You're confusing security with compliance ;P Hopefully even auditors will eventually move away from checklists .. it's starting to dawn on the US government at least with their continuous monitoring push. a
________________________________
From: Webster [mailto:[email protected]]
Sent: 10 August 2011 23:11
To: NT System Admin Issues
Subject: RE: Almost, but not quite OT: Passwords

Because the security team and/or auditor are simply following a checklist. Complex passwords required - check. My job is done.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Steve Kradel [mailto:[email protected]]
Sent: Wednesday, August 10, 2011 5:06 PM
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords

It looks like Randall @ xkcd supposes each word in "correct horse battery staple" has 11 bits of entropy, which is to say, the person choosing the password has a comfortable vocabulary of 2^11 (2,048) words from which he will pick four at random. (2048^4 is the same as 2^44.) I think 2,048 words is a pretty low estimate, at least in English, but that's not really the point...

On the other hand, he suggests forcing people to choose "strong" passwords presses humans into a doofy pattern that is actually much *less* random than four dictionary words. 16 bits of uncertainty for the "uncommon base word" means the user has possibly picked a "difficult" dictionary word (from a vocabulary of 2^16 = 65,536 words -- generously more than a normal person knows), and then mangles it up a little bit in semi-predictable ways to satisfy the password strength checker.

It definitely raises an interesting question... why do so many organizations elect for minimum 8-character complex passwords, instead of "non-complex" passphrases of at least 16 or 20 characters, when the latter would be easier to remember and probably stronger?

--Steve

On Wed, Aug 10, 2011 at 5:33 PM, Crawford, Scott <[email protected]> wrote:

Interesting. I'd like to understand how the bits of entropy are calculated though.

From: Andrew S. Baker [mailto:[email protected]]
Sent: Wednesday, August 10, 2011 4:06 PM
To: NT System Admin Issues
Subject: Almost, but not quite OT: Passwords

http://xkcd.com/936/

Yet, very pertinent.

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market...

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
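Added example, not from any poster in this thread: a short Python script that reproduces the arithmetic Steve describes (four words drawn at random from a 2^11 vocabulary give 4 x 11 = 44 bits; a 16-bit "uncommon base word" plus the mangling steps gives 28 bits) and sets both beside a truly random 8-character password over 95 printable characters, as one answer to Scott's question about how the bits are counted. The per-step mangling bits (caps 1, common substitutions 3, numeral 3, punctuation 4, order 1) and the 1,000 guesses/second rate are taken from xkcd 936 itself; the word list is a constructed toy, and the passphrase generator uses the OS CSPRNG because the 44-bit figure only holds when the words are actually picked at random rather than by the user.

```python
"""Reproduce the entropy arithmetic behind xkcd 936 ("correct horse battery staple").

Added example for this thread; it is not code from any poster. The bit tallies
for the mangled-word scheme are the ones printed in the comic (16-bit base word
plus 1 + 3 + 3 + 4 + 1 bits of mangling = 28 bits); 1,000 guesses/second is the
comic's "plausible attack on a weak remote web service" rate. The word list is a
tiny constructed stand-in: a real diceware-style list has thousands of entries.
"""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Mangling steps and the bits the comic credits to each (taken from xkcd 936).
XKCD_MANGLING_BITS = {
    "caps": 1,
    "common substitutions": 3,
    "numeral": 3,
    "punctuation": 4,
    "order": 1,
}


def passphrase_entropy_bits(num_words, vocab_size):
    """Entropy of num_words picked uniformly at random from vocab_size words.

    This only holds when a random process picks the words; a user choosing
    "favourite" words has a far smaller effective vocabulary than the list.
    """
    return num_words * math.log2(vocab_size)


def mangled_word_entropy_bits(base_word_bits, mangling_bits):
    """Entropy of one dictionary word plus the listed mangling steps."""
    return base_word_bits + sum(mangling_bits.values())


def random_charset_entropy_bits(length, charset_size):
    """Entropy of a truly random string, e.g. 8 chars over 95 printable ASCII."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate; the expected time to a hit is half of this."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(word_list, num_words=4):
    """Pick words with the OS CSPRNG so passphrase_entropy_bits() actually applies."""
    return " ".join(secrets.choice(word_list) for _ in range(num_words))


# Constructed toy word list; a real list would hold ~2048+ words (11 bits each).
TOY_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern", "maple", "quartz"]

if __name__ == "__main__":
    rate = 1000  # guesses per second, the comic's remote-web-service scenario
    cases = {
        "mangled word (Tr0ub4dor&3 style)": mangled_word_entropy_bits(16, XKCD_MANGLING_BITS),
        "4 random words from 2048": passphrase_entropy_bits(4, 2048),
        "8 truly random printable chars": random_charset_entropy_bits(8, 95),
    }
    for label, bits in cases.items():
        years = seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR
        print(f"{label:36s} {bits:5.1f} bits  ~{years:10.1f} years at {rate}/s")
    print("sample passphrase:", generate_passphrase(TOY_WORDS))
```

The third row is the point behind Steve's closing question: a genuinely random 8-character complex password (about 52.6 bits) would beat the four-word passphrase, but the 28-bit row is what people actually produce under a complexity rule, while the random-word passphrase keeps its 44 bits as long as a generator, not a human, chooses the words.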
