Re: Education End Users about Passwords - Was - RE: john the ripper

From: Byron Sonne (blsonne@rogers.com)
Date: Tue Dec 09 2003 - 19:14:49 EST


> End User education is the greatest defense.

End user education is almost completely useless when it comes to
passwords. Unless you live in a land where users are sensible ;)

I'm not just aimlessly capping on user communities; I've been an admin
for over 10 years now in various places and people are all the same when
it comes to passwords. That is to say that pretty much everyone sucks at
password hygiene.

There's no way around this; all it takes is one day when they're in a
rush and they're forced to change their password... so they write it
down. From there a habit is formed. Next one gets written down. Perhaps
someone nearby notices where they write them, and they get copied and/or
passed around.

Make them too long, people write them down. Too short, they're easily
cracked or guessed. Frequent password expiration? They get written down
again. Infrequent? That's a security issue. Checked against a database
of easily cracked passwords? They get written down. Forced inability to
reuse patterns (i.e. jan1a, feb2b, mar3c, etc.)? They get written down.

The only viable solution, in my opinion, is the use of some kind of
token (a la SecurID) or biometrics (not fingerprint based, those are
way too easy to fool). With tokens they can keep a more comfortable
password and change it on a more comfortable basis, and it doesn't
matter too much if it gets cracked since they still need to append the
token information to the end of the password to authenticate. Facial
recognition is unreliable. Eye scans are good, although I don't want to
have to worry about someone ripping out my eyeballs to crack a system ;)

Cheap, easy, secure... pick two :)

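The "password with the token code appended" login the post describes, written out as an added example that is not part of the original message or of any SecurID product: it uses the open HOTP algorithm (RFC 4226, HMAC-SHA1 with dynamic truncation) in place of the proprietary SecurID token, PBKDF2 for the password hash, and the RFC 4226 published test secret as a constructed token seed. The server splits the submitted string into password and six-digit code, checks both factors, and only ever moves the token counter forward so that a code someone has seen once cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed sample: the 20-byte test secret published in RFC 4226, not a real token seed.
RFC4226_SECRET = b"12345678901234567890"
PBKDF2_ITERATIONS = 200_000
TOKEN_DIGITS = 6
LOOKAHEAD = 3  # token presses the user may "waste" before the server stops accepting


def hotp(secret: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(password: str, token_secret: bytes) -> dict:
    """Server-side record: salted password hash plus the token seed and its counter."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "token_secret": token_secret, "counter": 0}


def authenticate(record: dict, submitted: str) -> bool:
    """Verify one string of the form <password><6-digit token code>.

    Both factors are evaluated every time so a failure does not tell the caller
    which one was wrong. A matching code is consumed even when the password is
    wrong, so a code that has been typed (and possibly observed) is never valid again.
    """
    if len(submitted) <= TOKEN_DIGITS:
        return False
    password, code = submitted[:-TOKEN_DIGITS], submitted[-TOKEN_DIGITS:]

    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])

    # Accept the code only if it matches one of the next LOOKAHEAD counter values;
    # anything at or below an already-used counter is rejected as a replay.
    matched_counter = None
    for c in range(record["counter"], record["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(record["token_secret"], c), code):
            matched_counter = c
            break
    if matched_counter is not None:
        record["counter"] = matched_counter + 1  # counter only moves forward

    return password_ok and matched_counter is not None


if __name__ == "__main__":
    rec = enroll("correct horse", RFC4226_SECRET)
    print(authenticate(rec, "correct horse" + hotp(RFC4226_SECRET, 0)))  # first use: True
    print(authenticate(rec, "correct horse" + hotp(RFC4226_SECRET, 0)))  # replay: False
```

Because the code is consumed on its own match, a typo in the password still burns that token press; that is the trade-off the post alludes to, where a cracked or shoulder-surfed password alone gets an attacker nowhere, so spending a code early costs the user one button press rather than the account.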
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT