Password requirements are getting ridiculous
ChadTower:
--- Quote from: CheffoJeffo on September 18, 2008, 01:26:45 pm ---Let's see ... so far you have suggested writing down passwords on paper and common authentication schemes as good security practices.
I know that you have done a lot of things in your life, but I think that data security, like hauling MDF, ain't one of them. ;)
I'll put my properly-encrypted password management repository up against both paper and central authentication every day of the week.
--- End quote ---
Common authentication is considered good enough when you're already within security - I was specific about that. If you don't like that then I suggest you take it up with corporations all over the world.
I suggested paper specifically for shmokes - if you don't like that, find a better way for someone who sits in various public labs on a regular basis.
Security is very context dependent, as I'm sure your password management repository is aware. I'm also sure it doesn't run off a thumb drive shmokes could carry around with him.
CheffoJeffo:
--- Quote from: ChadTower on September 18, 2008, 01:56:08 pm ---Common authentication is considered good enough when you're already within security - I was specific about that. If you don't like that then I suggest you take it up with corporations all over the world.
--- End quote ---
I think you are mistaking convenient business practice for good security practice.
--- Quote from: ChadTower on September 18, 2008, 01:56:08 pm ---Security is very context dependent, as I'm sure your password management repository is aware. I'm also sure it doesn't run off a thumb drive shmokes could carry around with him.
--- End quote ---
Actually, the file *is* stored on a thumb drive ... my point was that, with proper and secure encryption and authentication, my password repository is far more secure than keeping a list of passwords in his pocket.
ChadTower:
--- Quote from: CheffoJeffo on September 18, 2008, 02:45:27 pm ---I think you are mistaking convenient business practice for good security practice.
--- End quote ---
Not at all. If the LAN is considered secure then it is accepted practice to consider that in the security model for a given internal application.
--- Quote ---Actually, the file *is* stored on a thumb drive ... my point was that, with proper and secure encryption and authentication, my password repository is far more secure than keeping a list of passwords in his pocket.
--- End quote ---
I don't really agree... a list of random strings of gibberish without context is pretty damn secure. Obfuscation and lack of context is powerful. You may even say it is... encrypted. Now, odds are extremely low that someone with the ability would ever find that thumb drive should he lose it. But if they did, and on a college campus those odds are much higher than elsewhere, there are cracking apps specifically designed to do this particular job. And it's a plug it in, start the process, and leave it there unattended process, which means it is certainly possible. At best the two methods are a push, IMO, unless he's dumb enough to list URLs next to the passwords on his paper.
patrickl:
Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).
ChadTower:
--- Quote from: patrickl on September 18, 2008, 03:22:15 pm ---Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).
--- End quote ---
Decades if the hacker doesn't have prior knowledge of the repository app. There are known techniques for most of them that shorten that quite a bit. Still way more trouble than it's worth and effective enough but not nearly as decades long secure as a blind brute force would need to be.