>> To enable the user who has access to the multi-million dollar stock account to use a failword, the infrastructure would need to be there for the little guy like me.

Not necessarily, no, as evidenced by the fact that it is clearly implemented in some places, but not others.

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market...

On Thu, Aug 18, 2011 at 3:23 PM, Hilderbrand, Doug <[email protected]> wrote:
> I'd say pretty much everything is becoming a computing environment. I guess I'm saying that whether implemented or not maybe failwords need to be built in from the ground up.
>
> To enable the user who has access to the multi-million dollar stock account to use a failword, the infrastructure would need to be there for the little guy like me.
>
> At the local hardware/ big box store 5 tries and you're out is fine. Maybe not at the bank.
>
> Are we so fixated on low hanging fruit that we can't set our sights any higher?
>
> I've never found that "we've always done it that way" was a good reason for anything. By itself. I do realize that inertia is a force of nature.
>
> Doug Hilderbrand | Systems Analyst, Information Technology | Crane Aerospace & Electronics
> Work: 425-743-8172 | Mobile: 425-835-DOUG(3684)
>
> -----Original Message-----
> From: Harry Singh [mailto:[email protected]]
> Sent: Thursday, August 18, 2011 11:52 AM
> To: NT System Admin Issues
> Subject: Re: Why not failwords?
>
> I could be missing your objective here, but could you explain how this would work in a computing environment? You use the *h@rd3r* password on relatively sensitive websites (banks, corporate login, email etc) and use your failword for everything else? Would you expect, as an example, an AD database to store two sets of passwords? And if brute force occurs the weaker password (failword) is obtained and subsequently used triggering a security event?
>
> I could be missing the efficacy of using a failword in a computing environment entirely.
>
> Cheers,
>
> Harry
>
> On Thursday, August 18, 2011, William Robbins <[email protected]> wrote:
> > That's always the balance security has to walk between what's safe and what's usable. But as Ben said, the more usable you make it and allowing for PEBKAC errors, the easier it is for it to be compromised.
> >
> > I do the CAPS lock thing on occasion, or whatever too...but after that first notification I pay attention to everything to be certain I don't lock my account. 3 - 5 attempts should be more than adequate I think.
> >
> > - WJR
> >
> > On Thu, Aug 18, 2011 at 13:24, Hilderbrand, Doug <[email protected]> wrote:
> > > Let's just drop the SG thing. I didn't mean to start a flame war.
> > >
> > > I don't like lockout attempt settings too low. On more occasions than I'd like to admit, I have used up multiple attempts because of a caps-lock issue or because I'm trying to get a valid password *from a different site* to work or something else silly. I think we're all id10ts at one time or another.
> > >
> > > Doug Hilderbrand | Systems Analyst, Information Technology | Crane Aerospace & Electronics
> > >
> > > -----Original Message-----
> > > From: Ben Scott [mailto:[email protected]]
> > > Sent: Thursday, August 18, 2011 11:10 AM
> > > To: NT System Admin Issues
> > > Subject: Re: Why not failwords?
> > >
> > > On Thu, Aug 18, 2011 at 1:25 PM, Hilderbrand, Doug <[email protected]> wrote:
> > > > Why hasn't anyone implemented fail words?
> > >
> > > These are called "duress codes" and are commonly assigned for things like security alarms, locks (like your bank vault), etc. The key aspect of a duress code is that *it appears to succeed like the normal code would*. It notifies responders without alerting the point-of-use. They're intended to protect the person under duress. If the duress code refused entry (or acted like bad password, etc.), the attacker could harm the person under duress.
> > > If all the person under duress cares about is protecting the asset, they just refuse to enter any code and take the knife to the guts.
> > >
> > > Looking for common words as a trap against untargeted attacks adds nothing; you should already be implementing lockout after a few failed attempts.
> > >
> > > Stop listening to GRC. While he's not a complete idiot, he's often misinformed, and Can't! Talk! About! Anything! Like! It's! Not! The! Most! Amazing! Thing! Ever!, even if what he's just "discovered" or "invented" has been well-known for decades.
> > >
> > > -- Ben
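Ben's description of a duress code (it must look exactly like a normal success at the point of use while notifying responders) and Harry's question about storing a second verifier, as an added example that is not part of the original thread: a small Python login check that keeps a password verifier and a duress-code verifier per account, returns the same answer for either, records a silent alert only for the duress code, and applies the lockout after a few failed attempts that Ben says should already be in place. The `Account` class, the `alerts` list standing in for a notification channel, and the PBKDF2 parameters are my assumptions, not anything from the list.

```python
import hashlib
import hmac
import os


def _verifier(secret: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 so neither the password nor the duress code is stored
    # in the clear; iteration count is an assumption for this demo only.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """One account holding a normal password and a duress code (assumed design)."""

    def __init__(self, password: str, duress_code: str, lockout_threshold: int = 5):
        self.salt = os.urandom(16)
        self.pw_hash = _verifier(password, self.salt)
        self.duress_hash = _verifier(duress_code, self.salt)
        self.lockout_threshold = lockout_threshold
        self.failures = 0
        self.locked = False
        self.alerts = []  # stands in for a silent notification to responders

    def login(self, attempt: str) -> str:
        """Return 'success', 'failure' or 'locked'; the caller cannot tell duress from normal."""
        if self.locked:
            return "locked"
        candidate = _verifier(attempt, self.salt)
        # Evaluate both comparisons every time so the duress path costs the same
        # as the normal path; compare_digest keeps the comparison constant-time.
        is_password = hmac.compare_digest(candidate, self.pw_hash)
        is_duress = hmac.compare_digest(candidate, self.duress_hash)
        if is_password or is_duress:
            self.failures = 0
            if is_duress:
                # Responders are notified out of band; the session proceeds normally.
                self.alerts.append("duress login")
            return "success"
        # Ordinary bad password: count it and lock out after the threshold.
        self.failures += 1
        if self.failures >= self.lockout_threshold:
            self.locked = True
            return "locked"
        return "failure"
```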
