[nycbug-talk] NY Times article on passwds

George Rosamond george at ceetonetechnology.com
Mon Sep 6 19:56:04 EDT 2010


Kind of interesting. . .

http://www.nytimes.com/2010/09/05/business/05digi.html?_r=1&scp=1&sq=randall%20stross&st=cse

Certainly passwds and related policies aren't everything.  Lockout 
policies, ssh keys, etc., certainly matter.

The open questions to me, though:

1.  Cracking passwds remains a common method (the most?) of accessing 
systems without authorization.  And it's not only via brute forcing. 
Acquaintances are also an issue for many end-users, I'd guess.

2.  With that in mind, it's been said, probably by Schneier, that 
technical security is the only war in which the civilians are on the 
front lines.  Now, they're not the only ones on the front lines, of 
course, but they are the most common threat to a network.  And that 
includes sloppy devs and sysadmins with access they don't appreciate.

3.  Why would you discourage people from using better security 
practices?  Consciously stupid passwds could easily mean that the 
lockout policy is irrelevant.

4.  And for the online service providers that don't require passwd 
complexity, I'd bet they approach it on the cost-benefit angle. 
Individual accounts get cracked?  Oh, well.  It's not a highly publicized 
case.  We'd rather deal with the fall-out through the molasses-dripping-like 
customer service process, instead of costing us an arm and a leg 
with customers forgetting and reforgetting complex passwds.  Sort of 
like Lee Iacocca and Ford deciding it was cheaper to settle the 
exploding Pintos in and out of court instead of doing a recall.

5.  Run a crack on thousands of logins with two common passwds. . . who 
cares about lock policies?

g
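Point 5 above is what is usually called password spraying: a few common passwords tried against many accounts, so no single account ever reaches the lockout threshold. The following is an added example (not from the original post or the NYT article) that simulates exactly that against a hypothetical per-account lockout policy and then shows the detection that does catch it, keyed on source rather than on account. The log format, the account names, the source addresses and the thresholds are all constructed for the example.

```python
"""Password spraying vs. per-account lockout: simulation plus a detector.

Added example, not code from the original post.  The log format, thresholds,
account names and addresses below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed (hypothetical) lockout policy: lock an account after 5 failures
# within 30 minutes.  Real systems (pam_faillock, AD, etc.) differ in detail.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)

# Assumed detector tuning: one source failing against this many distinct
# accounts inside the window is treated as a spray.
SPRAY_MIN_ACCOUNTS = 10
SPRAY_WINDOW = timedelta(minutes=30)

# Constructed log format: "<iso-timestamp> sshd auth_ok|auth_failed user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<result>auth_ok|auth_failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample: one source tries two common passwords against 20
    accounts (all accounts with password #1, then all with password #2, the
    order a sprayer uses to stay under per-account lockout), gets one hit,
    plus one ordinary typo from a legitimate user at a different address."""
    users = [f"user{i:02d}" for i in range(20)]
    t = datetime(2010, 9, 6, 19, 0, 0)
    lines = []
    for pw_round in range(2):
        for u in users:
            hit = pw_round == 1 and u == "user07"   # second guess works for one account
            result = "auth_ok" if hit else "auth_failed"
            lines.append(f"{t.isoformat()} sshd {result} user={u} src=203.0.113.7")
            t += timedelta(seconds=3)
    lines.append(f"{t.isoformat()} sshd auth_failed user=alice src=198.51.100.4")
    return "\n".join(lines)


def parse_auth_log(text):
    """Parse lines matching LINE_RE into event dicts; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "auth_ok",
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Replay the per-account lockout policy; return the accounts it would lock."""
    recent = defaultdict(deque)      # user -> timestamps of failures in window
    locked = set()
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked.add(e["user"])
    return locked


def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Return {src: sorted distinct accounts} for every source whose failures
    touch at least `min_accounts` distinct accounts within `window`."""
    per_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            per_src[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, fails in per_src.items():
        q = deque()
        for ts, user in fails:
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= min_accounts and len(distinct) > len(flagged.get(src, ())):
                flagged[src] = sorted(distinct)
    return flagged


def successful_logins_from(events, flagged):
    """Accounts that authenticated successfully from a flagged spray source:
    these are the ones to treat as compromised, lockout policy or not."""
    return {e["user"] for e in events if e["ok"] and e["src"] in flagged}


if __name__ == "__main__":
    ev = parse_auth_log(build_sample_log())
    print("accounts locked by per-account policy:", locked_accounts(ev) or "none")
    flagged = detect_spray(ev)
    for src, users in flagged.items():
        print(f"spray from {src}: {len(users)} distinct accounts")
    print("spray successes:", successful_logins_from(ev, flagged))
```

With the constructed log, the per-account policy locks nothing (two failures per account, well under the threshold of five) while the source-keyed detector flags the one address and names the account it got into. The same shape works on real sshd or web-login logs once the regex is adapted; the windows and thresholds are the parts to tune against your own baseline of ordinary typos.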


