Each approach has drawbacks and each has strengths.

A strong password only mitigates one kind of attack, and in 2010, it's not
even the most prevalent way of breaching a system.

Frequent password changes don't necessarily make things safer.  Certainly
not today when it takes only a few hours or days to steal whatever the
necessary data is for identity theft or to negatively impact customers (in
the case of a business).  How many of you change the PIN on your bank
cards regularly?

The most aggressive password changing frequency that I've seen in practice
has been 30 days.  This still leaves a great deal of time to steal critical
data before the password has to be changed, and in most cases, the goal is
to break into a system and establish backdoors that obviate the need for
other people's passwords.

Passphrases are good, but can be tedious if used on systems that must be
logged onto frequently.  And, unfortunately, many systems only support
password lengths of less than 20 characters.  I'm particularly annoyed by
password systems on the web that only allow alphanumeric characters.

I think that most users will have an easier time maintaining basic password
practices if we don't force them to keep 100 passwords in memory, some of
which must be rotated regularly.  And we should promote password management
tools, so long as they are properly protected.

Personally, I have classes of passwords depending on the criticality of the
resource being protected.  For wimpy internet sites storing no real data, I
use a particular password variation for all of this class of sites.  As I
move to sites that have more critical or personal data, the uniqueness and
complexity factor goes up, and the sharing factor goes down.   And I still
keep this in a password management app, encrypted by TrueCrypt.

If the right kinds of tradeoffs are not made, then the security will be
circumvented altogether (e.g. sticky pad), or there will be huge productivity
losses (e.g. frequent password reset requests).

-ASB: http://xeesm.com/AndrewBaker



On Fri, Apr 16, 2010 at 12:55 AM, Kurt Buff <[email protected]> wrote:

> See the thread here:
>
> http://www.securityfocus.com/archive/105/510384/30/0/threaded
>
> In particular, the comments by Ansgar Wiechers.
>
> There seems to be some room for debate on this subject.
>
> On Thu, Apr 15, 2010 at 15:40, Crawford, Scott <[email protected]>
> wrote:
> > Jesper Johansson talks about the difficulty in cracking pass phrases in
> part
> > 2 of 3 of this series
> >
> >
> >
> > The Great Debates: Pass Phrases vs. Passwords.
> >
> > http://technet.microsoft.com/en-us/library/cc512613.aspx
> >
> >
> >
> >
> >
> > From: David Lum [mailto:[email protected]]
> > Sent: Thursday, April 15, 2010 4:49 PM
> > To: NT System Admin Issues
> > Subject: RE: please don't change your password!
> >
> >
> >
> > Fortunately I have more than 60 days for each password (errr, passphrase
> > Sherry!). What gets screwy is when I hop from network to network since I
> > don’t use the same ones everywhere. My first long passwords were “This
> > password is hard to guess” then changed to “This password is harder to
> > guess”, “This password is even harder to guess”, LOL.
> >
> >
> >
> > I heard somewhere that dictionary attacks can figure out phrases, anyone
> > able to shed any light on that? I do substitute letters with
> numbers/symbols
> > on occasion but not everywhere.
> >
> > David Lum // SYSTEMS ENGINEER
> > NORTHWEST EVALUATION ASSOCIATION
> > (Desk) 971.222.1025
> > // (Cell) 503.267.9764
> >
> >
> >
> > From: Brian Clark [mailto:[email protected]]
> > Sent: Thursday, April 15, 2010 2:09 PM
> > To: NT System Admin Issues
> > Subject: Re: please don't change your password!
> >
> >
> >
> > Funny ones at that! Question is how often do you have to re-enter them,
> as
> > your typing is so good! ;)
> >
> >
> >
> > On 15 April 2010 22:03, Sherry Abercrombie <[email protected]> wrote:
> >
> > Actually, those are considered pass-phrases I do believe. ;)
> >
> >
> >
> > On Thu, Apr 15, 2010 at 3:57 PM, David Lum <[email protected]> wrote:
> >
> > I am very good at long “passwords”, and so is anyone that can type using
> > correct punctuation. The biggest hindrance to long password use is
> systems
> > that limit the length of the password.
> >
> >
> >
> > Examples of complex long passwords include:
> >
> >
> >
> > I would like a beer from the refrigerator. Now.
> >
> > Why don’t you close the door ALL the way?
> >
> > You’re not wearing that outside, are you?
> >
> > The person watching me can’t believe how long this password is.
> >
> >
> >
> > And when it’s time to change the long password:
> >
> >
> >
> > I would REALLY like a beer from the refrigerator. Now!
> >
> > Why don’t you close the door ALL the way next time?
> >
> > You’re not wearing that outside, are you? Seriously?
> >
> > The person watching me really can’t believe how long this password is.
> >
> >
> >
> > Etc…
> >
> >
> >
> > I love how big people's eyes get when they see my typing in my 27 character
> > Windows password, I HATE the systems that limit me to 15 or less.
> >
> >
> >
> > Dave
> >
> >
> >
> >
> >
> > From: Jon Harris [mailto:[email protected]]
> > Sent: Thursday, April 15, 2010 1:45 PM
> > To: NT System Admin Issues
> > Subject: Re: please don't change your password!
> >
> >
> >
> > Sounds like someone trying to generate reader interest and FUD.  A quick
> > search seems he likes controversial subjects/items.  Since passwords are
> the
> > de facto standard for most Internet sites for protection of customers, I
> see
> > no reason for someone to keep the same password for ever, unless you are
> > good at generating very long complex passwords.
> >
> >
> >
> > Jon
> >
> > On Thu, Apr 15, 2010 at 4:37 PM, Brian Clark <
> [email protected]>
> > wrote:
> >
> > After a long week doing a SBS migration I didn't know how to take this
> > article and needed to share it!!
> >
> >
> >
> >
> http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1
> >
> >
> >
> >
> >
> > Brian
> >
>
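Two points in the thread above invite a worked illustration: David's question of whether dictionary attacks can "figure out phrases", and the rotation scheme of adding a word or a punctuation mark to last period's passphrase ("I would like a beer..." becoming "I would REALLY like a beer...!"). The script below is an added example, not code from any participant in this thread or from the articles they link. It constructs sample passphrases modelled on David's examples (with straight quotes), hashes the rotated versions with unsalted SHA-256 purely so there is something to attack, and then shows that an attacker who knows the previous passphrase only needs a few hundred guesses built from simple mangling rules to recover the new one. The rule lists (intensifiers, suffixes, trailing sentences) are hypothetical and chosen for the illustration; the hash choice is an assumption (real systems should use a slow, salted hash, which changes the cost per guess but not the guess count, which is the point here).

```python
import hashlib
import math

# Constructed sample data for this example: the "old" passphrases a user
# has been using and the rotated versions they chose when forced to change.
OLD_PHRASES = [
    "I would like a beer from the refrigerator. Now.",
    "Why don't you close the door ALL the way?",
    "You're not wearing that outside, are you?",
]
NEW_PHRASES = [
    "I would REALLY like a beer from the refrigerator. Now!",
    "Why don't you close the door ALL the way next time?",
    "You're not wearing that outside, are you? Seriously?",
]

# Hypothetical mangling rules: the kinds of edits people make when they
# "change" a passphrase without really changing it.
INTENSIFIERS = ["REALLY", "really", "very"]
SUFFIXES = [" next time", " again", " today", " please"]
EXTRA_SENTENCES = ["Seriously?", "Really?", "Again?"]


def digest(text):
    """Unsalted SHA-256, used only so the example has a hash to attack."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# The stored hashes of the rotated passphrases (what the attacker holds).
TARGET_HASHES = {digest(p) for p in NEW_PHRASES}


def rotation_guesses(old_phrase):
    """Build the candidate 'rotated' passphrases derived from a known one.

    Rules applied: insert an intensifier at every word boundary, append a
    short suffix to the body, swap the trailing punctuation, and optionally
    tack a short sentence on the end.  Returns a de-duplicated list.
    """
    body = old_phrase.rstrip("?!.")          # text without trailing punctuation
    tail = old_phrase[len(body):]            # the original trailing punctuation
    words = body.split(" ")

    bodies = [body]
    for i in range(1, len(words) + 1):       # intensifier at each position
        for w in INTENSIFIERS:
            bodies.append(" ".join(words[:i] + [w] + words[i:]))
    for suf in SUFFIXES:                     # "... ALL the way next time"
        bodies.append(body + suf)

    puncts = list(dict.fromkeys([tail, ".", "!", "?", "?!", "!!", ""]))
    guesses = []
    for b in bodies:
        for p in puncts:
            guesses.append(b + p)
            for extra in EXTRA_SENTENCES:    # "... are you? Seriously?"
                guesses.append(b + p + " " + extra)
    return list(dict.fromkeys(guesses))      # keep order, drop duplicates


def crack_rotations(old_phrases, target_hashes, max_guesses=100000):
    """Try rotation guesses for each old passphrase against the hash set.

    Returns (cracked, tried): a dict mapping recovered hash -> plaintext and
    the total number of distinct guesses hashed.
    """
    cracked = {}
    seen = set()
    tried = 0
    for old in old_phrases:
        for guess in rotation_guesses(old):
            if guess in seen:
                continue
            seen.add(guess)
            tried += 1
            d = digest(guess)
            if d in target_hashes and d not in cracked:
                cracked[d] = guess
            if tried >= max_guesses:
                return cracked, tried
    return cracked, tried


def search_space_bits(alphabet_size, length):
    """Bits of work to exhaust a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    cracked, tried = crack_rotations(OLD_PHRASES, TARGET_HASHES)
    print("recovered %d of %d rotated passphrases with %d guesses (%.1f bits)"
          % (len(cracked), len(NEW_PHRASES), tried, math.log2(tried)))
    for plaintext in cracked.values():
        print("  ", plaintext)
    # Compare with what the lengths alone would suggest.
    print("random 8-char printable-ASCII password: %.1f bits"
          % search_space_bits(95, 8))
    print("random 47-char printable-ASCII string:  %.1f bits"
          % search_space_bits(95, 47))
```

The comparison at the end is the caveat worth taking from the thread: a 47-character sentence looks like hundreds of bits of key space, but once the previous passphrase is known (a stolen backup, a reused password on a "wimpy" site, a colleague who watched it typed), the rotated version sits about ten bits away. That is why predictable rotation adds little, and why the real gains come from phrases that are not derived from each other, ideally generated and stored by a password manager.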
