[olug] The Usability of Passwords
Dave Rowe
dave at roweware.com
Wed Mar 30 13:17:19 UTC 2011
On Wed, Mar 30, 2011 at 1:12 AM, Kevin D. Snodgrass <kdsnodgrass at yahoo.com> wrote:
> --- On Tue, 3/29/11, Jay Hannah <jhannah at mutationgrid.com> wrote:
> > An excellent article:
> >
> > http://www.baekdal.com/tips/password-security-usability
>
> Would be much better without all the typos. </rant>
>
> I have several extremely hard to hack passwords. 8+ characters, alpha,
> numeric, special, etc. Some less hard, but those are used in secure
> environments (my home systems) or where being cracked won't ruin my day.
>
> At a former job as Network Admin, I required 8 characters, changed every 30
> days, no reusing of old. And if I ever caught someone with a post-it note
> password their network access was shut off instantly. The VP of Sales was
> NOT happy one day... :-)
>
> Kevin D. Snodgrass
Oh man, and you and I would not get along :/ - The problem I see (and have)
with passwords requiring alphanumeric, capitals, and special characters is
that I'm _constantly_ using the reset password functionality - which annoys the
living daylights out of me. Changing every 30 days seems like it would
make users use a pattern in their passwords, with an ever incrementing
value - especially if it is a password they use every day. I know I did
when I had to conform to that level of password policy.
Why not, instead, institute a policy that locks the account after 3 - 5 failed
logins? Let the users use whatever password they want, and if
people are constantly getting locked out because of hacking attempts, you
have a pattern to eliminate the access for the hacker, and prevent the
dictionary attack from going beyond 5 words.
That is the one thing that dictionary attacks always assume, that you'll
just let the attacks continue to stream in. Why not stop the attacks? As a
plain example that I use, DenyHosts...3 failed attempts at SSH, and you're
blocked from accessing SSH before you get a prompt. In those cases, I could
use a password like 'oranges75' and be just as safe as 'idnn378dg38@*#(l2nd93hd'
-Dave
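The lockout policy Dave describes, worked through over constructed sshd-style log lines as an added example (not code from the original thread, nor from DenyHosts): count failed password attempts per source within a time window and flag the source once it crosses the threshold. The counter is keyed on the source address rather than on the account, so a remote guesser cannot lock a legitimate user out of their own account, and note that it only bounds online guessing; a leaked password hash can still be cracked offline with no such limit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (not taken from the original thread).
SAMPLE_LOG = """\
Mar 30 08:00:01 host sshd[1001]: Failed password for dave from 203.0.113.5 port 4001 ssh2
Mar 30 08:00:03 host sshd[1002]: Failed password for dave from 203.0.113.5 port 4002 ssh2
Mar 30 08:00:04 host sshd[1003]: Failed password for dave from 203.0.113.5 port 4003 ssh2
Mar 30 08:00:09 host sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 4004 ssh2
Mar 30 08:00:20 host sshd[1005]: Accepted password for dave from 198.51.100.7 port 5001 ssh2
Mar 30 09:30:00 host sshd[1006]: Failed password for dave from 198.51.100.7 port 5002 ssh2
"""

# Matches the two common failure shapes: known user and "invalid user <name>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def failed_attempts(log_text, year=2011):
    """Yield (timestamp, user, source_ip) for every failed-password line.
    syslog lines carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def lockout_decisions(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {source_ip: (failures, first_ts, block_ts)} for each source that
    reached `threshold` failures inside `window`. The block is recorded at the
    moment the threshold is crossed, mirroring a DenyHosts-style cutoff where
    later attempts from that source never reach a password prompt."""
    recent = defaultdict(list)   # source_ip -> timestamps still inside the window
    blocked = {}
    for ts, _user, ip in failed_attempts(log_text):
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= threshold and ip not in blocked:
            blocked[ip] = (len(hits), hits[0], ts)
    return blocked


if __name__ == "__main__":
    for ip, (n, first, when) in lockout_decisions(SAMPLE_LOG).items():
        print(f"block {ip}: {n} failures between {first:%H:%M:%S} and {when:%H:%M:%S}")
```

With the sample above, 203.0.113.5 is blocked on its third failure at 08:00:04, while the single stray failure from 198.51.100.7 stays under the threshold.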