[olug] The Usability of Passwords

Obi-Wan obiwan at jedi.com
Wed Mar 30 22:02:18 UTC 2011


>> I was a BOFH before I ever read The Reg....
>> http://www.theregister.co.uk/odds/bofh/

BOFH predates the world wide web, never mind the Register.

> Congratulations?  No offense, but had I been the VP of Sales you mentioned,
> it would have been you that had the bad day.  Requiring a policy where the
> only way to remember the password is a post-it note, is a sign of a problem,
> that lies NOT with the user.

And not necessarily with the sysadmin, either.  At the hospital, if a
VP came down to complain about the password policy, we'd just wave the
HIPAA banner in their face & they'd back down.  Compared to jail time,
having to reset your password really isn't all that painful.  Please
remember the potential consequences of a security breach before you
complain too loudly.  If it was *your* identity that got stolen because
somebody else let a hacker in, you'd want their head on a platter.

> I am genuinely curious - for other admins on the list - given a lock out
> scenario / delayed re-attempts (as noted in the original article) - how
> _drastically_ important is the overly complex password scheme?

Long password length (provided it doesn't fail a simple dictionary test)
is more important than password complexity.  Using an entire line from
my favorite song (which no longer gets any air play) is much more secure
than six random characters, and it's a heck of a lot easier for me to
remember.  The problem here is that too many brain dead web sites actually
cap your password length in the single digit range, or prohibit you from
using punctuation, or...

> Even the
> password change scheme?  What makes a reasonably complex password (like
> oranges75) go bad after 30 days?

Why expire after 30 days?  Because social engineering is still the #1
method for obtaining somebody's password.  I can generate the world's
most secure password by having my cat jump on my keyboard for 30 seconds,
but that won't matter if I willingly tell that password to the first
caller who claims to work for my company's I.T. dept.

-- 
Ben "Obi-Wan" Hollingsworth                             obiwan at jedi.com
   The stuff of earth competes for the allegiance I owe only to the
     Giver of all good things, so if I stand, let me stand on the
       promise that You will pull me through.  -- Rich Mullins
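The length-versus-complexity argument and the "simple dictionary test" above can be put into numbers. The following is an added example, not code from the original post or the OLUG list: a small policy checker that estimates the brute-force search space of a password, applies a dictionary/phrase test, rejects the kind of site-imposed length cap the post complains about, and, going a step beyond the thread, contrasts online guessing under a lockout with offline cracking of a stolen hash. The word lists, the lockout parameters (5 attempts per 15 minutes), the offline rate (1e10 guesses per second) and the 20,000-word vocabulary are all constructed assumptions; the sample passphrase is the signature line from this post.

```python
import math
import string

# Constructed stand-in for a real wordlist / breached-password list (hypothetical, tiny).
COMMON_WORDS = {"password", "oranges", "letmein", "welcome", "qwerty", "monkey"}

# Constructed stand-in for a phrase list (lyrics, quotations) an attacker would also try.
KNOWN_PHRASES = {"to be or not to be"}

SYMBOLS = string.punctuation + " "  # 32 punctuation marks plus the space = 33 symbols

# Sample passphrase, taken from the signature line of the post above.
LYRIC = "so if I stand, let me stand on the promise that You will pull me through"


def charset_size(pw):
    """Size of the union of standard character classes that this password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def bruteforce_bits(pw):
    """Search space (in bits) for an attacker brute-forcing this character set at this length."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(pw, vocab_size=20000):
    """Conservative word-based estimate: bits per word times word count.
    Assumes (hypothetically) the attacker guesses words from a vocab_size-word list."""
    return len(pw.split()) * math.log2(vocab_size)


def fails_dictionary_test(pw):
    """The 'simple dictionary test': a listed word, with or without trailing digits
    (so 'oranges75' fails), or a listed phrase."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits)
    return lowered in COMMON_WORDS or stripped in COMMON_WORDS or lowered in KNOWN_PHRASES


def check_policy(pw, min_len=16, max_len=None):
    """Returns (accepted, reason).  max_len models a site-imposed length cap; a sane
    policy leaves it None, because a cap rejects exactly the long passphrases we want."""
    if fails_dictionary_test(pw):
        return False, "fails dictionary test"
    if max_len is not None and len(pw) > max_len:
        return False, f"exceeds site cap of {max_len} characters"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "accepted"


def online_guess_years(bits, attempts_per_window=5, window_seconds=900):
    """Years needed to exhaust a `bits`-bit search space through a login form whose
    lockout allows attempts_per_window guesses per window_seconds (constructed values)."""
    guesses_per_second = attempts_per_window / window_seconds
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def offline_guess_seconds(bits, guesses_per_second=1e10):
    """Seconds to exhaust the same space against a stolen hash, at an assumed
    (constructed) cracking rate for a fast, unsalted hash."""
    return (2 ** bits) / guesses_per_second


if __name__ == "__main__":
    for pw in ("aB3$x!", "oranges75", LYRIC):
        bits = bruteforce_bits(pw)
        ok, why = check_policy(pw)
        print(f"{pw[:20]!r:24} {bits:6.1f} bits  online: {online_guess_years(bits):.2e} yr"
              f"  offline: {offline_guess_seconds(bits):.2e} s  policy: {why}")
    print("word-based estimate for the lyric:", round(passphrase_bits(LYRIC), 1), "bits")
    print("same lyric under an 8-character site cap:", check_policy(LYRIC, max_len=8))
```

Two things the output makes concrete: six random printable characters are about 39 bits, which a lockout of five tries per quarter hour stretches to millions of years of online guessing but which a fast offline attack on a leaked hash finishes in about a minute, so complexity and length still matter wherever a password database can be stolen; and the lyric line scores in the hundreds of bits by either estimate yet is thrown out by `check_policy(LYRIC, max_len=8)`, which is the single-digit cap the post objects to. The brute-force figure assumes the attacker does not already have the lyric in a phrase list, which is why `fails_dictionary_test` checks phrases as well as words.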