Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Security procedure question

from [Ken Kousky] Network Security [Permanent Link]
Subject: RE: Security procedure question
Date: Mon, 25 Sep 2006 20:17:56 -0400 
One way to discourage users from writing down passwords is to stop the
idiotic practice of expecting them to remember strong passwords - they
can't! So if you're imposing a policy of strong passwords you must assume
they'll be written down. Strong passwords are a token.

Strong passwords, by definition can't be remembered. They have to change
frequently and they're not to be used on multiple systems which would expose
them to the "weakest link" syndrome. 

Here's Kousky's Algorithm - we've been teaching it for five years and it's
still better than most simple alternatives.

One option to help is to let them write them down - even tape them to their
machines, but leave a four digit pin missing from the string. It can be
after each capital letter in the string so what is written down is:

Kw3$34Q3@AS

But the real submitted password requires my four digit pin: 1234 be inserted
after each capital letter ... that is, after the K goes a 1, after the Q
goes the 2, etc.

Real submitted string is 

K1w3$34Q23@A3S4

If you don't get over the crazy idea of strong passwords you're part of the
problem. We need strong strings to submit over the wire or on a laptop and
that can best be served by multifactor solutions. 

We consider this one and a half factors. Strong factors are hard to
duplicate and you know if they're missing. 

You might also check out our paper for '02 - "Strong Passwords are an
Oxymoron" 

Regards

KWK
IP3 Inc.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Mario A. Spinthiras
Sent: Monday, September 25, 2006 7:52 AM
To: MandommGmail
Cc: security-basics@securityfocus.com
Subject: Re: Security procedure question

Even so if the method i mentioned previously on this thread is applied , 
even if the user is foolish enough to avoid or unable to understand and 
apply the theory of a password then maybe they shouldn't be working 
anywhere near computers - but thankfully for the unbelievably stupid my 
method works since it applies to the following criteria:

1. Who you are (Biometric authentication)
2. What you know (The password of the unintelligent ignorant user)
3. What you have (The usb stick with the key on it)


To my opinion, any user not following a company's security policy should 
be either arrested for possible industrial espionage and/or sabotage of 
the company. The minimum impact should be his/her dismissal from the 
company as an employee.

Regards,
Mario A. Spinthiras







MandommGmail wrote:

 I'm concerned about a user leaving the id and password on paper in or 
near the laptop.

There is no way one can defend against a user who decides to stick a 
sticky pad on his laptop and leaves his password there. The best 
encryption tool does not defend against human stupidity.

Alex
----- Original Message ----- From: "Saqib Ali" <docbook.xml@gmail.com>
To: "Brown, Sam" <sbrown@ashe.ucla.edu>; <mario@netway.com.cy>; 
<lists@hwf.cc>
Cc: <security-basics@securityfocus.com>
Sent: Friday, September 22, 2006 1:26 AM
Subject: Re: Security procedure question



If you don't mind, can I ask what product you selected? There are some
full/whole disc encryption implementations that support TPM. See the
URL for description:


http://en.wikipedia.org/wiki/FDE#Full_disk_encryption_and_Trusted_Platform_M
odule 



If your laptops are TPM enabled the full disc encryption software can
wrap the decryption key with TPM, so the user won't have to remember
or note down an extra username/password.

On 9/20/06, Brown, Sam <sbrown@ashe.ucla.edu> wrote:

We're going to be deploying whole disk encryption to our laptops so 
I am
interested in hearing how others have distributed the software
encryption ID's and passwords to users.  I'm concerned about a user
leaving the id and password on paper in or near the laptop.

Sam Brown




--------------------------------------------------------------------------- 


This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic 
Excellence
in Information Security. Our program offers unparalleled Infosec 
management
education and the case study affords you unmatched consulting 
experience.
Using interactive e-Learning technology, you can earn this esteemed 
degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus


--------------------------------------------------------------------------- 







-- 
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------



--------------------------------------------------------------------------- 


This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic 
Excellence in Information Security. Our program offers unparalleled 
Infosec management education and the case study affords you unmatched 
consulting experience. Using interactive e-Learning technology, you 
can earn this esteemed degree, without disrupting your career or home 
life.

http://www.msia.norwich.edu/secfocus


--------------------------------------------------------------------------- 









---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Best single source of current infosec news?, Ivan .
Next by Date:  RE: Changing user password policy, Paul Sutton
Previous by Thread:  Re: Security procedure question, Mario A. Spinthiras
Next by Thread:  Re: Security procedure question, Daniel DeLeo
Indexes:  [Date] [Thread] [Top] [All Lists]