[LINK] Guidance re Passwords
Roger Clarke
Roger.Clarke at xamax.com.au
Wed Jul 27 11:44:26 AEST 2011
At 10:42 +1000 27/7/11, Birch, Jim wrote:
>(OTOH a colleague in
>the school system told me they had to crank up the bad password limit on
>teachers' accounts to somewhat insecure levels because the kids would
>trip them - not to break in, but to disrupt the class by locking their
>teacher's account...)
Damn, I overlooked DoS by account-lockout. Nice one.
I stuck to the very simple concept of 'practicality', and the only
trade-off I really mentioned was strength vs. rememberability. I can
include this as another factor that needs to be reflected /
traded-off.
>A 16 character random password which includes digits, special
>characters, and case changes with one in a gazillion guess probability
>might be a good idea for file encryption but offers zero additional
>protection against social engineering attacks, rootkits, keyloggers,
>fake links, men-in-the-middle, server breaches, etc. It would be much
>more useful to enforce the factors that limit these attacks.
Also nice, thanks Jim.
I had to dumb down the security theory (e.g. I intentionally
conflated threats and vulnerabilities into 'risks' - which a purist
will hate).
It's not easy to include a detailed mapping of safeguards against
'risks', without making it too complex for the target readership.
But hopefully I can find a way to encourage the more capable readers
to twig to those kinds of issues.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
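The lockout trade-off Jim describes (a third party tripping the bad-password limit to lock out the legitimate user), as an added example that is not part of the original thread: a small Python simulation, with constructed account and host names and a constructed threshold, comparing a classic per-account hard lockout with a per-source throttle.

```python
"""Simulate DoS-by-account-lockout and one common mitigation.

Policy A (HardLockout): lock the whole account after N bad passwords,
regardless of who submitted them.  Anyone who knows a username can
lock its owner out.
Policy B (SourceThrottle): count failures per (account, source) and
throttle only the noisy source; the account itself is never locked.
All names and the threshold below are constructed for illustration.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # constructed value, not taken from the thread


class HardLockout:
    """Lock the account once failures from any source reach the threshold."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, account, source, password_ok):
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            return "locked"          # even a correct password is refused
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"


class SourceThrottle:
    """Track failures per (account, source); block only that source."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, account, source, password_ok):
        key = (account, source)
        if self.failures[key] >= LOCKOUT_THRESHOLD:
            return "throttled"       # the guessing host is slowed/blocked
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def classroom_scenario(policy):
    """Constructed: a lab PC sends 6 bad guesses at the teacher's account,
    then the teacher logs in correctly from a different machine."""
    for _ in range(6):
        policy.attempt("teacher", "lab-pc-07", password_ok=False)
    return policy.attempt("teacher", "staff-laptop", password_ok=True)


if __name__ == "__main__":
    print(classroom_scenario(HardLockout()))     # locked: DoS succeeded
    print(classroom_scenario(SourceThrottle()))  # ok: teacher unaffected
```

A per-source throttle on its own still lets a guesser who can rotate sources pace attempts, so in practice it is combined with other limits (progressive delays, alerting on aggregate failures per account); the point here is only that the lockout knob is itself an availability risk.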