From owner-freebsd-security Sat Jan 13 23:33:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id D355E37B400 for ; Sat, 13 Jan 2001 23:33:39 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id XAA00644; Sat, 13 Jan 2001 23:33:16 -0800 (PST) (envelope-from jessem@spammie.svbug.com)
Message-Id: <200101140733.XAA00644@spammie.svbug.com>
Date: Sat, 13 Jan 2001 23:33:14 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: opinions on password policies
To: ftobin@uiuc.edu
Cc: genisis@istar.ca, security@FreeBSD.ORG
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 13 Jan, Frank Tobin wrote:
> While this may not be applicable to your situation, I feel that the best
> policy is to demand public-key authentication. The reason for this is to
> limit the human factor, not demanding the user remember yet another unique
> password. If forced to remember another password, most users (including
> myself) will often re-use a password they use at another place.
>

This is not a good policy. For small infrastructures (5-100 users), PKA might
be acceptable. However, this is useful only if ALL users log in remotely.
Even then, PKA, such as used in SSH, has management problems.

Getting back to password policies, do what you can. Studies such as:

http://www.cs.wpi.edu/~cs513/f99cew/week12-crypt/week12-crypt.html

show that most public systems can be cracked easily with a simple dictionary
attack. The best security policy is to expect systems with many users that
you don't personally know (like universities) will be hacked.

Jessem.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
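The "simple dictionary attack" Jessem refers to, together with the set-time check that a "do what you can" password policy uses to pre-empt it, as an added example that is not part of the original message or the thread. It stands in a salted SHA-256 for crypt(3) so the script runs without a platform crypt library (an assumption, not how master.passwd hashes are actually computed); the wordlist, account names, salts and passwords are constructed for the demo.

```python
"""Dictionary attack against a password file, plus the set-time check that
blocks the same attack. Added example; not code from the original message.
The hash is a salted SHA-256 stand-in for crypt(3) (assumption, so the
script runs without a platform crypt library); the wordlist and accounts
below are constructed for the demo."""
import hashlib

# Constructed wordlist; a real cracker uses thousands of words.
WORDLIST = ["password", "freebsd", "secret", "letmein", "january", "dragon"]

# Cheap transformations a basic cracker applies to every word.
SUFFIXES = ("", "1", "!", "123", "2001")


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3): '$demo$<salt>$<sha256(salt+password)>'."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


def mangle(word: str):
    """Yield the variants of one dictionary word that a simple attack tries."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper(), word[::-1]):
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def parse_password_file(text: str) -> dict:
    """Parse 'user:hash' lines (the two master.passwd fields that matter here)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def dictionary_attack(entries: dict, wordlist) -> dict:
    """Return {user: password} for every account whose hash matches a mangled
    word. Each hash carries its own salt, so candidates are re-hashed per
    user: the salt multiplies the work but does not stop the attack."""
    cracked = {}
    for user, stored in entries.items():
        salt = stored.split("$")[2]
        for word in wordlist:
            hit = next((c for c in mangle(word)
                        if hash_password(c, salt) == stored), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def policy_violation(password: str, wordlist, min_len: int = 8):
    """The 'do what you can' check: refuse at set-time what the attack above
    would recover. Returns the reason, or None if the password is acceptable."""
    if len(password) < min_len:
        return "too short"
    for word in wordlist:
        if password in mangle(word):
            return f"derived from dictionary word {word!r}"
    return None


def sample_password_file() -> str:
    """Constructed accounts: two weak passwords, one that survives the attack."""
    rows = [("alice", "Password1", "k3"), ("bob", "freebsd!", "Zq"),
            ("carol", "x9#Qv7!tLw2", "m8")]
    return "# user:hash\n" + "\n".join(
        f"{u}:{hash_password(p, s)}" for u, p, s in rows)


if __name__ == "__main__":
    entries = parse_password_file(sample_password_file())
    for user, pw in dictionary_attack(entries, WORDLIST).items():
        print(f"{user}: {pw!r} (policy would have said: "
              f"{policy_violation(pw, WORDLIST)})")
```

Running it recovers alice's and bob's passwords and leaves carol's alone; the same `policy_violation` check, applied when the password is set, rejects exactly the two that fall. The mangling rules are deliberately minimal so the link between the cracker's candidate set and the policy's reject set is visible; a real policy should draw on a much larger wordlist than the one it expects attackers to use.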