Thread: Creating strong passwords and keeping them secret.

  1. #11
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    This is turning into a very interesting thread. Thanks for the good dialog guys. Metguru made some great points. I tried to give him [guessing you are a male, sorry if I am wrong] some APs, but it said I must spread them around.

    I would definitely agree that passwords can be bypassed as an authentication method with various exploits, but what do you guys suggest as far as good precautionary measures? Obviously, keep your systems patched, implement layered security, kill unneeded services [decrease your attackable surface], keep an eye on your logs... etc. What other measures do you guys implement to secure your systems against the attacks discussed in this thread?

    Metguru brought up sniffing unencrypted traffic, which, depending on what service you are providing, includes some sort of user education. Working for a school district, I usually have a really hard time trying to educate the teachers. Their skill levels range from moderate to [no kidding] "Where is the enter key?". [Yes, that actually happened at the beginning of the school year]. I send out examples of phishing/fraudulent emails as often as I get them. I highlight the things to watch out for... but when you start telling them to make sure that their session is encrypted, their eyes glaze over. It isn't as simple as telling them to look for the little lock icon, because SSLStrip adds that as the favicon. I usually tell them to look for the https, but even that is beyond some of them. They largely rely on bookmarks, and don't really even know what a URL is. We have had several teachers lose their bookmarks, and all of a sudden they have no idea how to check their mail, get to the school website, etc. So, telling them to look at the address bar can oftentimes put them into dummy mode.

    By the way... sorry for the rant... 'Tis the season!
    Last edited by westin; December 23rd, 2010 at 07:30 AM.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
