Date: Sun, 14 Jan 2001 03:58:21 -0800
From: Steve Reid <sreid@sea-to-sky.net>
To: Frank Tobin <ftobin@uiuc.edu>
Cc: Dru <genisis@istar.ca>, security@FreeBSD.ORG
Subject: Re: opinions on password policies
Message-ID: <20010114035821.A79825@grok.bc.hsia.telus.net>
In-Reply-To: <Pine.BSF.4.31.0101131726030.40290-100000@palanthas.neverending.org>; from Frank Tobin on Sat, Jan 13, 2001 at 05:35:51PM -0600
References: <Pine.BSF.4.21.0101131321210.89486-100000@genisis> <Pine.BSF.4.31.0101131726030.40290-100000@palanthas.neverending.org>
On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
> If forced to remember another password, most users (including myself)
> will often re-use a password they use at another place.

If you let a user pick a password, nine times out of ten they will pick a word or name, and if you're lucky they might append a single digit or "123".

If you just enforce that it be random-looking, then it is likely that you will have users picking passwords that only _look_ random but aren't actually very hard to guess. For example, some combination of initials and DoB or anniversary.

Compounding the matter, many people like to discuss their innovative password selection techniques with others, to show off their cleverness. They feel safe in doing so because they think that their password is effectively unguessable (they wouldn't have chosen it otherwise).

I have been guilty of all of the above at one time or another. In fact, I'm about to commit that last one right now... :)

I prefer to assign passwords. Generate a random password and then you know exactly how much entropy is there, and that users aren't just re-using a password from somewhere else.

Of course, nobody wants to go to the trouble of memorizing a random eight-character alphanumeric string. So, users are instructed to write down the password on a small slip of paper.

"But what happens if they lose that slip of paper?", I hear you ask. They are instructed to keep it in their wallet, where it is no more likely to go missing than their driver's licence or their bank card, and in the event of a theft the cash and credit cards are more interesting than a slip of paper.

IMHO it's the lesser of several evils. It doesn't prevent lusers from memorizing that strong, randomly generated password and using it for everything, thus defeating the whole purpose. Or accidentally entering their password at the wrong system (although having to read it from a slip of paper may make that less likely). Or sticking the slip of paper to their monitor for all to read. But I don't think there is any enforceable password policy that can prevent those things.

Two-pronged "what you have" plus "what you know" authentication is a better approach, but for now most of us are stuck with just passwords.

P.S. A few years ago I was bringing in a server for install at a colocation. All of the machines there were stored in locked, air-conditioned cabinets. But the doors were made of glass, so I could see all of the machines as I walked by. On several of them I saw masking tape or yellow post-it notes bearing account names and passwords, including at least one where the account name was "root". There was even one with step-by-step instructions to log in via telnet.
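The message's case for assigned passwords is that the entropy of a randomly generated string is known exactly, whereas an "initials plus date of birth" password that happens to be the same length only looks random. The following is an added worked example, not code from the original message or from the FreeBSD list: it generates an eight-character alphanumeric password from the OS CSPRNG and computes its entropy, then computes the entropy of a constructed slot model of the initials-plus-DoB scheme (two initials and DDMMYY; the slot sizes are this example's assumption, not something the message specifies).

```python
import math
import secrets
import string
from typing import Sequence

# Alphabet for assigned passwords: the 62 alphanumeric characters.
ALPHANUMERIC = string.ascii_letters + string.digits


def generate_password(length: int = 8, alphabet: str = ALPHANUMERIC) -> str:
    """Return a uniformly random password drawn from `alphabet`.

    secrets.choice reads the OS CSPRNG; the `random` module must not be
    used for this, since its output is predictable from a small sample.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    For eight alphanumeric characters this is 8 * log2(62), about 47.6 bits.
    """
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(choices_per_slot: Sequence[int]) -> float:
    """Entropy of a password assembled from independent slots.

    Each slot is assumed to be filled uniformly from a known number of
    choices, so the total is the sum of log2 over the slot sizes. This is
    the search space an attacker who knows the scheme has to cover.
    """
    return sum(math.log2(n) for n in choices_per_slot)


# Constructed model (an assumption of this example) of the "initials + DoB"
# scheme: two initials (26 choices each) followed by DDMMYY
# (31 * 12 * 100). That is also an 8-character alphanumeric string, but it
# only has about 2^25 possibilities rather than 62^8.
INITIALS_PLUS_DOB = [26, 26, 31, 12, 100]


def compare() -> dict:
    """Entropy of an assigned 8-char alphanumeric password versus the scheme."""
    return {
        "assigned_8_alnum_bits": entropy_bits(8, len(ALPHANUMERIC)),
        "initials_dob_bits": pattern_entropy_bits(INITIALS_PLUS_DOB),
    }


if __name__ == "__main__":
    print("assigned password:", generate_password())
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f}")
```

The gap is roughly 23 bits, i.e. the look-alike password is about eight million times easier to search, which is the point the message makes about passwords that merely look random.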