Re: Good passwords and security priorities

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 04/26/05

    Date: Mon, 25 Apr 2005 16:37:11 -0600

    "sinister" <sinister@nospam.invalid> writes:
    > I have the impression that in many situations, simple but critical
    > security protection measures are overlooked, even though complicated
    > but less vital measures are implemented.
    >
    > Isn't it true that a policy enforcing good passwords is critical,
    > and a set of security policies that overlooks that is flawed?

    one big issue is that when using shared-secrets ... the policy
    requires a unique password/pin for every distinct security domain
    (i.e. you don't want the password for online banking, connecting to
    your neighborhood isp, and your employee shared secret to all be the
    same). the proliferation of unique electronic security domains
    sometimes results in a single person required to have scores of unique
    passwords.

    many times, a security officer for a specific security domain will
    totally ignore the human factors issues involved when a person is
    required to memorize scores of complex, hard to guess passwords that
    possibly change once a month. a myopic security policy that operates
    as if it is the only security domain ... and is specifying the only
    password that a person is required to memorize ... is overlooking
    real-world reality and human factors. people have a hard enough time
    memorizing a complex password that is changing monthly ... but it
    becomes impossible when a person is faced with scores of such
    situations.

    misc. past postings on shared-secrets
    http://www.garlic.com/~lynn/subpubkey.html#secrets

    a couple past postings on a specific password policy recommendation
    http://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM.
    http://www.garlic.com/~lynn/2001d.html#51 OT Re: A beautiful morning in AFM.

    -- 
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    

