[nycbug-talk] NY Times article on passwds

Francisco Reyes lists at stringsutils.com
Sat Sep 11 11:08:47 EDT 2010

George Rosamond writes:

> 3.  Why would you discourage people from using better security 
> practices?  Consciously stupid passwds could easily mean that the 
> lockout policy is irrelevant.

Even with lockout policies if someone uses 'password' as their password even 
with lockouts, there is a good chance the account will get hacked.
> like customer service process, instead of costing us an arm and a leg 
> with customers forgetting and reforgetting complex passwds.  Sort of 
> like Lee Iaccoca and Ford deciding it was cheaper to settle the 
> exploding Pintos in and out of court instead of doing a recall.

And sadly, that is likely a valid thought. However, even those places that 
are lax on their password policy I would think they should at least have a 
list of words they don't allow as passwords.
> 5.  Run a crack on thousands of logins with two common passwds. . . who 
> cares about lock policies?

Before I switched ssh from 22 to another port I used to see daily attempts 
on the logs to hundreds of different user accounts. So I think that 
scenario, try lots of different users, is a common practice.

More information about the talk mailing list