Re: Reasons and examples for security

From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 12/14/04

Date: Tue, 14 Dec 2004 14:49:15 -0800

> Teach them to use passphrases "The 4 BroWn CoWs jump!'

Pass phrases do not need complexity. The benefits of passphrases are:

  * length -- defeating cracking programs
  * easy to type -- defeating shoulder-surfing
  * simple to remember -- defeating sticky-pads

A phrase like "the four brown cows jump" will take on the order of hundreds
of centuries to crack and is much quicker to type and easier to remember
than "The 4 BroWn CoWs jump!" with all the latter's non-standard
capitalization and punctuation.

If we're going to try to effect wholesale change here and get people to
agree that long passphrases are the future, adding complexity will create
resistance. Why do that when it's unnecessary, security-wise?

Steve Riley
steriley@microsoft.com

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:OWwkyyY4EHA.3472@TK2MSFTNGP09.phx.gbl...
> Changing passwords on a timed schedule intends to do
> a couple of things (at least): make the password different
> before a process that is trying to crack it has had sufficient
> time (statistically) to have done so; to limit unauthorized
> accesses that may be happening due to "handed out" and/or
> otherwise compromised passwords by invalidating them.
>
> For the first of these to be meaningful nowadays, the
> balance between password size (and strength) and the
> change interval needs to be set reasonably - but of these
> the two factors which Windows can leverage without any
> third-party software is password aging and length.
>
> Teach them to use passphrases "The 4 BroWn CoWs jump!'
> and set the length high, IMO not less than a dozen. Set the
> aging so they cannot reuse passwords, and the frequency to
> what the users will bear, maybe 60 days if you can.
>
> Windows is not Unix. An account is in very many groups.
> These groups are used to control access to data which may
> be of different degrees of import/sensitivity and shared
> by different sets of people. This is something that is not
> at first well appreciated by folks coming from Unix, where
> an account being compromised imperils the data of that
> account and of its group.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "roshak31" <Roshak31@news.postalias> wrote in message
> news:71471564-180B-43B4-944A-B8FA41EB7E34@microsoft.com...
>> I am looking for examples to support my case for tighter security. I am
>> looking in the area of having to renew passwords at set time period which
> is
>> not currently being done. I am also looking to find any supporting
> arguments
>> for not having all home folders of everyone on the network available to
>> everyone else on the network.
>>
>> Any stories and or arguments that would help my case for stronger
>> security
>> would be appreciated.
>>
>> Thanks,
>
>
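The two claims argued in this thread (Steve's point that length, not character complexity, is what defeats guessing programs, and Roger's point that the change interval has to be shorter than the time a guessing attack needs) can be checked with a small calculation. The script below is an added illustration, not code from either poster; the guess rate of 1e9 per second, the 10,000-word vocabulary, and the character-class alphabets are constructed assumptions, and the "P@ssw0rd" sample is constructed too. It estimates crack time under a character brute-force model and under a word-list model, and reports whether a given rotation interval is shorter than the weaker of the two estimates.

```python
"""Estimate how long an offline guessing attack would take against a password
or passphrase, and check that estimate against a password-rotation interval.
Added illustration for the thread above; the rates, vocabulary size and
sample secrets are constructed assumptions, not measurements."""
import string

# Assumed attacker guess rate for an offline attack on stolen hashes. Constructed.
GUESSES_PER_SECOND = 1e9
# Assumed vocabulary an attacker would use for word-by-word guessing. Constructed.
VOCABULARY_SIZE = 10_000
DAYS_PER_YEAR = 365.25
SECONDS_PER_YEAR = DAYS_PER_YEAR * 24 * 3600

# (alphabet, size) pairs for the crude character-class model.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def charset_size(secret):
    """Size of the alphabet the attacker must cover, assuming they know which
    character classes were used (pessimistic for the defender, and standard)."""
    return sum(n for alphabet, n in CHARACTER_CLASSES
               if any(c in alphabet for c in secret))


def brute_force_keyspace(secret):
    """Guesses needed to exhaust every string of this length over its alphabet."""
    return charset_size(secret) ** len(secret)


def wordlist_keyspace(secret, vocabulary=VOCABULARY_SIZE):
    """Guesses needed if the attacker tries every combination of dictionary
    words for the observed word count. Deliberately ignores capitalization and
    digit substitutions, so it is the conservative estimate for phrases built
    from common words (the attacker is assumed to already know the pattern)."""
    return vocabulary ** len(secret.split())


def expected_years(keyspace, rate=GUESSES_PER_SECOND):
    """Expected time to a hit: on average half the keyspace is searched."""
    return keyspace / 2 / rate / SECONDS_PER_YEAR


def crack_estimate(secret):
    """Years under each model; the smaller one is what a defender must plan for."""
    brute = expected_years(brute_force_keyspace(secret))
    words = expected_years(wordlist_keyspace(secret))
    return {"brute_force_years": brute,
            "wordlist_years": words,
            "planning_years": min(brute, words)}


def rotation_covers(secret, rotation_days):
    """True if the rotation interval is shorter than the weakest-model crack
    time, i.e. the secret is expected to change before a running attack wins."""
    return rotation_days / DAYS_PER_YEAR < crack_estimate(secret)["planning_years"]


if __name__ == "__main__":
    # Constructed samples: the two phrases from the thread and a short
    # "complex" password of the kind that complexity rules tend to produce.
    for sample in ("The 4 BroWn CoWs jump!", "the four brown cows jump", "P@ssw0rd"):
        est = crack_estimate(sample)
        print(f"{sample!r:28} brute={est['brute_force_years']:.3g} y  "
              f"wordlist={est['wordlist_years']:.3g} y  "
              f"60-day rotation adequate: {rotation_covers(sample, 60)}")
```

Under these assumptions both five-word phrases land in the same place on the word-list model (the model that matters once the attacker guesses the pattern), so the mixed case and punctuation buy nothing against that attacker while costing typing effort; the eight-character "complex" password, by contrast, falls inside a 60-day rotation window on the brute-force model alone. Tune the rate and vocabulary to whatever threat you actually face; the point of the check is that the rotation interval has to be compared against the weakest applicable model, not the most flattering one.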


