[olug] The Usability of Passwords

Dave Rowe dave at roweware.com
Wed Mar 30 22:12:26 UTC 2011


On Wed, Mar 30, 2011 at 5:02 PM, Obi-Wan <obiwan at jedi.com> wrote:

> >> I was a BOFH before I ever read The Reg....
> >> http://www.theregister.co.uk/odds/bofh/
>
> BOFH predates the world wide web, never mind the Register.
>
> > Congratulations?  No offense, but had I been the VP of Sales you
> > mentioned, it would have been you that had the bad day.  Requiring a
> > policy where the only way to remember the password is a post-it note
> > is a sign of a problem that lies NOT with the user.
>
> And not necessarily with the sysadmin, either.  At the hospital, if a
> VP came down to complain about the password policy, we'd just wave the
> HIPAA banner in their face & they'd back down.  Compared to jail time,
> having to reset your password really isn't all that painful.  Please
> remember the potential consequences of a security breach before you
> complain too loudly.  If it was *your* identity that got stolen because
> somebody else let a hacker in, you'd want their head on a platter.
>
>
You're right - I'm not debating whether a password policy should / should
not be enforced.  I'm simply debating whether requiring password changes
every 30 days, requiring special characters, etc, actually _improves_
security against threats versus something like locking accounts, or delaying
like the article mentions.


> > I am genuinely curious - for other admins on the list - given a lock out
> > scenario / delayed re-attempts (as noted in the original article) - how
> > _drastically_ important is the overly complex password scheme?
>
> Long password length (provided it doesn't fail a simple dictionary test)
> is more important than password complexity.  Using an entire line from
> my favorite song (which no longer gets any air play) is much more secure
> than six random characters, and it's a heck of a lot easier for me to
> remember.  The problem here is that too many brain dead web sites actually
> cap your password length in the single digit range, or prohibit you from
> using punctuation, or...
>
> > Even the
> > password change scheme?  What makes a reasonably complex password (like
> > oranges75) go bad after 30 days?
>
> Why expire after 30 days?  Because social engineering is still the #1
> method for obtaining somebody's password.  I can generate the world's
> most secure password by having my cat jump on my keyboard for 30 seconds,
> but that won't matter if I willingly tell that password to the first
> caller who claims to work for my company's I.T. dept.
>
>
Social engineering is going to break any system no matter the timeframe.
That assumes the person calling is going to wait to use the password, which
I would say is extremely unlikely.  I can see the need to change a password
_periodically_, but every 30 days will likely force users into using a
pattern, and if blocked, using other means (i.e., writing it down, password
manager, etc.) which doesn't help.


> --
> Ben "Obi-Wan" Hollingsworth                             obiwan at jedi.com
>   The stuff of earth competes for the allegiance I owe only to the
>     Giver of all good things, so if I stand, let me stand on the
>       promise that You will pull me through.  -- Rich Mullins
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
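A worked comparison of the two arguments in the thread (length versus complexity, and lockout or delay versus forced expiry), added here as an example and not part of the original exchange; the 5-failure / 15-minute lockout, the 1e10 guesses-per-second offline rate and the stand-in wordlist are constructed assumptions.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of `length` symbols drawn uniformly from an alphabet
    of `alphabet_size` symbols, e.g. 95 printable ASCII characters."""
    return length * math.log2(alphabet_size)

def passphrase_bits(vocab_size: int, word_count: int) -> float:
    """Entropy (bits) of `word_count` words drawn uniformly at random from a
    `vocab_size`-word list.  A phrase an attacker can find in a lyrics or
    quotation list is worth far less than this figure."""
    return word_count * math.log2(vocab_size)

def online_guess_rate(failures_before_lockout: int, lockout_seconds: float) -> float:
    """Sustained guesses per second against a login that locks the account
    for `lockout_seconds` after `failures_before_lockout` failures."""
    return failures_before_lockout / lockout_seconds

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** bits / 2) / guesses_per_second

def passes_dictionary_test(candidate: str, wordlist: set) -> bool:
    """The 'simple dictionary test' from the thread: reject a dictionary word
    with digits appended (the shape of 'oranges75'), which cracking rules
    try long before any exhaustive search."""
    stem = candidate.lower().rstrip("0123456789")
    return stem not in wordlist

# Constructed sample values, not measurements: a 5-failure / 15-minute lockout,
# 1e10 guesses/s against a leaked fast unsalted hash, and a tiny wordlist.
LOCKOUT_RATE = online_guess_rate(5, 15 * 60)
OFFLINE_RATE = 1e10
SAMPLE_WORDLIST = {"oranges", "password", "letmein"}

if __name__ == "__main__":
    six_random = random_string_bits(95, 6)     # ~39.4 bits
    eight_words = passphrase_bits(10_000, 8)   # ~106.3 bits
    for label, bits in (("6 random chars", six_random), ("8-word phrase", eight_words)):
        online_years = expected_crack_seconds(bits, LOCKOUT_RATE) / SECONDS_PER_YEAR
        offline_secs = expected_crack_seconds(bits, OFFLINE_RATE)
        print(f"{label}: {bits:.1f} bits; online with lockout {online_years:.2e} years;"
              f" offline {offline_secs:.2e} s")
    print("oranges75 passes dictionary test:",
          passes_dictionary_test("oranges75", SAMPLE_WORDLIST))
```

With lockout in place even six random characters take millions of years to guess online, while the same password falls to an offline attack on a leaked hash in under a minute; length is what closes that second gap.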