable time.  But if you're on the LAN
> > and the password is "jsmith02051982" or some other similar password
> > that's very likely to be in actual use in the real world, then not so
> > much.
> >
> >   Yes, one can -- and, indeed, should -- decry weak passwords as a big
> > practical security problem.  That doesn't mean the situation isn't
> > realistic.  It also doesn't mean countermeasures against
> > brute/dictionary attacks should be abandoned.
> >
> > > Total effort is more than writing a few lines of code (someone has to
> > > do the documentation, it needs to work with other APIs,
> > > ISVs would need to be notified, SDKs/documentation would need to be
> > > updated, regression tests and threat models
> > > written and tested etc)
> >
> >   I think you're being needlessly difficult here, so I'll respond in
> > kind:   Lack of documentation has never stopped Microsoft before.
> > Working with other APIs is a no-op; this is a delay in the password
> > validation routine, not something that communicates with other code.
> > ISVs can presumably be notified via all the usual press
> > release/newsletter.  SDK is a no-op (ibid).  Documentation you already
> > mentioned.  Threat models?  All you need is something that repeatedly
> > tries the same (incorrect) password.  I can do that in a batch file.
> >
> >   Regression testing is the one significant and legitimate objection
> > in your list.  Code/behavior changes can have surprising
> > repercussions, and for something as commonly needed as password
> > validation, there are a lot of places it could hit.  Touche.
> >
> >   But I maintain, compared to all the resources Microsoft puts into
> > much less productive ends, this would be a justifiable and reasonable
> > pursuit.  But I suppose Microsoft has better things to do, like
> > writing the next version of Active Windows Desktop Search Live
> > Ultimate Edition .NET Professional.  Hurmph.
> >
> > -- Ben
> >
> > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
> > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~
>
>

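Added example (not part of this thread, and not Microsoft's or any listed product's code): the "delay in the password validation routine" Ben describes, written in Python as a per-account progressive back-off. The class name BackoffValidator, its parameters (free_attempts, base_delay, max_delay) and the user "jsmith" with its password are assumptions made for the example; the salted PBKDF2 hashes stand in for whatever credential store the real system has. The guesses_within helper shows what the back-off does to the brute-force question argued above: with the assumed defaults an online attacker who retries the instant each wait expires gets only a few dozen evaluated guesses per account per day, regardless of how long or short the password is.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; use far more in production


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # attempts before this time are refused unevaluated


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class BackoffValidator:
    """Password check wrapped in a per-account progressive delay (hypothetical API).

    The first `free_attempts` failures cost nothing; every further failure doubles
    the wait before the next attempt, capped at `max_delay` seconds.  A success
    resets the counter.  Attempts arriving inside the wait are refused without
    evaluating the password and without extending the wait, so a flood of bad
    guesses slows an attacker down but cannot lock the real user out for good.
    """

    def __init__(self, credentials, free_attempts=3, base_delay=1.0, max_delay=3600.0):
        # Constructed credential store: user -> (salt, PBKDF2 digest).
        self._store = {}
        for user, pw in credentials.items():
            salt = os.urandom(16)
            self._store[user] = (salt, _derive(pw, salt))
        # Dummy entry so an unknown user costs the same hashing time as a known
        # one; the response time then does not reveal which accounts exist.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, _derive(os.urandom(16).hex(), dummy_salt))
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}

    def _check(self, user: str, password: str) -> bool:
        salt, digest = self._store.get(user, self._dummy)
        match = hmac.compare_digest(_derive(password, salt), digest)
        return match and user in self._store

    def delay_for(self, failures: int) -> float:
        """Seconds to wait after `failures` consecutive failed attempts."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts), self.max_delay)

    def attempt(self, user: str, password: str, now: float):
        """Try a login at time `now`. Returns (accepted, seconds until the next attempt is allowed)."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return False, st.locked_until - now   # refused, password not evaluated
        if self._check(user, password):
            self._state[user] = AccountState()    # success clears the back-off
            return True, 0.0
        st.failures += 1
        wait = self.delay_for(st.failures)
        st.locked_until = now + wait
        return False, wait


def guesses_within(validator: BackoffValidator, user: str, horizon: float) -> int:
    """Upper bound on evaluated guesses an online attacker gets against one account
    within `horizon` seconds, assuming every guess is wrong and the attacker retries
    the instant each wait expires."""
    now, count = 0.0, 0
    while now <= horizon:
        _, wait = validator.attempt(user, "definitely-wrong-guess", now)
        count += 1
        now += wait
    return count


if __name__ == "__main__":
    v = BackoffValidator({"jsmith": "correct horse battery"})   # constructed sample account
    for n in range(6):
        print(n, v.attempt("jsmith", f"wrong{n}", 0.0))
    print("guesses per day:", guesses_within(BackoffValidator({"jsmith": "x"}), "jsmith", 86400))
```

The one design choice worth noting is that attempts inside the wait do not extend it. If they did, anyone who can reach the login prompt could keep a victim's account locked indefinitely with a trickle of bad guesses, which is the usual objection to hard lockout policies; a fixed, capped delay keeps the throttling without handing out that denial of service.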
