[PLUG] Emaill passwd and username recovery

Paul Heinlein heinlein at attbi.com
Sat Mar 8 08:23:03 UTC 2003


On 7 Mar 2003, Steven A. Adams wrote:

> Speaking from experience, I don't *fully* agree with this anymore
> Carla. Although this theory works, the use of stronger passwords
> will, in the case of most users, promote system unavailability....
>
> Moral of this rant:
> Stronger system rules, like the three strikes and you're locked out
> rule, make better sense than to force randomly generated and/or
> excessively long and cryptic passwords down the throat of the user
> community.

I really think password policies need to be appropriate to the 
situation.

* When I've worked in a small private company, I typically ran John the 
  Ripper or l0phtcrack and *advised* employees that their passwords 
  are easily cracked using freely available tools.

  I worked under the assumption, however, that our network was
  relatively secure and insulated. I told employees that the biggest 
  danger to their account's security was probably other employees 
  running similar tools. I left it up to them to implement any 
  changes, but told them they'd be getting a similar notice every 
  couple months if their passwords were still easily cracked.

* Working in academia, where network users come and go at a dizzying 
  pace -- that's something different. The network is much less 
  insulated, much larger, and much more difficult to monitor.

  In our case, we run John the Ripper once a quarter and notify anyone 
  with an easily cracked password to make it more difficult *now*; 
  we check again in a few days and start disabling accounts (students) 
  or scheduling quick why-this-is-important meetings (faculty and 
  staff).

I just don't think there's a one-size-fits-all rule for password 
management. Sometimes you can be loose, sometimes not.

--Paul Heinlein <heinlein at attbi.com>
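The quarterly notify-then-act cycle Paul describes (run a cracker, warn users with weak passwords, re-check a few days later, then disable student accounts or schedule a meeting for faculty and staff) can be tracked with a small script. The following is an added example written for this archive page, not code from Paul or from the PLUG list. It assumes a cracker report in the "user:password" line shape that `john --show` prints, a constructed role directory, and an assumed three-day grace period; nothing here cracks passwords, it only turns an existing report into the follow-up actions the post outlines.

```python
"""Weak-password remediation workflow (added example; not from the original post).

Assumptions (not stated in the post):
  * the cracker report is text with "username:password" lines, the shape of
    `john --show` output, followed by a summary line that is skipped;
  * account roles come from a small constructed directory;
  * GRACE_DAYS is an assumed value for "we check again in a few days".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

GRACE_DAYS = 3  # assumed grace period between first notice and enforcement

# Constructed sample report (john --show style); not real accounts.
CRACKED_REPORT = """\
alice:password1
bob:letmein
carol:qwerty
3 password hashes cracked, 40 left
"""

# Constructed role directory used to pick the enforcement action.
ROLES = {"alice": "student", "bob": "faculty", "carol": "staff", "dave": "student"}

EXAMPLE_DAY = date(2003, 3, 7)  # constructed run date for the walkthrough


def days_after(d: date, n: int) -> date:
    """Convenience helper so callers can step the calendar forward."""
    return d + timedelta(days=n)


@dataclass
class AccountState:
    """Per-user tracking of where an account is in the remediation cycle."""
    user: str
    first_notified: Optional[date] = None
    disabled: bool = False
    meeting_scheduled: bool = False


def parse_cracked_users(report: str) -> Set[str]:
    """Return the usernames from a user:password report, skipping summary lines."""
    users: Set[str] = set()
    for line in report.splitlines():
        if ":" not in line:
            continue  # summary line such as "3 password hashes cracked, 40 left"
        users.add(line.split(":", 1)[0].strip())
    return users


def apply_policy(cracked: Set[str], states: Dict[str, AccountState],
                 roles: Dict[str, str], today: date) -> List[Tuple[str, str]]:
    """Decide the action for every still-cracked account and update state.

    First sighting -> "notify"; within the grace period -> "wait";
    after the grace period -> "disable" (students) or "meeting" (faculty/staff).
    Accounts that no longer appear in the report drop out of tracking.
    """
    actions: List[Tuple[str, str]] = []
    for user in sorted(cracked):
        st = states.setdefault(user, AccountState(user))
        if st.first_notified is None:
            st.first_notified = today
            actions.append((user, "notify"))
            continue
        if today - st.first_notified < timedelta(days=GRACE_DAYS):
            actions.append((user, "wait"))
            continue
        if roles.get(user, "student") == "student":
            st.disabled = True
            actions.append((user, "disable"))
        else:
            st.meeting_scheduled = True
            actions.append((user, "meeting"))
    # A user who fixed the password between runs is no longer tracked.
    for user in list(states):
        if user not in cracked:
            del states[user]
    return actions


if __name__ == "__main__":
    tracking: Dict[str, AccountState] = {}
    cracked = parse_cracked_users(CRACKED_REPORT)
    print("day 0:", apply_policy(cracked, tracking, ROLES, EXAMPLE_DAY))
    print("day 1:", apply_policy(cracked, tracking, ROLES, days_after(EXAMPLE_DAY, 1)))
    # Suppose carol changed her password before the follow-up check.
    print("day 3:", apply_policy(cracked - {"carol"}, tracking, ROLES,
                                 days_after(EXAMPLE_DAY, 3)))
```

The state dictionary is the piece worth persisting between quarterly runs; whether an account is disabled or a meeting is scheduled depends only on how long it has stayed on the report after the first notice, which keeps the enforcement step mechanical and auditable.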
