Firewall Wizards mailing list archives
Re: "Proactive" Password Checking
From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 05 Nov 1999 09:40:30 -0600
At 06:19 AM 11/3/99 -0800, Jim Raykowski wrote:
Just got a strange request from the boss about password checking. ... He said that he read an article about a piece of software, that runs on NT, that automatically checks passwords every so often or however often you schedule it.
Checks passwords for what? Vulnerability to dictionary attacks (i.e. use of memorable words instead of textual gibberish)?

In my experience, if you force people to use complicated, hard to remember passwords, and you force them to change them often, then a nonzero percentage will start writing their passwords down. Given that, you should modify user security policies and procedures to identify relatively safe ways of writing the passwords down.

So you have to decide whether the bigger risk is an attack by someone with a password cracker or theft of a piece of paper with someone's password.

If you really, really want to have hard to crack passwords and you want to avoid having them in writing, then leave passwords in place for a year or more at a time. That gives people a chance to memorize them. Once memorized, the pieces of paper will start to disappear, reducing the risk of one being found.

Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/