Security Basics mailing list archives
RE: Hashing passwords
From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Wed, 13 Jun 2012 12:09:22 -0400
I would not personally trust THIS article. Not because it comes from the company having the nick M$, but because of its poorly educated personnel. That possibly has roots in its former president and founder, who did not manage to finish even a 4-year college. Writing such articles discussing security cost/benefits requires the understanding of exposure/losses. They are completely statistically based, but, unfortunately, such statistics are not known. If the author took a course in probability theory basics and did the homework, he would understand that first of all he needs to get reliable statistics for each specific security event, for instance the probability of a user getting "phished", and then correlated statistics for getting infected by one of millions of known and unknown malware. Then he needs to know the losses for each phishing event, which do depend on business size, IT infrastructure, installed AV software, user education, etc., etc. So far, I have not seen any such statistics or databases. Such a database would be a matrix of billions of security events by billions of exposures. We do not even have the REAL number of all phishing attempts and the number of successful attack cases in the US. Writing such articles is an easy process of misleading people by speculating on an unreliable set of facts or statistics. We definitely can say that having AV software is right and protects one's computer. How much? For a set of known viruses it is basically known, because such research is done by both vendors and independent organizations (for instance, AV-Comparatives). However, when it comes to correlation with phishing ... So, the simple matter of phishing mentioned in the article in question is not really simple when we discuss it geared with math and common sense. Not having either or both leads to such articles.
Summary: wherever you see people talking about security risks, losses and benefits using numbers (like quantitative risk analysis), think about the "billion by billion" matrix.

Best regards
Mikhail Utin, CISSP, PhD

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kai Wirt
Sent: Tuesday, June 12, 2012 2:30 PM
To: security-basics () securityfocus com
Subject: Re: Hashing passwords
Just also revise enforcing password-changing rules (every 30 days) on your site and strong passwords (no fewer than 8 characters, with special characters, upper case, numbers and symbols); this helps when attackers try brute forcing, so by the time they crack the password it's no longer in use...
There's an interesting paper on this topic: http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf In short, most of the password rules employed today are mostly annoying to users and don't really improve security.
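The quoted argument above ("by the time they crack the password it's no longer in use") only holds when exhausting the password keyspace takes longer than the rotation period, and that depends far more on how the password is hashed than on the rotation rule. The following is an added example written for this archive page, not code posted by any participant in the thread. It stores a password with a salted, iterated PBKDF2-HMAC-SHA256 hash (the iteration count, salt length and storage format are assumptions for the illustration) and then works through the keyspace arithmetic for an 8-character policy against a rotation window; the guess rates passed in are hypothetical inputs, not measurements.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the illustration (not from the thread).
PBKDF2_ITERATIONS = 600_000  # the cost knob: raise it as attacker hardware gets faster
SALT_BYTES = 16              # a per-user random salt defeats precomputed (rainbow) tables
SCHEME = "pbkdf2_sha256"

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' using a fresh random salt.

    The iteration count travels with the record so it can be raised later
    without invalidating existing hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password in the keyspace."""
    return keyspace(alphabet_size, length) / guesses_per_second

def rotation_helps(alphabet_size: int, length: int, guesses_per_second: float,
                   rotation_days: int) -> bool:
    """True only when a full search outlasts the rotation window, i.e. the one case in
    which 'the password is no longer in use by the time it is cracked' can be true."""
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) > rotation_days * 86_400

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("login ok with wrong password:", verify_password("Tr0ub4dor&3", record))

    # 8 characters drawn from the 95 printable ASCII symbols, 30-day rotation.
    # Hypothetical guess rates: ~1e10/s for an unsalted fast hash on GPUs,
    # ~1e4/s for an iterated KDF such as the one above. Both are assumptions.
    for label, rate in (("fast unsalted hash", 1e10), ("iterated salted KDF", 1e4)):
        days = seconds_to_exhaust(95, 8, rate) / 86_400
        print(f"{label}: full search takes {days:,.1f} days; "
              f"30-day rotation helps: {rotation_helps(95, 8, rate, 30)}")
```

With a fast hash the whole 95^8 keyspace falls in a matter of days, so a 30-day rotation does not outrun the attacker; with a deliberately slow, salted KDF the search takes many years, at which point the rotation rule adds nothing the hashing did not already provide. The work factor of the hash, not the rotation calendar, is what decides the outcome.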
Current thread:
- Hashing passwords haZard0us (Jun 11)
- Re: Hashing passwords Ansgar Wiechers (Jun 11)
- Re: Hashing passwords Rory Browne (Jun 11)
- RE: Hashing passwords Liam Randall (Jun 12)
- Re: Hashing passwords martin . mngoma (Jun 12)
- Re: Hashing passwords Kai Wirt (Jun 12)
- Re: Hashing passwords Kurt Buff (Jun 12)
- Re: Hashing passwords Ansgar Wiechers (Jun 13)
- Re: Hashing passwords Kurt Buff (Jun 13)
- Re: Hashing passwords Alexander Klimov (Jun 13)
- Re: Hashing passwords Rory Browne (Jun 11)
- RE: Hashing passwords Mikhail A. Utin (Jun 13)
- Re: Hashing passwords Kai Wirt (Jun 13)
- Re: Hashing passwords Ansgar Wiechers (Jun 11)
- Re: Hashing passwords gold flake (Jun 12)
- Re: Hashing passwords Kai Wirt (Jun 12)
- Message not available
- Re: Hashing passwords Jennifer Wachter (Jun 12)
- RE: Hashing passwords Dave Kleiman (Jun 12)