 |
|
|
 Welcome to the Virus.Org Mailing List Archive |
||
 |
||
|
||
|
I've always prefered a token-based solution (like SecureID by RSA). This allows users to have a simple-to-remember pin along with a key randomly generated by a physical token device. You can configure most (if not all) of your security sensitive systems to use the same pin/token with the only way for non-authorized personel to gain acess being to gain physical access to the token along with the user's pin. The key to this working is to be on the ball with deactivating lost/missing/terminated tokens. It isn't perfect, no system is, but I've always felt that a dynamic system is better then a static one, no matter how convoluted and involved the static solution (complext passcodes, ect) may be. In addition, a token-based system is generaly far cheaper then deploying fingerprint id tech and the ilk. -William Baglivio --- Andrew Shore <[EMAIL PROTECTED]> wrote: > I think one issue that is being over looked here is > the networks weakest point, the users. > > I have worked for many large (in terms of user base) > companies and the biggest problem is to first > explain how to create a complex password and the > second is to get them to remember it. > > When ever I have tried to get strong passwords into > an organisation the first problem is the huge > increase in users calling the helpdesk because > they've forgotten the password, with all the > identification issues that generates. Then there is > the scrap of paper under the keyboard because the > new passwords are "too hard" > > If you work in a very secure environment you have to > use some form of strong authentication, probably a > two factor solution, but this can not be rolled out > for the masses (cost!) > > So a line has to be drawn. I don't have the answer > but I know from bitter experience the costs of tying > down general user passwords too far. > > Just my 2 cents > > Andy > > -----Original Message----- > From: Über GuidoZ [mailto:[EMAIL PROTECTED] > Sent: 11 September 2004 19:30 > To: Teo Gomez > Cc: Andrew Shore; Simon Zuckerbraun; > [EMAIL PROTECTED] > Subject: Re: Password Cracking > > While it's true that "October10,1977" is a strong > password by most > rules, I'd beg to differ that it is a good password. > Due to the ease > of social engineering, it may not be. I, for one, > will test common > dates (birthdays, anniversaries, etc) in all forms > first, when looking > for a password. (All forms means backwards, > forwards, short hand, long > hand, etc). Most people use these as passwords since > they are easy to > remember. The next step when using "trial-and-error" > method is names > of those close to them (family, loved ones, pets, > etc). You may be > surprised how easy it is simply guess a password > when you try. > > If you would like to use something easy to remember, > try at least > swapping something around, but not in a usual way. > Like make it > "Rctobeo" (swapped the O and R) or "7197" (instead > of 1977)... > something to that effect. I usually don't try those > types of swaps > until I use a brute force method. On a side note, > while it's better > then nothing, and adding a "1" to a name isn't a way > to secure it > either. =P I will try that 3rd. > > > On Fri, 10 Sep 2004 14:23:17 -0400, Teo Gomez > <[EMAIL PROTECTED]> wrote: > > Even enforcing complex passwords does not > guarantee that passwords be > > 'strong.' For example, October20,1977 is my > birthday, and is a strong > > password. Try and get users to use pass phrases > instead of passwords. > > For example, My cat's hair is blue, is a complex > pass phrase. > > > > Teo > > > > -----Original Message----- > > From: Andrew Shore > [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, September 08, 2004 4:37 AM > > To: Simon Zuckerbraun; > [EMAIL PROTECTED] > > Subject: RE: Password Cracking > > > > Depending up on the servers strong passwords can > be enforced. > > > > NT4 SP4 and Win2k AD support this as do most Linux > distributions. > > > > That way you don't need to check the passwords. > > > > -----Original Message----- > > From: Simon Zuckerbraun > [mailto:[EMAIL PROTECTED] > > Sent: 05 September 2004 04:05 > > To: [EMAIL PROTECTED] > > Subject: RE: Password Cracking > > > > If I understand correctly, LC is capable of doing > what you're asking. > > > > Simon > > > > -----Original Message----- > > From: Eoin Fleming [mailto:[EMAIL PROTECTED] > > Sent: Friday, August 27, 2004 4:44 PM > > To: [EMAIL PROTECTED] > > Subject: Password Cracking > > > > Bit of an unusual one - > > > > Lets imagine you are a security administrator at a > company - strong > > passwords are enforced but you suspect that there > may be exceptions and > > you want to raise management awareness of breaches > of the password > > policy BUT you can't run cracking software as then > you will know > > individuals passwords - which you don't want to > know as this breaks > > acountability rather nicely. > > > > In short - is there software that can perform the > function of LC and > > John without giving the admin the password but > rather rate the password > > against against a set criteria? > > > > --------------------------------------------------------------------------- > Computer Forensics Training at the InfoSec > Institute. All of our class sizes > are guaranteed to be 12 students or less to > facilitate one-on-one > interaction with one of our expert instructors. Gain > the in-demand skills of > a certified computer examiner, learn to recover > trace data left behind by > fraud, theft, and cybercrime perpetrators. Discover > the source of computer > crime and abuse so that it never happens again. > > http://www.infosecinstitute.com/courses/computer_forensics_training.html > ---------------------------------------------------------------------------- > > --------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
|
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.