October 18th, 2005, 09:35 PM
Yep, "Passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise." So I guess they could start jotting them down on memo pads.
It's smart to avoid needless exposure of users' passwords, and in this case I think you're needlessly exposing them. Most of all you're needlessly generating complexity, thus lowering assurances. What type of access control mechanisms in this program are used to protect the "Password Strength Programs data base" from unauthorized modification and disclosure?
If your goal is to educate, launch a "Security Awareness" treatise and have them signed. "To assure security awareness among the user population, it is recommended that each user be required to sign a statement to acknowledge understanding these responsibilities."
If a particular user's password is not meeting your standards... well... in a mature environment the SSO would've swiftly taken care of that. Just use the "password lifetime" method. A maximum lifetime of any password can be forced through the system's policies.
Consult the TFM to have a better understanding of how a secure facility should be run on many points.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
October 18th, 2005, 11:48 PM
One more thing: a mature, security-focused environment wouldn't have given you the time to sit around and come up with ideas like this to "perfect your network". With an advanced CCMS you would've taken part in a role rotation by now. Wow, it just hit me like a ton of bricks; I wholly understand exactly why these concepts are used in mature environments. It's all making sense.
October 31st, 2005, 06:19 AM
There is a password generator which shows the quality (in bits) of your password in KeePass Password Safe, which runs in Windows.
"Luck is what happens when preparation meets opportunity."
(Roman philosopher, mid-1st century AD)
October 31st, 2005, 01:51 PM
In that case your issue is more one of password SECURITY than of password STRENGTH.
Well, this would be a strictly internal website; no access to the internet on the computers they are using anyway.
If you enforce a STRONG password policy you will stand a good chance of defeating its object, because people will write them down, making them INSECURE.
It is all a question of balance, and determining a policy commensurate with the degree of risk/exposure.
Also remember that in a "closed" environment people can be very trusting and easily socially engineered. You should not ignore that aspect.
If you are employing a shower of skiddies and wannabe hackers, you have an HR problem.
Just make sure that your policies only give individuals the authority and access to that which they NEED to perform their legitimate functions.
October 31st, 2005, 04:32 PM
/somewhat off topic, hence the double post:
Well Rusty~ that raises a few interesting side issues does it not?
Isn't the SSO the only person who should know the password besides the user?
My answer would be that no-one other than the user should know the user password. I am proposing that from a sort of "legal consequences" viewpoint. If the SSO can see everyone's password, then he can impersonate them... now, you would not win a case over here with a weakness like that... sure, the SSO (and admins) can change or reset a user password and they will have appropriate authority over the system to do their jobs, but they should not be able to read a user password and thereby impersonate them?
I am citing the concept of "reasonable doubt" here. Juries are pretty easy to read on this one... the more complex, conspiratorial and criminal the possible frame-up, the less reasonable the doubt.
Also there is the psychological thing?... if the workers think that the admins can see their passwords, they will not buy into any sort of password security policy, and with considerable justification IMO.
I got caught with that once, when explaining why I did not know a user's password. I said "Would you give me your credit card and PIN?"... a lady handed her CC to me and said "Sure Johnno, there's no credit left but you are welcome to pay off the outstanding balance."
You can't win them all?... but the odd one now and then would be nice?
October 31st, 2005, 04:41 PM
I like Google's password strength program because it is more intelligent. I was checking it out and I noticed little things like: if you choose a password like "lordofthering" your password strength is excellent, but as soon as you make it "lordoftherings", your password strength drops down to weak.
I haven't experimented with the MS version yet but I'm not expecting much from it. Anybody tried playing around with that one?
October 31st, 2005, 04:49 PM
Your example shows that an exact match against a dictionary scan is required.
That is no confidence regarding brute force attacks.
Then there is "fuzzy logic", which, if combined with a dictionary attack, could make them very much more effective.
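The "lordofthering" vs. "lordoftherings" observation and the reply about exact dictionary matches versus fuzzy matching can be made concrete with a small strength estimator. This is an added example, not code from any of the posters or from Google's or Microsoft's checkers; the word list, the leet-speak table and the 10-bit "variation budget" are constructed assumptions.

```python
import math

# Constructed mini word list standing in for a real cracking dictionary (assumption).
WORDLIST = {"password", "lordoftherings", "welcome", "letmein", "qwerty", "dragon"}

# Common leet substitutions to undo before comparing (assumption, not exhaustive).
LEET = {"@": "a", "4": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"}


def normalize(pw: str) -> str:
    """Lowercase and undo leet so 'P@ssw0rd' compares as 'password'."""
    return "".join(LEET.get(c, c) for c in pw.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dictionary_hit(pw: str, words=WORDLIST):
    """'exact' is all an exact-match checker sees; 'edit1'/'contains' are the fuzzy cases."""
    n = normalize(pw)
    if n in words:
        return "exact"
    if any(edit_distance(n, w) <= 1 for w in words):   # catches 'lordofthering'
        return "edit1"
    if any(len(w) >= 5 and w in n for w in words):      # catches 'mypasswordx'
        return "contains"
    return None


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes present (33 = printable ASCII symbols)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    return sum(n for test, n in classes if any(test(c) for c in pw))


def strength_bits(pw: str, words=WORDLIST) -> float:
    """Brute-force bits for a random string, capped when the password is dictionary-derived."""
    brute = len(pw) * math.log2(max(charset_size(pw), 1))
    if dictionary_hit(pw, words) is None:
        return round(brute, 1)
    # Guessing a dictionary word plus a fuzzy variation costs roughly log2(|dict|) + ~10 bits.
    return round(min(brute, math.log2(len(words)) + 10), 1)
```

With a real word list of a few hundred thousand entries the cap lands near 30 bits, which is why a 13-letter dictionary-derived password rated "excellent" by an exact-match check is still a cheap guess.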