[nycbug-talk] NY Times article on passwds
lists at stringsutils.com
Sat Sep 11 11:08:47 EDT 2010
George Rosamond writes:
> 3. Why would you discourage people from using better security
> practices? Consciously stupid passwds could easily mean that the
> lockout policy is irrelevant.
Even with lockout policies, if someone uses 'password' as their password, there
is a good chance the account will get hacked.
> like customer service process, instead of costing us an arm and a leg
> with customers forgetting and reforgetting complex passwds. Sort of
> like Lee Iacocca and Ford deciding it was cheaper to settle the
> exploding Pintos in and out of court instead of doing a recall.
And sadly, that is likely a valid thought. However, even those places that
are lax on their password policy should, I would think, at least have a
list of words they don't allow as passwords.
> 5. Run a crack on thousands of logins with two common passwds... who
> cares about lock policies?
Before I switched ssh from 22 to another port I used to see daily attempts
in the logs against hundreds of different user accounts. So I think that
scenario, trying lots of different users, is a common practice.
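The "lots of users, few passwords" pattern from points 5 and the sshd logs above is exactly what a per-account lockout never catches. As an added example (not from this thread or the nycbug list), here is a small detector that reads OpenSSH "Failed password" lines and flags sources that touch many distinct accounts while staying under the lockout threshold; the log lines, addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not real log data); the format mirrors what
# OpenSSH writes to auth.log for password logins.
SAMPLE_LOG = """\
Sep 11 03:12:01 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 11 03:12:03 host sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Sep 11 03:12:05 host sshd[2315]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep 11 03:12:07 host sshd[2317]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Sep 11 03:12:09 host sshd[2319]: Failed password for invalid user guest from 203.0.113.7 port 51061 ssh2
Sep 11 08:40:12 host sshd[4102]: Failed password for george from 198.51.100.9 port 40211 ssh2
Sep 11 08:40:20 host sshd[4104]: Failed password for george from 198.51.100.9 port 40212 ssh2
Sep 11 08:40:31 host sshd[4106]: Accepted password for george from 198.51.100.9 port 40213 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def failed_logins(text):
    """Yield (source_ip, username) for every failed password attempt."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("src"), m.group("user")

def spray_sources(text, min_users=3, max_per_user=2):
    """Return {source: sorted usernames} for sources that look like a spray:
    many distinct accounts tried, each only a few times. Thresholds are
    assumptions for the demo; a per-account lockout never fires for this
    pattern, which is the point made in the thread."""
    attempts = defaultdict(lambda: defaultdict(int))
    for src, user in failed_logins(text):
        attempts[src][user] += 1
    result = {}
    for src, per_user in attempts.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            result[src] = sorted(per_user)
    return result

if __name__ == "__main__":
    for src, users in spray_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct users tried: {', '.join(users)}")
```

A user who mistypes their own password twice (198.51.100.9 above) is not flagged, because the detector keys on the number of distinct accounts per source rather than failures per account.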