Date: Sat, 13 Jan 2001 17:35:51 -0600 (CST)
From: Frank Tobin <ftobin@uiuc.edu>
To: Dru <genisis@istar.ca>
Cc: <security@freebsd.org>
Subject: Re: opinions on password policies
Message-ID: <Pine.BSF.4.31.0101131726030.40290-100000@palanthas.neverending.org>
In-Reply-To: <Pine.BSF.4.21.0101131321210.89486-100000@genisis>
While this may not be applicable to your situation, I feel that the best policy is to demand public-key authentication. The reason for this is to limit the human factor, not demanding the user remember yet another unique password. If forced to remember another password, most users (including myself) will often re-use a password they use at another place.

If your system is compromised, you do not want to help the attackers, who are now likely to get into other accounts the user might have at other places because they reused the password. On the flip side, it would be best that if the user was compromised someplace else, it won't help the attackers use the authentication information to get into the victim's account on your system.

Public-key systems prevent this sort of "chain-reaction" account breakage.

-- 
Frank Tobin
http://www.uiuc.edu/~ftobin/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
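One way to check that a host actually enforces the "public-key only" policy argued for in the message above, as an added example that is not part of the original thread or of any FreeBSD code. The message does not name a login daemon, so the script assumes OpenSSH and the sshd_config(5) rules that the first obtained value of a keyword wins and that lines after a Match block apply only conditionally. The function names (effective_value, audit_sshd_config) and the two sample configs are constructed for this example; the keywords PasswordAuthentication, KbdInteractiveAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication are real sshd_config keywords, all of which default to yes, which is exactly why a stock file still accepts reused passwords.

```shell
#!/bin/sh
# Added example, not code from the original message: audit an OpenSSH
# sshd_config for a "public-key only" login policy.
# Assumptions: OpenSSH sshd_config(5) semantics (the FIRST obtained value of
# each keyword is used; lines after a "Match" block are conditional, so the
# global section ends there). Only the "Keyword value" spelling is parsed,
# not the "Keyword=value" form.

# effective_value FILE KEYWORD DEFAULT
# Print the effective global value of KEYWORD: the first occurrence before
# any Match block, otherwise DEFAULT (sshd's built-in default, passed in by
# the caller). Keyword matching is case-insensitive, as in sshd.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # conditional section: stop here
        tolower($1) == key { found = 1; print $2; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Print one ok/FAIL line per check; return 0 only when every password path
# is closed and public-key authentication is enabled.
audit_sshd_config() {
    f="$1"; rc=0
    pw=$(effective_value "$f" PasswordAuthentication yes)
    # KbdInteractiveAuthentication is the current name; the older
    # ChallengeResponseAuthentication is its deprecated alias. Both default
    # to yes, and through PAM this path can still prompt for the password.
    kbd=$(effective_value "$f" KbdInteractiveAuthentication "")
    [ -z "$kbd" ] && kbd=$(effective_value "$f" ChallengeResponseAuthentication yes)
    pk=$(effective_value "$f" PubkeyAuthentication yes)

    if [ "$pw" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication is '$pw' (a reused password still logs in)"; rc=1; fi
    if [ "$kbd" = no ]; then echo "ok   keyboard-interactive disabled"
    else echo "FAIL keyboard-interactive is '$kbd' (PAM may still ask for a password)"; rc=1; fi
    if [ "$pk" = yes ]; then echo "ok   PubkeyAuthentication yes"
    else echo "FAIL PubkeyAuthentication is '$pk' (no key-based login possible)"; rc=1; fi
    return $rc
}

# Constructed sample configs (not taken from any real host) for a stand-alone run.
sample_weak_config() {
    cat <<'EOF'
# stock-looking file: nothing is set, so every "yes" default applies
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

sample_hardened_config() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes      # ignored: the first obtained value wins
Match User backup
    PasswordAuthentication yes  # conditional, outside the global audit
EOF
}

# Demo: write both samples to a temp dir and audit each.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_weak_config > "$tmp/weak"
    sample_hardened_config > "$tmp/hardened"
    for cfg in weak hardened; do
        echo "== $cfg =="
        if audit_sshd_config "$tmp/$cfg"; then echo "result: public-key only"
        else echo "result: passwords still accepted"; fi
    done
    rm -rf "$tmp"
}

demo
```

The audit deliberately ignores everything after the first Match block: sshd applies those lines only when the Match criteria hold, so a global audit that read them would report a policy the daemon does not actually enforce for most users. Run it against a real file with audit_sshd_config /etc/ssh/sshd_config, and remember that the defaults are all "yes", so a file that merely leaves PasswordAuthentication commented out fails the check.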