Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Education End Users about Passwords - Was - RE: john the ripper
From: Byron Sonne <blsonne () rogers com>
Date: Tue, 09 Dec 2003 19:14:49 -0500

End User education is the greatest defense.

End user education is almost completely useless when it comes to passwords. Unless you live in a land where users are sensible ;)

I'm not just aimlessly capping on user communities; I've been an admin for over 10 years now in various places and people are all the same when it comes to passwords. That is to say that pretty much everyone sucks at password hygiene.

There's no way around this; all it takes is one day when they're in a rush and they're forced to change their password... so they write it down. From there a habit is formed. Next one gets written down. Perhaps someone nearby notices where they write them, and they get copied and/or passed around.

Make them too long, people write them down. Too short, they're easily cracked or guessed. Frequent password expiration? they get written down again. Infrequent? that's a security issue. Checked against a database of easily cracked passwords? they get written down. Forced inability to reuse patterns (ie. jan1a, feb2b, mar3c, etc.)? They get written down.

The only viable solution, in my opinion, is the use of some kind of token (a la SecureID) or biometrics (not fingerprint based, those are way too easy to fool). With tokens they can keep a more comfortable password and change it on a more comfortable basis, and it doesn't matter too much if it gets cracked since they still need to append the token information to the end of the password to authenticate. Facial recognition is unreliable. Eye scans are good, although I don't want to have to worry about someone ripping out my eyeballs to crack a system ;)

Cheap, easy, secure... pick two :)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]