Password requirements are getting ridiculous
CheffoJeffo:
--- Quote from: ChadTower on September 18, 2008, 02:52:34 pm ---
--- Quote from: CheffoJeffo on September 18, 2008, 02:45:27 pm ---I think you are mistaking convenient business practice for good security practice.
--- End quote ---
Not at all. If the LAN is considered secure then it is accepted practice to consider that in the security model for a given internal application.
--- End quote ---
You sound like those network admins who figured that blocking port 135 at the firewall protected their networks against Blaster and woke up the following Tuesday morning to massively-infected networks.
You can't consider the LAN secure unless you can consider all equipment connected to the LAN to be secure.
Once Chuckie connects with his laptop that he used to download that donkey porn last night, all bets are off. And that only considers the attack from outside.
I know that you think that I am missing your points, but I'm not.
The reason that we have terms like "accepted practice" is because "best practice" is just too damned inconvenient.
--- Quote from: ChadTower on September 18, 2008, 02:52:34 pm ---I don't really agree... a list of random strings of gibberish without context is pretty damn secure. Obfuscation and lack of context is powerful. You may even say it is... encrypted. Now, odds are extremely low that someone with the ability would ever find that thumb drive should he lose it. But if they did, and on a college campus those odds are much higher than elsewhere, there are cracking apps specifically designed to do this particular job. And it's a plug it in, start the process, and leave it there unattended process, which means it is certainly possible. At best the two methods are a push, IMO, unless he's dumb enough to list URLs next to the passwords on his paper.
--- End quote ---
How can you on one hand argue that "a list of random strings of gibberish" is "pretty damn secure", but not see that an "encrypted list of random strings of gibberish" is more secure?
It's not a push, although the real effective difference may be negligible -- in his case, he is far (!) more likely to get picked off with a keylogger than to have somebody find his ratty piece of paper or decrypt his password repository.
ChadTower:
I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level. I'm out. :)
leapinlew:
--- Quote from: ChadTower on September 18, 2008, 02:52:34 pm ---I don't really agree... a list of random strings of gibberish without context is pretty damn secure. Obfuscation and lack of context is powerful. You may even say it is... encrypted.
--- End quote ---
YOU might say it's encrypted, but it's not and we aren't allowed to operate in a "pretty damn secure" environment. There are rules to secure systems. Writing down a password and sticking it to the monitor will get you fired in many environments, and it's against the law in others. You may have done some corporate security for your company, but some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.
CheffoJeffo:
--- Quote from: leapinlew on September 18, 2008, 03:43:17 pm ---some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.
--- End quote ---
:laugh2:
Thanks Lew -- that brought a smile to my face ... as I look forward to my impending SOX audit ... :badmood:
xar256:
--- Quote from: ChadTower on September 18, 2008, 03:40:29 pm ---
I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level. I'm out. :)
--- End quote ---
Somehow, I think we'll manage without you on this one. ::)
--- Quote from: patrickl on September 18, 2008, 03:22:15 pm ---Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).
--- End quote ---
That's a part of why I recommended Password Safe. It encrypts your Password Database using the Twofish encryption algorithm. Plus there is a U3 version available as well, should you want to keep everything on the key itself.