[nycbug-talk] NY Times article on passwds
George Rosamond
george at ceetonetechnology.com
Mon Sep 6 19:56:04 EDT 2010
Kind of interesting...
http://www.nytimes.com/2010/09/05/business/05digi.html?_r=1&scp=1&sq=randall%20stross&st=cse
Certainly passwds and related policies aren't everything. Lockout
policies, ssh keys, etc., certainly matter.
The open questions to me, though:
1. Cracking passwds remains a common method (the most?) of accessing
systems without authorization. And it's not only via brute forcing.
Acquaintances are also an issue for many end-users, I'd guess.
2. With that in mind, it's been said, probably by Schneier, that
technical security is the only war in which the civilians are on the
front lines. Now, they're not the only ones on the front lines, of
course, but they are the most common threat for the network. And that
includes sloppy devs and sysadmins with access they don't appreciate.
3. Why would you discourage people from using better security
practices? Consciously stupid passwds could easily mean that the
lockout policy is irrelevant.
4. And for the online service providers that don't require passwd
complexity, I'd bet they approach it on the cost-benefit angle.
Individual accounts get cracked? Oh, well. It's not a highly publicized
case. We'd rather deal with the fall-out through the molasses-dripping
customer service process, instead of it costing us an arm and a leg
with customers forgetting and reforgetting complex passwds. Sort of
like Lee Iacocca and Ford deciding it was cheaper to settle the
exploding Pintos in and out of court instead of doing a recall.
5. Run a crack on thousands of logins with two common passwds... who
cares about lock policies?
g
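Points 3 and 5 above boil down to a detection gap: a per-account lockout counts failures per user, so a low-and-slow run of a couple of common passwords across many accounts never trips it. The following is an added example (not part of the original post) that shows the gap on constructed sshd-style log lines: the per-account rule locks only the single brute-forced account, while a per-source "many distinct users, each under the threshold" rule is what catches the spray. The log format, the lockout threshold of 5 and the spray cutoff of 4 accounts are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth failures (sample data, not from the original post).
LOG_LINES = [
    "Sep  6 19:50:01 host sshd[100]: Failed password for alice from 203.0.113.9 port 4001 ssh2",
    "Sep  6 19:50:02 host sshd[101]: Failed password for bob from 203.0.113.9 port 4002 ssh2",
    "Sep  6 19:50:03 host sshd[102]: Failed password for carol from 203.0.113.9 port 4003 ssh2",
    "Sep  6 19:50:04 host sshd[103]: Failed password for invalid user dave from 203.0.113.9 port 4004 ssh2",
    "Sep  6 19:50:05 host sshd[104]: Failed password for alice from 203.0.113.9 port 4005 ssh2",
    "Sep  6 19:51:00 host sshd[105]: Failed password for bob from 198.51.100.7 port 5001 ssh2",
    "Sep  6 19:51:01 host sshd[106]: Failed password for bob from 198.51.100.7 port 5002 ssh2",
    "Sep  6 19:51:02 host sshd[107]: Failed password for bob from 198.51.100.7 port 5003 ssh2",
    "Sep  6 19:51:03 host sshd[108]: Failed password for bob from 198.51.100.7 port 5004 ssh2",
    "Sep  6 19:51:04 host sshd[109]: Failed password for bob from 198.51.100.7 port 5005 ssh2",
]
# Matches both "Failed password for bob" and "Failed password for invalid user dave".
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(lines):
    """Return (user, source_ip) for every failed-password line."""
    return [m.groups() for m in map(FAIL_RE.search, lines) if m]

def accounts_locked(pairs, threshold=5):
    """Accounts a per-account lockout policy (threshold failures) would lock."""
    per_user = defaultdict(int)
    for user, _ in pairs:
        per_user[user] += 1
    return sorted(u for u, n in per_user.items() if n >= threshold)

def spray_sources(pairs, min_accounts=4, threshold=5):
    """Sources that tried many accounts while keeping each below the lockout
    threshold; a per-account lockout never fires on these (assumed cutoffs)."""
    users_by_src = defaultdict(set)
    fails = defaultdict(int)
    for user, src in pairs:
        users_by_src[src].add(user)
        fails[(src, user)] += 1
    return sorted(src for src, users in users_by_src.items()
                  if len(users) >= min_accounts
                  and all(fails[(src, u)] < threshold for u in users))

if __name__ == "__main__":
    pairs = parse_failures(LOG_LINES)
    print("locked by policy:", accounts_locked(pairs))   # ['bob']
    print("spray sources   :", spray_sources(pairs))     # ['203.0.113.9']
```

The brute-force source against bob is the one the lockout handles; the source that touched four accounts at one or two tries each stays invisible to it and only shows up when failures are grouped by source.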