[PLUG] Email passwd and username recovery
Paul Heinlein
heinlein at attbi.com
Sat Mar 8 08:23:03 UTC 2003
On 7 Mar 2003, Steven A. Adams wrote:
> Speaking from experience, I don't *fully* agree with this anymore
> Carla. Although this theory works, the use of stronger passwords
> will, in the case of most users, promote system unavailability....
>
> Moral of this rant:
> Stronger system rules, like the "three strikes and you're locked out"
> rule, make better sense than to force randomly generated and/or
> excessively long and cryptic passwords down the throat of the user
> community.
I really think password policies need to be appropriate to the
situation.
* When I've worked in a small private company, I typically ran John the
  Ripper or l0phtcrack and *advised* employees that their passwords
  were easily cracked using freely available tools.
I worked under the assumption, however, that our network was
relatively secure and insulated. I told employees that the biggest
danger to their account's security was probably other employees
running similar tools. I left it up to them to implement any
changes, but told them they'd be getting a similar notice every
  couple of months if their passwords were still easily cracked.
* Working in academia, where network users come and go at a dizzying
pace -- that's something different. The network is much less
insulated, much larger, and much more difficult to monitor.
In our case, we run John the Ripper once a quarter and notify anyone
with an easily cracked password to make it more difficult *now*;
we check again in a few days and start disabling accounts (students)
or scheduling quick why-this-is-important meetings (faculty and
staff).
I just don't think there's a one-size-fits-all rule for password
management. Sometimes you can be loose, sometimes not.
--Paul Heinlein <heinlein at attbi.com>
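The quarterly loop Paul describes for the academic network (run John the Ripper, notify everyone whose password cracked, recheck a few days later, then disable student accounts or schedule a meeting for faculty and staff) is mostly glue around the cracker. The script below is an added example, not code from the post or from the PLUG list; it parses constructed `john --show` output (the `user:cleartext:uid:gid:gecos:home:shell` lines john prints for an unshadowed passwd file, plus its summary line), tracks when each user was first notified, and decides the follow-up action after a grace period. The three-day grace period, the role lookup (`ROLES`), the sample users and the `usermod -L` command it renders are all assumptions for illustration; a real deployment would pull roles from the directory and send the notices itself.

```python
"""Drive a notify -> recheck -> act password-audit loop over `john --show` output.

Added example; assumes john has already been run against an unshadowed
passwd file and its `--show` output has been captured to text.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of `john --show` output (not real accounts).
SAMPLE_JOHN_SHOW = """\
alice:password1:1001:1001:Alice Student:/home/alice:/bin/bash
bob:Summer2003:1002:1002:Bob Faculty:/home/bob:/bin/bash
carol:carol123:1003:1003:Carol Staff:/home/carol:/bin/bash

3 password hashes cracked, 40 left
"""

# Assumed role lookup; in practice this would come from LDAP/NIS groups.
ROLES = {"alice": "student", "bob": "faculty", "carol": "staff"}

# "Check again in a few days": the grace period before we act (assumed: 3 days).
GRACE_PERIOD = timedelta(days=3)


@dataclass(frozen=True)
class Action:
    user: str
    kind: str  # "notify", "wait", "disable", "meeting" or "clear"


def parse_john_show(text: str) -> set[str]:
    """Return the usernames john reported as cracked.

    Data lines are colon-separated passwd-style records; the trailing
    "N password hashes cracked, M left" summary has no colons and is skipped.
    """
    cracked = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        cracked.add(line.split(":", 1)[0])
    return cracked


def audit(cracked: set[str], roles: dict, flagged: dict, today: date) -> list[Action]:
    """Decide what to do for each cracked account on this run.

    `flagged` maps user -> date of first notice and is updated in place so
    the next run (a few days later) can see how long the user has had.
    """
    actions = []
    for user in sorted(cracked):
        first_notice = flagged.get(user)
        if first_notice is None:
            flagged[user] = today            # first sighting: tell them now
            actions.append(Action(user, "notify"))
        elif today - first_notice >= GRACE_PERIOD:
            # Grace period over: students lose the account, staff get a meeting.
            kind = "disable" if roles.get(user) == "student" else "meeting"
            actions.append(Action(user, kind))
        else:
            actions.append(Action(user, "wait"))
    # Anyone no longer cracked has fixed their password: drop them from the list.
    for user in sorted(flagged):
        if user not in cracked:
            del flagged[user]
            actions.append(Action(user, "clear"))
    return actions


def render_commands(actions: list[Action]) -> list[str]:
    """Turn 'disable' actions into the shell commands an admin would run.

    Rendered only, never executed here; `usermod -L` locks the password
    without deleting the account.
    """
    return [f"usermod -L {a.user}" for a in actions if a.kind == "disable"]


if __name__ == "__main__":
    flagged: dict = {}
    first_run = audit(parse_john_show(SAMPLE_JOHN_SHOW), ROLES, flagged, date(2003, 3, 3))
    print("first run:", [(a.user, a.kind) for a in first_run])
    # A few days later carol has changed her password; alice and bob have not.
    recheck = audit({"alice", "bob"}, ROLES, flagged, date(2003, 3, 7))
    print("recheck:  ", [(a.user, a.kind) for a in recheck])
    print("commands: ", render_commands(recheck))
```

Running it prints three `notify` actions on the first pass and, on the recheck, `disable` for the student, `meeting` for the faculty member and `clear` for the user who fixed her password, along with the single `usermod -L alice` the admin would run.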