Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Benjamin Bennett <ben () PSC EDU>
Date: Mon, 19 Nov 2007 22:24:45 -0500

Gene Spafford wrote:
I track these things, and I cannot recall the last time I saw any report
of an incident caused by a guessed password.  Most common incidents are
phishing, trojans, snooping, physical theft of sensitive media, and
remote exploitation of bugs.

I see intrusions as a result of guessed passwords probably a couple
times a year.  IIRC, they have always been horrendously weak passwords
and come with a statement such as "I didn't realize that service was
remotely accessible" or "it was supposed to be temporary".

Many people are not aware of the methods used by attackers, or even why
someone would want to attack their machine.  To these people measures
such as passwords are simply a hassle they don't want to deal with, one
that is minimized by choosing "password" or "changeme".

Take your environment into account when outlining a password policy.  If
your users are all security-minded folks (by choice or by having it
beaten into them), perhaps you don't need the policy.  If some portion
of your users are the type I just described and you see these types of
incidents, perhaps a policy is well worth your time.  Oh, and if those
users tend to be fluent in other languages, you may want to include
foreign dictionaries in your policy as well.

--ben
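The policy point above (reject trivially weak choices like "password" or "changeme", and check against dictionaries for every language your users speak) can be enforced at password-set time. The following is an added example, not code from the post or from any particular campus tool. The wordlists are tiny constructed samples standing in for real per-language dictionary files, the minimum length and the character-substitution table are assumptions, and the `/usr/share/dict` path mentioned in the comment is only an illustration of where real lists might live.

```python
"""Password policy check against multiple per-language dictionaries.

Added example (not the mailing-list poster's code).  A candidate password is
rejected if it is too short, or if any simple normalization of it (lowercase,
stripped of leading/trailing digits and punctuation, common character
substitutions undone) matches a word in any configured wordlist.
"""
import re

# Constructed sample wordlists.  A real deployment would load one file per
# language the user population speaks (e.g. files under /usr/share/dict,
# an assumed location that varies by system).
WORDLISTS = {
    "english": {"password", "changeme", "welcome", "letmein", "secret"},
    "spanish": {"contraseña", "bienvenido", "secreto"},
    "german": {"passwort", "geheim", "willkommen"},
}

# Assumed table of substitutions users commonly apply to dictionary words.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy value


def normalize(candidate: str) -> set:
    """Return the set of normalized forms to compare against the wordlists."""
    lower = candidate.lower()
    forms = {lower, lower.translate(LEET_MAP)}
    # Drop trailing digits/punctuation such as "password1!" or "changeme2007".
    # re's \W is Unicode-aware, so accented letters survive the strip.
    stripped = re.sub(r"[\d\W_]+$", "", lower)
    forms.update({stripped, stripped.translate(LEET_MAP)})
    # Drop leading digits/punctuation as well ("2007secret").
    stripped = re.sub(r"^[\d\W_]+", "", stripped)
    forms.update({stripped, stripped.translate(LEET_MAP)})
    return {f for f in forms if f}


def dictionary_hit(candidate: str, wordlists=WORDLISTS):
    """Return (language, word) for the first wordlist match, or None."""
    forms = normalize(candidate)
    for lang, words in wordlists.items():
        for form in forms:
            if form in words:
                return lang, form
    return None


def check_password(candidate: str, wordlists=WORDLISTS) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = dictionary_hit(candidate, wordlists)
    if hit:
        problems.append(f"based on the {hit[0]} dictionary word '{hit[1]}'")
    return problems


if __name__ == "__main__":
    for pw in ["changeme", "P@ssw0rd2007!", "Contraseña2007!",
               "correct-horse-battery-staple"]:
        print(pw, "->", check_password(pw) or "accepted")
```

The check deliberately normalizes before comparing, so "P@ssw0rd2007!" is caught as the English word "password" and "Contraseña2007!" as the Spanish word "contraseña"; a German-only list would have missed both, which is the point about matching the dictionaries to the user population. It only detects passwords built on a single dictionary word; a multi-word passphrase such as "correct-horse-battery-staple" passes, so a site that accepts passphrases would pair this with a separate length or entropy requirement.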


