Post #204,372
4/21/05 7:47:02 PM
|
Re: Let's say I'm a bad guy
If I'm the bad guy, I love policies like this. By making passwords harder to remember, people are pretty much forced to write their passwords down. All I need to do is get access to their offices, where I can look at the post-its on their monitors, look under their keyboards, or open their desk drawers.
|
Post #204,383
4/22/05 7:44:21 AM
|
BINGO!
If you have a strong password initially and you have a lockout after a few attempts, there is no point in constantly changing unrememberable passwords. It just makes things worse.
|
Post #204,397
4/22/05 9:37:09 AM
|
Yep, during a security audit at a gov agency I worked at
the investigators explained they came up with over 50 valid logins without ever turning on a computer, just by walking around the office after hours.
"Whenever you find you are on the side of the majority, it is time to pause and reflect" --Mark Twain
"The significant problems we face cannot be solved at the same level of thinking we were at when we created them." --Albert Einstein
"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses." --George W. Bush
|
Post #204,410
4/22/05 10:57:58 AM
|
What's the alternative?
I hear the chorus, "this is stupid. it's too hard to remember. bad guys might take advantage of it." What alternative do you propose? What do you think will be simple enough that users won't write down passwords on post-its? In my experience, there is no such animal. They will do that even if you only require a single character.
----------------------------------------- "In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican." -- H. L. Mencken
Support our troops, Impeach Bush. D. D. Richards
|
Post #204,413
4/22/05 11:12:12 AM
|
Yeabut requiring frequent changes makes it worse.
A reasonably complex password is required, but realistically it's probably necessary - in addition - to have an audit policy in place. Is there suspicious usage of accounts? Are accounts being used in new and unexplained ways?
I don't know how you'd do that in an automated fashion that would be smart enough to catch unusual usage. I expect that few companies would be willing to dedicate a person or more to watching account activity.
Maybe an additional statement like: "All activity on the corporate computers may be logged. You are responsible for the security of your account. Treat it like your Social Security number..." would help people to take passwords seriously.
IMO, having a reasonably complex password that people can remember is much more important than changing them every 30 days. If they're complex and frequently change, then people will make cheat sheets. If things are audited, then I think yearly password changes are more than sufficient (and/or requiring changes when people leave).
Cards or fingerprint readers are probably much more secure than complex, frequently changed passwords, given human nature.
My $0.02.
Cheers, Scott.
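The post above asks how one would catch unusual account usage in an automated way. As an added illustration (not code from the thread or any poster), here is a small baseline-and-deviation check over constructed login records: for each account it learns the hosts and hours of day seen in a training period, then flags later successful logins from a new host, at an hour outside both business hours and that account's history, or preceded by a burst of failures. The log format, the host names and the thresholds are all assumptions made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from any real system). Assumed format:
#   <ISO timestamp> LOGIN user=<name> host=<hostname> result=<ok|fail>
SAMPLE_LOG = """\
2005-04-18T08:12:04 LOGIN user=alice host=ws-finance-07 result=ok
2005-04-18T09:03:11 LOGIN user=bob host=ws-eng-12 result=ok
2005-04-19T08:20:45 LOGIN user=alice host=ws-finance-07 result=ok
2005-04-19T17:55:02 LOGIN user=bob host=ws-eng-12 result=ok
2005-04-20T08:05:33 LOGIN user=alice host=ws-finance-07 result=ok
2005-04-20T23:41:09 LOGIN user=alice host=ws-eng-03 result=ok
2005-04-21T02:14:50 LOGIN user=bob host=ws-eng-12 result=fail
2005-04-21T02:15:07 LOGIN user=bob host=ws-eng-12 result=fail
2005-04-21T02:15:21 LOGIN user=bob host=ws-eng-12 result=ok
"""

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) host=(\S+) result=(ok|fail)$")


def parse(log_text):
    """Turn log lines into (timestamp, user, host, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events


def build_baseline(events, cutoff):
    """Per-account sets of hosts and login hours observed in successful logins before cutoff."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for ts, user, host, result in events:
        if result == "ok" and ts < cutoff:
            hosts[user].add(host)
            hours[user].add(ts.hour)
    return hosts, hours


def failures_before(events, idx, window=timedelta(minutes=5)):
    """Count failed attempts for the same account in the window preceding event idx."""
    ts, user, _, _ = events[idx]
    return sum(1 for ts2, user2, _, result2 in events[:idx]
               if user2 == user and result2 == "fail" and ts - ts2 <= window)


def find_anomalies(events, cutoff, business_hours=range(7, 20)):
    """Flag successful logins after cutoff that deviate from the account's baseline."""
    hosts, hours = build_baseline(events, cutoff)
    findings = []
    for idx, (ts, user, host, result) in enumerate(events):
        if ts < cutoff or result != "ok":
            continue
        reasons = []
        if host not in hosts[user]:
            reasons.append("new host %s" % host)
        if ts.hour not in business_hours and ts.hour not in hours[user]:
            reasons.append("unusual hour %02d:00" % ts.hour)
        n_fail = failures_before(events, idx)
        if n_fail:
            reasons.append("%d failed attempts in preceding 5 min" % n_fail)
        if reasons:
            findings.append((user, ts.isoformat(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Baseline from the first two days, then review everything after 2005-04-20.
    for user, when, why in find_anomalies(parse(SAMPLE_LOG), datetime(2005, 4, 20)):
        print(user, when, why)
```

The baseline window and the "business hours" range are the knobs a reviewer would tune; the point is that a handful of per-account features (where, when, how many failures first) is enough to turn a raw login log into a short list a person can actually look at.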
|
Post #204,426
4/22/05 11:44:09 AM
|
As I said before
I would prefer complex passwords with a lengthy expiration. I am constrained by corporate policy in this matter and can only relay to my users the requirements.
|
Post #204,429
4/22/05 11:45:27 AM
|
Understood. :-)
|
Post #204,415
4/22/05 11:15:29 AM
|
single signon with a 90 day passwd expiration
8 char minimum must contain alphanumeric and one special character. Pine4est! Me1ikebeer! as examples. thanx, bill
All tribal myths are true, for a given value of "true" Terry Pratchett [link|http://boxleys.blogspot.com/|http://boxleys.blogspot.com/]
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 48 years. meep questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
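The post above states a concrete rule (8 character minimum, alphanumeric plus one special character) and an earlier post (#204,383) argues that a strong initial password plus lockout after a few attempts makes constant changes unnecessary. As an added example that is not code from either poster, here is a checker for that stated rule together with a failure-counting lockout, wired into a demo login routine. The in-memory user store, the salted SHA-256 hashing, the lockout thresholds and the user name are all constructed for this illustration (a production system would use a slow password hash such as bcrypt, scrypt or Argon2).

```python
import hashlib
import hmac
import os
import string

SPECIAL = set(string.punctuation)


def meets_policy(password, min_len=8):
    """The rule as stated in the thread: at least 8 characters, with letters,
    digits and at least one special (punctuation) character."""
    return (len(password) >= min_len
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIAL for c in password))


class LockoutPolicy:
    """Lock an account after max_failures failed attempts within `window`
    seconds; the lock lasts `lockout` seconds. Times are plain epoch seconds
    so the logic is easy to test without sleeping."""

    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # user -> timestamps of recent failures
        self._locked_until = {}  # user -> epoch second when the lock expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []
            return True  # account is now locked
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


class DemoUserStore:
    """Constructed in-memory store; salted SHA-256 is for illustration only."""

    def __init__(self):
        self._users = {}

    def set_password(self, user, password):
        if not meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(digest, candidate)


def attempt_login(store, policy, user, password, now):
    """Returns "locked", "ok" or "fail"; a locked account is refused even
    with the right password until the lock expires."""
    if policy.is_locked(user, now):
        return "locked"
    if store.verify(user, password):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now)
    return "fail"


if __name__ == "__main__":
    store, policy = DemoUserStore(), LockoutPolicy(max_failures=3)
    store.set_password("bill", "Me1ikebeer!")  # example password from the thread
    for t, pw in [(0, "wrong1!x"), (10, "wrong2!x"), (20, "wrong3!x"),
                  (30, "Me1ikebeer!"), (20 + 1801, "Me1ikebeer!")]:
        print(t, attempt_login(store, policy, "bill", pw, t))
```

The lockout check happens before the password is verified, so a locked account gives no information about whether the supplied password was right; the failure counter is also reset on success, so a legitimate user's occasional typo does not accumulate toward a lock over weeks.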
|
Post #204,430
4/22/05 11:46:37 AM
|
Single signon is a happy dream
I would love it if it were so but I have no expectation of it happening anytime in the near future.
|
Post #204,432
4/22/05 11:57:02 AM
|
Problem with SSO
You now have to educate users to lock their computer when they walk away. Otherwise, anyone will have their access if they happen to catch the workstation unattended. I will not use SSO, I'd rather log in to each application/system myself.
Here SSO is being actively pushed/encouraged. All new apps MUST be SSO compatible.
A good friend will come and bail you out of jail ... but, a true friend will be sitting next to you saying, "Damn...that was fun!"
|
Post #204,480
4/22/05 1:48:35 PM
|
Pretty much everyone will write it down anyways
Computer-knowledgeable people excluded (somewhat).
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|