[LINK] Guidance re Passwords

Birch, Jim Jim.Birch at dhhs.tas.gov.au
Wed Jul 27 10:42:45 AEST 2011


Tom Cleary wrote:

> But I think we should acknowledge that this is, effectively, wasted
> effort?

I would certainly agree with that.  Passwords (themselves) are actually
one of the strong components in the security chain.

There are the basic rules: Don't use a dumb password
(password/12345/secret/qwerty/etc), make brute force attack reasonably
difficult (don't use dictionary words, add digits, case changes, special
characters, etc) but really brute force should be history.  Any serious
password protected system should lock before all the dumb password set
has been tried, let alone any brute force list.  (OTOH a colleague in
the school system told me they had to crank up the bad password limit on
teachers' accounts to somewhat insecure levels because the kids would
trip them - not to break in, but to disrupt the class by locking their
teacher's account...)

A 16 character random password which includes digits, special
characters, and case changes with one in a gazillion guess probability
might be a good idea for file encryption but offers zero additional
protection against social engineering attacks, rootkits, keyloggers,
fake links, men-in-the-middle, server breaches, etc.  It would be much
more useful to enforce the factors that limit these attacks.

- Jim
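An added illustration of the lockout argument made in the post above, not code from the original message or from any system it mentions: a small authenticator that locks an account after a fixed number of failed attempts, run against a constructed stand-in for the "dumb password set". The usernames, passwords, list contents and threshold are all made up for the example. It shows both halves of the trade-off described: a low threshold stops the common-password list after a handful of guesses, and the same lock also shuts out the legitimate user until an unlock, which is the disruption the colleague in the school system ran into.

```python
"""Added example: an account-lockout policy applied to a constructed list of
common passwords. Everything here (names, passwords, list, threshold) is
constructed for illustration and is not from the original post."""
import hashlib
import hmac
import os

# Constructed 'dumb password set' (a short stand-in for the real lists).
COMMON_PASSWORDS = [
    "password", "12345", "123456", "secret", "qwerty", "letmein",
    "welcome", "admin", "abc123", "iloveyou", "monkey", "dragon",
]


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only so the example stores no plaintext;
    # the lockout logic is what the example is about.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Authenticator:
    """Verifies passwords and locks an account after `max_failures`
    consecutive bad attempts."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self._creds = {}      # username -> (salt, hash)
        self._failures = {}   # username -> consecutive failed attempts
        self._locked = set()

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[username] = (salt, _hash(password, salt))
        self._failures[username] = 0

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'. A locked account rejects every
        attempt, including the correct password, until unlock() is called."""
        if username in self._locked:
            return "locked"
        salt, stored = self._creds[username]
        if hmac.compare_digest(_hash(password, salt), stored):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked.add(username)
        return "bad"

    def unlock(self, username: str) -> None:
        # Stand-in for the administrative reset the lockout forces.
        self._locked.discard(username)
        self._failures[username] = 0


def run_guess_list(auth: Authenticator, username: str, guesses) -> dict:
    """Feed a guess list to the authenticator, stopping at success or
    lockout. Returns how many guesses were evaluated and the outcome."""
    tried = 0
    for guess in guesses:
        result = auth.login(username, guess)
        if result == "locked":
            break
        tried += 1
        if result == "ok":
            return {"tried": tried, "outcome": "found"}
        if auth.is_locked(username):
            return {"tried": tried, "outcome": "locked"}
    return {"tried": tried, "outcome": "exhausted"}


if __name__ == "__main__":
    strict = Authenticator(max_failures=5)
    strict.register("alice", "xK9#vL2$pQ7m")          # constructed credential
    print(run_guess_list(strict, "alice", COMMON_PASSWORDS))
    # The legitimate user is now shut out too, until an unlock.
    print(strict.login("alice", "xK9#vL2$pQ7m"))
    lax = Authenticator(max_failures=1000)
    lax.register("bob", "qwerty")                     # constructed weak password
    print(run_guess_list(lax, "bob", COMMON_PASSWORDS))
```

With the threshold at 5, the twelve-entry list is cut off after five guesses and the account is locked, so the remaining entries are never evaluated. With the threshold raised to 1000 (the "cranked up" limit from the anecdote) the same list finds the weak password on its fifth guess. The second `login` call after lockout shows the other side of the policy: the correct password is refused as well, which is exactly how a lock can be turned into a nuisance against the account's owner.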
