itPro, please forgive me as it is almost 40 years since I studied this stuff at university.
Your first comment would depend on whether the selection was "with replacement" or not wouldn't it. You know, a bit like a lottery?
I was reading back over the thread just in case I missed anything, and I noticed something. If something is truly random, then it is not guaranteed to be unique. As well as any programmer knows "random", it is following a pattern
Yes "random" follows a pattern, and I suppose that there is the possibility of "collisions", depending on the quality of the algorithm used.
I don't think so, because the date and time are the same for everyone in the same time zone at any given point in time? That is why I suggested combining you two methods to ensure uniqueness.
That is actually why using a date/time stamp is better, since it will ALWAYS be unique
Quite! why make it easy for them? Also you musn't forget the potential for "the enemy within", employees have some sort of access and they can get in through the door (past the primary physical security)?
The security factor is meant to be preventative, so why wouldn't you implement these security features before an attacker does gain access?
Hey, I have worked in the finance and defence sectors most of my life and for outfits with maybe 250,000 employees or more.
As you said, it will not, if you enforce unique usernames, but that might prove harder to do in a larger company, and certainly more of a pain for the users themselves.
1. It is ridiculously easy........... hell, I could do it on a PI with Win 3.11 and Office 4.3 I know, because I have ;)
2. Why is it a pain?.............. like you chose your own name when you were born? Hell, when you join a big outfit you are given an employee number........... you need it to claim your expenses............never met any bastard who forgot it yet :D
I started work in late '72 and to this very day I have never heard of anyone forgetting their user ID............ passwords....... yeah loads of times, but user ID? never!
I also agree with Negative when he says:
That is very true, and I commented earlier in this thread that if an attacker had access to the hash they would probably have access to much more. It sort of depends on whether you are looking at a local or remote attack?
If the attacker does not have access to the hash, the scheme does not add security.
To support Neg~, all my home PCs that need a password have it taped to the top.................. If someone accesses that, they have broken into my home? (I trust my wife and cats :D)
Most of them are x86, PI, PII, PIII, P4, Athlon XP boxes that I was given or purchased for minimal amounts, so I don't think that they are really worth stealing............... actually, three of them were even delivered to my house by the refuse disposal guys (trash throwers). I am old and poor so the guys deliver as well as collect :lildevil:
The point is, that I never keep any confidential information on them. It may be private, but not confidential. Anyway, most are just experimental boxes that I re-image, so only the CD is something to secure?
itPro, I think that we need to look at what I will loosely describe as the "security cycle"?
1. Risk Analysis
2. Security Model
3. User Authorisation Policy
4. Identification of Processes and Procedures Required
5. Implementation and Enforcement of Determined Model & Policy using defined processes and supporting procedures
For that, I think that we need to bring in the "environment" variable?