Nope. I should have more accurately said passphrase instead of password.

And, I have no problems with people writing down passwords, as long as they keep them on their persons, as in a wallet or purse.

On 12/25/07, Martin Blackstone <[EMAIL PROTECTED]> wrote:
> With all you can use Post-It notes for the duration of said password.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 25, 2007 12:15 PM
> To: NT System Admin Issues
> Subject: Re: Audit recommendation
>
> I'm going to seriously propose, at my place of work, a new password
> standard for standard users:
>
> 16 or more characters, the usual password complexity, changed once a year.
>
> I think it's a good tradeoff.
>
> On 12/24/07, kenw <[EMAIL PROTECTED]> wrote:
> > In general, I think the idea of progressive back-off is a good one, and
> > probably simple to implement.
> >
> > Long, hard-to-remember, frequently-changed passwords are a bad idea.
> > They get written down in all sorts of places. I've yet to hear a good
> > argument for frequent password changes in most environments, for
> > ordinary users. If other aspects of password security are well managed,
> > it accomplishes little, and in practice, most people cheat.
> >
> > Think testing. Software usability testing seems to be done rarely in
> > the Microsoft world. It does no good to say "people should" this or
> > that. Live in the real world, write software that actually, testably
> > delivers the results you want it to.
> >
> > For example, consider software that actually _helps_ people create
> > passwords that are both hard to guess and relatively easy to remember.
> > No, it's not a silly idea, it exists, but it's not from Microsoft.
> >
> > /kenw
> >
> > > -----Original Message-----
> > > From: Ben Scott [mailto:[EMAIL PROTECTED]
> > > Sent: December-24-07 1:10 AM
> > > To: NT System Admin Issues
> > > Subject: Re: Audit recommendation
> > >
> > > On Dec 23, 2007 11:00 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > > >> Brute force attacks can be effective against even long passwords,
> > > >
> > > > Really? How long do you think it would take you to brute force a 15
> > > > character, complex, password, over FTP?
> > >
> > > It all depends on how you define "long" and "complex". And I missed
> > > the part where this was over FTP. But yes, if you have a 20 character
> > > password consisting of an evenly-distributed random selection of all
> > > possible characters one can type on a keyboard, and you're connected
> > > via remote Internet link, it will be very hard to brute force in
> > > reasonable time. Or even unreasonable time. But if you're on the LAN
> > > and the password is "jsmith02051982" or some other similar password
> > > that's very likely to be in actual use in the real world, then not so
> > > much.
> > >
> > > Yes, one can -- and, indeed, should -- decry weak passwords as a big
> > > practical security problem. That doesn't mean the situation isn't
> > > realistic. It also doesn't mean countermeasures against
> > > brute/dictionary attacks should be abandoned.
> > >
> > > > Total effort is more than writing a few lines of code (someone has to
> > > > do the documentation, it needs to work with other APIs,
> > > > ISVs would need to be notified, SDKs/documentation would need to be
> > > > updated, regression tests and threat models
> > > > written and tested etc)
> > >
> > > I think you're being needlessly difficult here, so I'll respond in
> > > kind: Lack of documentation has never stopped Microsoft before.
> > > Working with other APIs is a no-op; this is a delay in the password
> > > validation routine, not something that communicates with other code.
> > > ISVs can presumably be notified via all the usual press
> > > release/newsletter. SDK is a no-op (ibid). Documentation you already
> > > mentioned. Threat models? All you need is something that repeatedly
> > > tries the same (incorrect) password. I can do that in a batch file.
> > >
> > > Regression testing is the one significant and legitimate objection
> > > in your list. Code/behavior changes can have surprising
> > > repercussions, and for something as commonly needed as password
> > > validation, there are a lot of places it could hit. Touché.
> > >
> > > But I maintain, compared to all the resources Microsoft puts into
> > > much less productive ends, this would be a justifiable and reasonable
> > > pursuit. But I suppose Microsoft has better things to do, like
> > > writing the next version of Active Windows Desktop Search Live
> > > Ultimate Edition .NET Professional. Hurmph.
> > >
> > > -- Ben
> > >
> > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> > > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
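The "progressive back-off" kenw endorses and the "delay in the password validation routine" Ben describes, written out as an added example (this is not code from any poster on the thread, nor a Windows component): a per-account authenticator that doubles the wait after each failure up to a cap, plus the arithmetic for what that does to a guesser who retries the instant each wait expires. The PBKDF2 iteration count, the 1 s base, factor 2 and 300 s cap are assumptions chosen for illustration.

```python
"""Progressive back-off on failed logins (added example, not from the thread).

After n consecutive failures on an account the next attempt is refused,
without even evaluating the password, until base * factor**(n-1) seconds
(capped at max_delay) have elapsed.  A success resets the counter.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 50_000  # assumed for the example; tune per deployment


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 credential record: (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


class BackoffAuthenticator:
    """Per-account exponential back-off around a constant-time password check."""

    def __init__(self, users, base_delay=1.0, factor=2.0, max_delay=300.0,
                 clock=time.monotonic):
        self._users = users            # username -> (salt, digest)
        self.base_delay = base_delay
        self.factor = factor
        self.max_delay = max_delay
        self._clock = clock            # injectable so tests can fake time
        self._state: dict[str, _State] = {}
        # Dummy record so an unknown username costs the same hash work as a
        # real one (no username enumeration via response time).
        self._dummy = make_record(os.urandom(16).hex())

    def delay_after(self, failures: int) -> float:
        """Seconds the account is frozen after `failures` consecutive failures."""
        return min(self.base_delay * self.factor ** (failures - 1), self.max_delay)

    def authenticate(self, user: str, password: str) -> tuple[bool, float]:
        """Return (accepted, seconds until the next attempt will be evaluated)."""
        now = self._clock()
        state = self._state.setdefault(user, _State())
        if now < state.locked_until:
            # Still inside the back-off window: refuse without checking.
            return False, state.locked_until - now
        salt, expected = self._users.get(user, self._dummy)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if user in self._users and hmac.compare_digest(actual, expected):
            self._state[user] = _State()   # success resets the counter
            return True, 0.0
        state.failures += 1
        wait = self.delay_after(state.failures)
        state.locked_until = now + wait
        return False, wait


def attempts_per_window(window_s, base_delay=1.0, factor=2.0, max_delay=300.0):
    """Guesses against ONE account that an attacker who retries the moment
    each back-off expires can fit into window_s seconds."""
    t, n = 0.0, 0
    while t < window_s:          # attempt n+1 starts once n failures' delays elapsed
        n += 1
        t += min(base_delay * factor ** (n - 1), max_delay)
    return n


class FakeClock:
    """Deterministic clock for the demo below."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    # Constructed sample account; the guess is Ben's "jsmith02051982" style.
    auth = BackoffAuthenticator({"jsmith": make_record("correct horse battery staple")},
                                clock=clock)
    for _ in range(4):
        ok, wait = auth.authenticate("jsmith", "jsmith02051982")
        print(f"t={clock():6.1f}s accepted={ok} next attempt in {wait:.0f}s")
        clock.advance(wait)
    print("guesses per day on one account with this policy:", attempts_per_window(86400))
```

With these parameters an attacker who waits exactly as long as told gets 296 guesses per account per day, against millions per day for an unthrottled check on the LAN; a dictionary of "name + birthdate" candidates no longer fits in a lunch break, while a user who fat-fingers their passphrase twice waits three seconds. The caveats a reviewer would raise: the freeze applies to the correct password too, so anyone who can reach the login prompt can keep a named account locked (key the back-off on source address as well, or cap it low enough that this is a nuisance rather than an outage), and the state lives in one process here, so a farm of login servers needs a shared store or the counters reset across nodes.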
