RE: Password creating Theories

From: Bob Kurth (Bob.Kurth_at_fcserv.com)
Date: 11/16/05

  • Next message: jalbuqueruqe_at_northkingstown.org: "WEBEX....GO TO ASSIST.....ETC"
    Date: Wed, 16 Nov 2005 14:42:11 -0600
    To: <security-basics@securityfocus.com>
    
    

    In response to the earlier email from Andrew, I went to the link and
    looked at the sample pages from the book. They were full of great
    suggestions, some of which I had not thought of previously myself. I'd
    like to see the whole book after what I read in the sample.

    The key thing for all of us to remember is that our password policies
    must be geared to the abilities of the lowest intelligence end user. It
    is hard to understand just how low that can go until you get there.
    Even if you can force a stronger password by increasing complexity
    requirements, the end user still has to be able to remember it. A
    strong password policy becomes a detriment if it causes the HelpDesk to
    be inundated with calls from end users who, because of password
    complexity requirements, can't seem to pick a really good one they can
    remember. The complexity requirements should be supplemented with a set
    of examples to spur the imagination, and I can happily say that what I
    read does just that.

    If you're in a place where you cannot move management off the dime to
    agree to stronger complexity requirements, you can't improve the
    security posture of the organization. End users can rise to the
    occasion IF they have the tools....in this case a series of demonstrable
    methods. I tend to shy away from password generators because, even
    though they follow the rule set, their results are not often logical or
    rememberable (is that a real word?) for the end user.

    This has been a good thread with good ideas.

    Robert Kurth, CISSP
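    The tension described above between complexity rules, memorability and
    password generators, as an added example that is not part of the thread
    or of the book being discussed: a small Python script that generates
    word-based passphrases which satisfy an assumed "12+ characters, three of
    four character classes" policy, and puts numbers on the entropy so the
    passphrase can be compared with a random character-soup password of the
    kind generators usually emit. The wordlist, the symbol set and the policy
    thresholds are constructed for illustration; a real deployment would use
    a published list such as the EFF long list (7776 words).

```python
"""Added example: memorable passphrases that still pass a complexity rule
set, with entropy figures.  Not code from the thread or from the book."""
import math
import secrets
import string

# Constructed toy wordlist: 32 distinct words, so 5 bits per random word.
# The entropy functions take the list size as a parameter, so the figures
# scale to a real list (EFF long list: 7776 words, ~12.9 bits per word).
WORDLIST = [
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "meadow", "needle", "orbit", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "valley", "walnut", "xenon",
    "yellow", "zipper", "anchor", "basket", "cactus", "dragon", "eagle", "falcon",
]
assert len(set(WORDLIST)) == 32

# Separators chosen at random; all are in string.punctuation, so one of
# them also satisfies the "symbol" class of the assumed policy.
SYMBOLS = "!@#$%^&*-_=+"


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """Assumed rule set: at least min_len characters and at least three of
    the four classes lower / upper / digit / punctuation."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST, rng=secrets) -> str:
    """Random words joined by one random symbol, first word capitalised,
    one random digit appended.  The user remembers four words and a shape,
    not a string of noise.  rng needs only a .choice() method, so a seeded
    random.Random can be passed for reproducible tests."""
    words = [rng.choice(wordlist) for _ in range(n_words)]
    words[0] = words[0].capitalize()
    sep = rng.choice(SYMBOLS)
    return sep.join(words) + rng.choice(string.digits)


def passphrase_entropy_bits(n_words: int, list_size: int = len(WORDLIST)) -> float:
    """Bits contributed by the random choices only: the words, the separator
    and the trailing digit.  Capitalising the first word is deterministic
    and adds nothing, so it is not counted."""
    return n_words * math.log2(list_size) + math.log2(len(SYMBOLS)) + math.log2(10)


def random_password_entropy_bits(length: int, charset_size: int = 94) -> float:
    """Bits in a uniformly random string over the 94 printable ASCII
    characters, i.e. what a typical character-soup generator produces."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, meets_policy(pw))
    print("toy list, 4 words:      %.1f bits" % passphrase_entropy_bits(4))
    print("EFF long list, 4 words: %.1f bits" % passphrase_entropy_bits(4, 7776))
    print("random 8-char password: %.1f bits" % random_password_entropy_bits(8))
    # The classic lower-case-only passphrase fails a class-count policy
    # despite being long; a small fixed shape fixes that without hurting recall.
    print(meets_policy("correcthorsebatterystaple"),
          meets_policy("Correct-horse-battery-staple7"))
```

    Two things the numbers show: a four-word passphrase from a real
    7776-word list (about 58 bits with the separator and digit) beats a
    random 8-character password (about 52 bits) while being far easier to
    recall, and a class-count policy on its own rejects the long all-lowercase
    passphrase, so the policy text should tell users the shape that passes
    rather than leave them guessing.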

    -----Original Message-----
    From: Andrew Williams [mailto:Andrew@Syngress.com]
    Sent: Tuesday, November 15, 2005 3:35 PM
    To: Saqib Ali
    Cc: Jennifer Fountain; security-basics@securityfocus.com
    Subject: RE: Password creating Theories

    When I first started discussing the book with the author (Mark Burnett),
    I thought a whole book on the topic seemed a bit much as well. But, the
    more I saw of Mark's manuscript, the more intrigued/interested I became
    in the idea.

    The book is relatively short, 200 pages total. So, we realized this
    couldn't be a door stop. The book is for both sys admins/infosec pros as
    well as users. One of the book's primary goals is to provide admins w/
    strategies and policies they can convey to their users so that users will
    consistently create strong passwords that they can actually remember as
    well.

    It is also kind of a fun read with interesting facts, stats, etc.; like
    the 500 worst passwords of all time, etc.

    Best,
    A

    > -----Original Message-----
    > From: Saqib Ali [mailto:docbook.xml@gmail.com]
    > Sent: Tuesday, November 15, 2005 4:18 PM
    > To: Andrew Williams
    > Cc: Jennifer Fountain; security-basics@securityfocus.com
    > Subject: Re: Password creating Theories
    >
    > having a whole book dedicated to Password building seems
    > overkill....
    >
    > who will be the target audience?
    >
    > On 11/15/05, Andrew Williams <Andrew@syngress.com> wrote:
    > > We're actually about to publish a book on ideas/strategies for
    > > building passwords and password policies. We have a sample chapter
    > > available on
    >
    > In Peace,
    > Saqib Ali
    > http://www.xml-dev.com/blog/
    > Consensus is good, but informed dictatorship is better.
    >

