«

»

Jan 07

Security Quick Note

I think that every network security department operates under the following motto:

“If you can do you’re job, we’re not doing ours.”

The customer I’m with has instituted a massively long password scheme. Now I’m not going into details, because that would be telling and would give even the greenest of hackers enough to walk right in.

My point is this. If you make a password scheme overly complicated or tedious, what you’re going to find, and I say this as an absolute, that 20-40% of your users will WRITE THEIR PASSWORD DOWN AND PUT IT WITHIN REACH OF THEIR WORKSTATION.

Hello social engineering.

2 comments

  1. Han Solo

    Actually, there is a school of thought that I personally agree with that a single very complex password is worth about 10,000 easy to remember but changed every 30 days passwords.

    Allowing people to create a very complex one and then keeping it for a long time and memorizing it is much better than forcing them to change a simple one very 30 days and ending up with “fido01”, “fido02”, etc.

    1. Jesse

      I believe that passwords should be complicated enough to keep brute-force attacks from working. But come on now – a single symbol decreases the chances of a bruteforce attack working.

      But don’t overcomplicate it. All you’re doing then is increasing the chances of it being written down somewhere obvious.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>