Given your almost complete lack of context with your link, it’s hard to tell _WHAT_ you were suggesting… other than disagreeing with Doug’s assessment, which was speaking to…. (ta-da!).. passwords on sticky notes.
-sc From: Kurt Buff [mailto:[email protected]] Sent: Friday, March 16, 2012 12:13 AM To: NT System Admin Issues Subject: Re: Worth some consideration... Don't be obtuse. I made no recommendation with my statement. If you're looking for options, I recommend fully formed but easy to type sentences of at least 20 characters. If they must be written down, advise your clients to keep them in their wallets. Kurt On Thu, Mar 15, 2012 at 16:51, Mack Bolan <[email protected]> wrote: So that makes sticky notes ok? Mack S. Bolan On Thu, Mar 15, 2012 at 5:43 PM, Kurt Buff <[email protected]> wrote: Perhaps you might want to rethink your threat model: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232601717/new-verizon-breach-data-shows-outside-threat-dominated-2011.html On Thu, Mar 15, 2012 at 13:50, Doug Hampshire <[email protected]> wrote: Are you sure about that? The vast majority of security incidents happen on the inside of your network from known individuals. Also it was addressing offline brute force attacks. Most online systems have lockout policies and other countermeasures to limit exposure to brute force attacks. On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <[email protected]> wrote: I'd rather have "good" passwords written down on a sticky note accessible only to a limited number of coworkers than "bad" passwords that can be exploited by any black-hat on the internet. Sent from my Windows Phone ________________________________ From: Heaton, Joseph@DFG Sent: 3/15/2012 11:07 AM To: NT System Admin Issues Subject: RE: Worth some consideration... Wait… I’m NOT supposed to write my password on a sticky note? How am I supposed to let my coworker use my login, then? Joe Heaton ITB – Windows Server Support From: Andrew S. Baker [mailto:[email protected]] Sent: Thursday, March 15, 2012 7:49 AM To: Heaton, Joseph@DFG; NT System Admin Issues Subject: Re: Worth some consideration... That's an implementation problem. If I choose a passphrase of "Mary had a little lamb" then of course that will be relatively weak as passphrases go. That that is not an inherent weakness of passphrases, but of people. Lots of things are undermined by poor choices. Completely random 20 character passwords with a unicode character set are undermined by having them posted on sticky notes. We didn't need a whole article to point that out. ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market… On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <[email protected]> wrote: http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars By Dan Goodin Ars Technica March 14, 2012 Passwords that contain multiple words aren't as resistant as some researchers expected to certain types of cracking attacks, mainly because users frequently pick phrases that occur regularly in everyday speech, a recently published paper concludes. Security managers have long regarded passphrases as an easy-to-remember way to pack dozens of characters into the string that must be entered to access online accounts or to unlock private encryption keys. The more characters, the thinking goes, the harder it is for attackers to guess or otherwise crack the code, since there are orders of magnitude more possible combinations. But a pair of computer scientists from Cambridge University has found that a significant percentage of passphrases used in a real-world scenario were easy to guess. Using a dictionary containing 20,656 phrases of movie titles, sports team names, and other proper nouns, they were able to find about 8,000 passphrases chosen by users of Amazon's now-defunct PayPhrase system. That's an estimated 1.13 percent of the available accounts. The promise of passphrases' increased entropy, it seems, was undone by many users' tendency to pick phrases that are staples of the everyday lexicon. "Our results suggest that users aren't able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language," researchers Joseph Bonneau and Ekaterina Shutova wrote in the paper (PDF), which is titled "Linguistic properties of multi-word passphrases." "Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says. [...] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
