PhoenixDown
-- Wants FIOS
Premium
join:2003-06-08
Fresh Meadows, NY
kudos:1

reply to koam

Re: Please don't change your password.

At work, I have over a dozen different user names and passwords. Most have to be changed monthly; you can't reuse similar combinations; some require special characters and capitalization while others can't accept them; and oh yeah, they have different length requirements. Some are 6, others 8, the rest differ too.

I gave up. I keep a text file with them.
--
~ Insert a Funny Sig Here ~


pnjunction
Teksavvy Extreme
Premium
join:2008-01-24
Toronto, ON
kudos:1

reply to koam
What I don't get about complex passwords is what system will let you 'hammer' it to guess an easy password anyways?

I don't see the point of making the password something that will take 36^16 attempts to guess instead of 10^6 if the system isn't vulnerable to brute-forcing anyways.

Something someone could hammer like a WLAN key OK fine (go ahead and put it in a txt file though), but a website or system login that will lock the account after 3-5 tries, what's the point?

It's most likely someone will get the password from a keylogger or other method and the complexity won't help (or make it worse with post-its or txt files). Sometimes these things are put in place without much thought. Oh but the password has to be complex and change constantly! But why?


averagedude

join:2002-01-30
San Diego, CA

1 edit

reply to KrK
Said by KRK

"By the time they are done you will never ever be able to login to that site again!"

^^2nd^^


munky99999
Munky

join:2004-04-10
canada
Reviews:
·Cybersurf Intern..

reply to koam
Password policy is a sine graph for corporate password policy.

If your password policy allows the CEO or admins to have a password of 123456, you're just asking for all your data to be destroyed.
If your policy is 32 digit superstrong. You spend all day resetting passwords.

Your company's liability and risk dictates where you come in on that graph.

Accounting company? 16 digit strong likely.
Pizzeria? 6 digits lol.
--
if (value == 0)
return value;
else
return 0;


praetoralpha

join:2005-08-06
Pittsburgh, PA

reply to koam
"Password invalid: That one can only be used during a full moon."


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

1 edit

reply to koam
I don't change my passwords. I write them all down and keep them in a folder near me. I don't use browsers to save them. That is guaranteed to mess you up. I find it a HUGE hassle as I have to look up the password for most sites every time as I don't remember them and I have a different one for each site. I have websites keep me logged in forever so usually if somehow I get logged out at a website, I have to look up the password because I never logout and haven't entered the password in months at some sites. This site is the ONLY site where I remember my password because this site not only makes you confirm your password periodically but also won't let you have more than a few simultaneous logins active here so I am constantly getting logged out here and thus I remember the password for here. I've had the same password here since I joined this site.

I wish we had no passwords except for banking sites. The hassle to keep someone from posting as me is really not worth it.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



TakeTheFifth

join:2004-04-20
Anjou, QC
Reviews:
·ELECTRONICBOX

reply to koam
You plan for failure when you ignore human behaviour. Make things complicated for people, and they will make THEIR lives easier. So every 30 days, people pick a real dumb password. 4pril2010* m4y2010* jun32010* ju1y2010* (worse, April2010* May2010* June2010*). Or as many stated, post-it. Either way, you end up satisfying your (and some incompetent auditor's) interpretation of SOX compliance or some other standard at the cost of real security. Same result as the oh so famous statement of the paperless office.

(personal rant; don't mind me)

Phil


horsemouth
Please Clarify My CSP
Premium
join:2002-03-13
canada

reply to PhoenixDown

said by PhoenixDown:

At work, I have over a dozen different user names and passwords. Most have to be changed monthly; you can't reuse similar combinations; some require special characters and capitalization while others can't accept them; and oh yeah, they have different length requirements. Some are 6, others 8, the rest differ too.

I gave up. I keep a text file with them.
I also have 12 at work. YEA text file.
To make matters worse all 12 have different parameters.
If I see one I know the program it is for.


Uncle Paul

join:2003-02-04
USA
kudos:1

reply to TakeTheFifth

said by TakeTheFifth:

You plan for failure when you ignore human behaviour. Make things complicated for people, and they will make THEIR lives easier. So every 30 days, people pick a real dumb password. 4pril2010* m4y2010* jun32010* ju1y2010* (worse, April2010* May2010* June2010*). Or as many stated, post-it. Either way, you end up satisfying your (and some incompetent auditor's) interpretation of SOX compliance or some other standard at the cost of real security. Same result as the oh so famous statement of the paperless office.

(personal rant; don't mind me)

Phil
That's why as an auditor you run a password cracking tool that gives you the time to brute force the password. If it is within acceptable ranges, the password is complex or long enough to satisfy.

The question is: can I leverage another vulnerability to gain a copy of the machine's encrypted password list to then take offline and brute force with my array of PS3s?

The idea is if I can on average brute force your password in 100 days but you rotate passwords every 90 then my control has mitigated the threat.

Security is about layered defense from multiple attack vectors.

With that said, munky's post is spot on. It's about properly defining risk, cost of the risk being realized, placing controls to reduce the risk if the cost of the control is less than the cost of the risk being realized, and finally management accepting liability for any residual risk.

said by munky99999:

Password policy in a sin graph for corporate password policy.

If your password policy allows the CEO or admins have a password of 123456. You're just asking for all your data to be destroyed.
If your policy is 32 digit superstrong. You spend all day resetting passwords.

Your company's liability and risk dictates where you come in on that graph.


tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:5
Reviews:
·Fairpoint Commun..
·Hollis Hosting

said by Uncle Paul:

The idea is if I can on average brute force your password in 100 days but you rotate passwords every 90 then my control has mitigated the threat.
I agree with that argument on cryptographic grounds but as others have posted it ignores how people actually manage passwords. The best security policy is one that effectively reduces risk with minimal impact on productivity and employee/customer morale.

I think a distinction needs to be made as to the likely mode of attack. If the attacker is able to compromise the system, or somehow retrieve encrypted data they can attack at their leisure, then a strong passphrase is important. In that case I would not rely on human passphrase generation.

If on the other hand you are talking about logging into a system remotely where the number of incorrect login attempts is limited, then even weak passphrases are fine. A weak, easy to remember passphrase may be better than a cryptically strong one if the user is able to remember it rather than keep a written copy in a vulnerable area.

said by Uncle Paul:

Your company's liability and risk dictates where you come in on that graph.
That is true. The sad fact of life is that most companies have a difficult time taking security seriously. A classic case is banks sending unencrypted data tapes between locations. This made the headlines several years ago when a shipment went missing.

/tom
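As an added illustration that is not part of any post in this thread: a small Python model of the online-versus-offline distinction tschmidt draws and the rotation-versus-crack-time argument Uncle Paul makes, using pnjunction's 10^6 and 36^16 keyspaces. The lockout policy (5 tries, then a 30-minute lockout), the offline cracking rate (10^9 guesses per second) and the 90-day rotation period are assumed values, not figures from the thread.

```python
# Added example (not from the thread): model the two attack modes the posters
# distinguish. An online attacker is throttled by account lockout; an offline
# attacker holding the password hashes is limited only by hardware speed.
# All rates and lockout settings are assumptions chosen for illustration.
from math import log2

SECONDS_PER_DAY = 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords: 10**6 for a 6-digit PIN, 36**16 as in the thread."""
    return charset_size ** length


def online_guesses(days: float, tries_per_lockout: int, lockout_minutes: float) -> int:
    """Guesses possible against a live login that locks the account after
    `tries_per_lockout` failures for `lockout_minutes` (assumed policy)."""
    lockout_windows = days * SECONDS_PER_DAY / (lockout_minutes * 60)
    return int(lockout_windows * tries_per_lockout)


def offline_guesses(days: float, guesses_per_second: float) -> int:
    """Guesses possible against a stolen hash set at an assumed cracking rate."""
    return int(days * SECONDS_PER_DAY * guesses_per_second)


def coverage(guesses: int, space: int) -> float:
    """Fraction of the keyspace the attacker can exhaust, capped at 1.0."""
    return min(1.0, guesses / space)


def expected_days_to_crack(space: int, guesses_per_second: float) -> float:
    """Average case: half the keyspace at the given rate, in days."""
    return space / 2 / guesses_per_second / SECONDS_PER_DAY


def rotation_mitigates(space: int, guesses_per_second: float, rotation_days: int) -> bool:
    """Uncle Paul's test: rotation only helps if the expected crack time
    exceeds the rotation period."""
    return expected_days_to_crack(space, guesses_per_second) > rotation_days


if __name__ == "__main__":
    for name, space in (("6-digit PIN", keyspace(10, 6)), ("16-char base36", keyspace(36, 16))):
        on = coverage(online_guesses(90, 5, 30), space)      # lockout-limited login
        off = coverage(offline_guesses(90, 1e9), space)      # stolen hashes, 1e9/s
        print(f"{name:15s} bits={log2(space):5.1f} online/90d={on:.2%} "
              f"offline/90d={off:.2%} rotation helps={rotation_mitigates(space, 1e9, 90)}")
```

The 6-digit PIN survives 90 days of lockout-limited online guessing almost untouched but falls instantly offline, which is the point both posters make about choosing policy by attack mode.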


Uncle Paul

join:2003-02-04
USA
kudos:1

said by tschmidt:

said by Uncle Paul:

The idea is if I can on average brute force your password in 100 days but you rotate passwords every 90 then my control has mitigated the threat.
I agree with that argument on cryptographic grounds but as others have posted it ignores how people actually manage passwords. The best security policy is one that effectively reduces risk with minimal impact on productivity and employee/customer morale.
I believe the best security policy and procedures are those that effectively reduce identified risk in a cost effective manner. Impact on productivity, employee/customer morale, and additional risk resulting from the policy/procedure should be converted (either quantifiable or quantifiable) to cost so that a proper evaluation can be made. Then management chooses. As security professionals it's typically not our job to accept risk.

said by tschmidt:

I think a distinction needs to be made as to the likely mode of attack. If the attacker is able to compromise the system, or somehow retrieve encrypted data they can attack at their leisure, then a strong passphrase is important. In that case I would not rely on human passphrase generation.

If on the other hand you are talking about logging into a system remotely where the number of incorrect login attempts is limited, then even weak passphrases are fine. A weak, easy to remember passphrase may be better than a cryptically strong one if the user is able to remember it rather than keep a written copy in a vulnerable area.
The problem here is you don't know when that SQL Injection attack or Adobe vulnerability or inattentive click happy user will allow access to your password hashes. I understand the issue with human nature of writing down passwords and I suppose that's where an administrative control comes in. Or a good risk analysis with costing comes into play.

What is the risk/likelihood/cost of someone coming into an office and selecting the user that has the written down password and that person having the rights to do damage? What is the risk/likelihood/cost of someone leveraging a SQL Injection or XSS vulnerability to obtain an application's password hashes? What is the cost in damage, downtime, or reputation should any of those occur? What physical, technical, or administrative controls do you have in place to reduce the risk/cost?

Security is supposed to be a measured scaling approach to handling risk. You can't say oh we're spending too much money and resources on security. How much time and money you spend is directly related to the management's tolerance for accepting risk.
