
| Subject: | Re: Linking Password Length to Write-down probability |
|---|---|
| Date: | Thu, 26 May 2005 17:46:03 -0300 |
Hi Stian,

A few days ago I read a post at Slashdot:

"Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere."

From the article:

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it... If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

http://it.slashdot.org/article.pl?sid=05/05/24/2047228&tid=172

IMHO, as a good BOFH you _MUST_ require that all employees use an alphanumeric password (8 or 10 chars minimum)... if they don't, their emails, files, or anything else can be redirected to /dev/null ;)

No, seriously, I never heard of a "scientific analytical/statistical research" about this subject. But take a look at the post on Slashdot.

Goodbye
--
Gonzalo Martinez

On 5/26/05, Stian Øvrevåge <sovrevage@gmail.com> wrote:
> Good morning list!
>
> I continually read papers which advertise increased password lengths (and outrageous complexity requirements) as The Solution(TM). I work in a fairly large organization and I can safely acknowledge that even 8 character passwords with moderate complexity requirements are VERY prone to being written un-encrypted and un-hashed on Post-Its, and then safely contained under the keyboard or on the monitor. Which in my humble opinion is bordering on "stupid security".
>
> I'm certain that there is a link between required password length and complexity and the probability of users taking the huge leap backwards and writing passwords down. I've been doing a little Googling, but I can't seem to find any scientific analytical/statistical research done on this particular subject.
>
> Is anyone out there aware of any works done in this field? If not, is there anyone interested in conducting such a survey on behalf of the community?
>
> Regards,
> Stian