If everyone is using good password policies (and enforcing them), then this really wouldn't be an issue.
1) No dictionary words!
2) No password shorter than 14 characters
In the real world, that just doesn't happen... I have yet to find a basic end user with a 14 character password. I have been able to get better passwords using pass phrases instead.
Quote:
If everyone is using good password policies (and enforcing them), then this really wouldn't be an issue.
Rights and permissions are the other layer I use: very limited access to network data and services, machines etc. No one has access to anything other than what is required for their job function.
I also block certain files in the email client.
Also, a computer usage policy, where surfing is monitored, in and out.
Security auditing on the server and privileged workstations.
These steps have greatly improved the security of the network, more so than just a good password policy.
Security has to be layered. They may be able to jump one barrier, just to face another.
Passwords do not matter if I have physical access to the machine. If it is a network machine, data is stored on the server, not on the client.
MLF
True, most passwords are painfully simple. I like the email layout <something>@<something>.<something>; it makes them think of 3 different things, and uses @ and . It only works if they don't make it an actual email address, like [email protected]. Note this isn't my real password... I don't think. :)
"In the real world, that just doesn't happen... I have yet to find a basic end user with a 14 character password. I have been able to get better passwords using pass phrases instead."
Very true. However, if we're talking M$, there are password policy plugins that you can develop that will force users to follow password policies. Simple point: you HAVE TO FORCE USERS TO COMPLY WITH YOUR PASSWORD POLICY. A little hacking could make it work on Linux as well.
Personally I do something like Ech0 was talking about:
True, most passwords are painfully simple. I like the email layout <something>@<something>.<something>; it makes them think of 3 different things, and uses @ and . It only works if they don't make it an actual email address, like [email protected]. Note this isn't my real password... I don't think.
Use phrases (because they're easy to remember) but separate the words with different alphanumeric characters. Example: BoW$TO$ThE$CoW
Why not just use spaces?
Quote:
BoW$TO$ThE$CoW
This has been discussed before, where you make the user password so difficult, and change it so often, that they write them down or resort to the method below.
Quote is from a response to the article originally posted here:
http://www.antionline.com/showthread...096#post871096
All I am saying is passwords should not be your only security.
Quote:
What this article does not mention is password policies that unintentionally encourage weak passwords. A company that I once worked for forced users to change their passwords every 30 days, with password expiring warnings within 15 days of expiry. Also, passwords could only be changed once in a 24 hour period, and one could not reuse a password that had been used in the last 5 changes. The result was that most users created very simple passwords that included a number representing the month of the year combined with a minimum number of other characters that satisfied the other character requirements for passwords (upper and lower case letters). This was common so the users could remember their frequently changing password.
I believe the end result was a computer network that was far less secure as a result of the policy.
Of course the policy was never changed because it was created for the sake of having a policy; whether it made the system more secure was less important.
Mmmmooooooooooo ;)
MLF
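As an added example (not code from anyone in this thread), here is a small policy check in Python that encodes the rules discussed above: the 14 character minimum, rejection of a lone dictionary word dressed up with digits and symbols, acceptance of separator-joined or space-separated pass phrases like BoW$TO$ThE$CoW, and a flag for the "current month number plus a few letters" pattern that the 30-day rotation policy produced. The word list and the sample passwords are constructed for illustration.

```python
import re
from datetime import date

# Constructed toy word list; a real check would load a full dictionary file.
DICTIONARY = {"password", "welcome", "secret", "summer", "bow", "to", "the", "cow"}
MIN_LENGTH = 14


def is_passphrase(pw, min_words=3):
    """True when pw is several words joined by spaces or symbols (BoW$TO$ThE$CoW)."""
    words = [w for w in re.split(r"[^A-Za-z]+", pw) if w]
    return len(words) >= min_words


def looks_month_based(pw, month=None):
    """Detect the rotation artifact from the thread: the current or next month
    number plus only enough letters to satisfy upper/lower case requirements."""
    month = month or date.today().month
    nxt = month % 12 + 1
    month_tokens = {str(month), f"{month:02d}", str(nxt), f"{nxt:02d}"}
    digits = re.findall(r"\d+", pw)
    letters = re.sub(r"[^A-Za-z]", "", pw)
    return any(d in month_tokens for d in digits) and len(letters) <= 6


def check_password(pw, month=None):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip digits/symbols so "Summer2024!" is still recognised as "summer".
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in DICTIONARY and not is_passphrase(pw):
        problems.append("single dictionary word with decoration")
    if looks_month_based(pw, month):
        problems.append("month-number pattern (rotation artifact)")
    return problems


if __name__ == "__main__":
    # Constructed samples: passphrases pass, decorated words and month codes fail.
    for sample in ("BoW$TO$ThE$CoW", "bow to the cow", "Summer2024!", "Mar03!!"):
        print(f"{sample!r}: {check_password(sample, month=3) or 'OK'}")
```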