[ale] OT - New encryption technology using a piece of paper

Michael H. Warfield mhw at WittsEnd.com
Sun Sep 4 20:56:58 EDT 2011


On Sun, 2011-09-04 at 19:49 -0500, Pat Regan wrote: 
> On Sat, 03 Sep 2011 20:06:56 -0400
> "Michael H. Warfield" <mhw at wittsend.com> wrote:
> 
> > The forced changes provide no benefit and yet add that little tiny
> > extra opportunity of additional threat.  And, yes, there are password
> > sniffers that will fire on password changes so they follow your
> > changes as you make them.  Factor it in how you will.

> A company I used to work for about a decade ago had a 60 or 90 day
> schedule on their forced password changes.  The requirements for the
> passwords weren't very strict, either.

> Most of the customer service people ended up teaching each other the
> same password scheme of current month+year (jan99, for example).  Since
> those passwords were good for 60 or 90 days, you could walk out on that
> call center floor and guess almost anyone's password in 2 or 3 tries.

In my talks on this, I try to dance around it a little bit without being
as blatant as that, but you are absolutely correct.  Forced expiration
and password changes invariably force most users into predictable
patterns which are of no benefit and often just the opposite.

The other effect, when password strength/complexity checkers are not
enforced, is the "jumping in front of the bus effect".  Small but real,
it's the case where a user is forced to change his password and he
changes it to one that the attackers are using to guess...  Powned...

> Pat

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
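The pattern Pat describes (current month plus year, rotated each expiry window) is exactly the kind of thing a password-change check should catch before it is accepted. The following is an added example, not code from this thread or from any of the posters: a small Python check that rejects a new password when it embeds a month/year stamp or when it is the previous password with only the edge digits, symbols or letter case changed. The function names, the character classes treated as "counter" characters and the sample passwords are all my own assumptions.

```python
"""Reject predictable password rotations: month+year stamps and counter suffixes.

Added illustration; names and thresholds below are assumptions, not any real
product's policy engine.
"""
import re
from typing import List, Optional

# Full month names; the regex also accepts the three-letter abbreviation.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Named month followed by an optional separator and a 2- or 4-digit year:
# matches "jan99", "Sep_2011", "September11"; does not match "mayflower".
_NAMED_MONTH_YEAR = re.compile(
    r"(?:" + "|".join(f"{m}|{m[:3]}" for m in MONTHS) + r")"
    r"[-_/ .]?(?:19|20)?\d{2}(?!\d)",
    re.IGNORECASE,
)

# Numeric month, a separator, then a year: "09/11", "9-2011".  The separator is
# required so that ordinary digit runs are not mistaken for dates.
_NUMERIC_MONTH_YEAR = re.compile(
    r"(?<!\d)(?:0?[1-9]|1[0-2])[-_/.](?:19|20)?\d{2}(?!\d)"
)

# Digits and common "make it complex" symbols at either end of a password;
# these are what users typically bump when forced to rotate.
_EDGE_RUN = re.compile(r"^[\d!@#$%^&*]+|[\d!@#$%^&*]+$")


def has_date_pattern(password: str) -> bool:
    """True if the password embeds a month/year stamp in either form."""
    return bool(_NAMED_MONTH_YEAR.search(password)
                or _NUMERIC_MONTH_YEAR.search(password))


def core(password: str) -> str:
    """Strip digit/symbol runs from both ends and lowercase: 'Summer2!' -> 'summer'."""
    return _EDGE_RUN.sub("", password).lower()


def is_trivial_rotation(new: str, previous: str) -> bool:
    """True when only the edge digits/symbols or the case differ from the old password."""
    return core(new) != "" and core(new) == core(previous)


def check_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the change is acceptable."""
    problems: List[str] = []
    if has_date_pattern(new):
        problems.append("contains a month/year pattern")
    if previous is not None:
        if new.lower() == previous.lower():
            problems.append("identical to previous password")
        elif is_trivial_rotation(new, previous):
            problems.append("differs from previous password only by edge digits/symbols or case")
    return problems


if __name__ == "__main__":
    # Constructed sample rotations, in the spirit of the call-center scheme above.
    for old, new in [("dec98", "jan99"), ("Summer2", "Summer3"), ("xyzzy", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {check_password(new, old) or 'ok'}")
```

The rotation check compares only the "core" of the two passwords, so it needs the previous password (or a reversible hash of the core, which is its own trade-off) to be available at change time; a plain salted hash of the whole old password is not enough to detect `Summer2` becoming `Summer3`.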