[Discuss] deadmanish login?
Grant NAPC
gmongardi at napc.com
Tue Jan 31 08:23:43 EST 2017
On 01/31/2017 07:54 AM, Kent Borg wrote:
> On 01/30/2017 08:46 PM, Dan Ritter wrote:
>> First off, you should be using ssh keys and not passwords.
>
> No, you should be using passwords not keys. (In most cases.)
>
> Protect your password, don't give it to anyone, don't recycle it on
> different sites. A good password can be easy to remember and easy to
> type. As bad as manually typed passwords are the sparkly alternatives
> are almost always worse.
I agree with Kent, although I do believe you should rotate your password
at some reasonable interval. We do enforce password rotation and a mix
of alphanumeric/symbols at my company. Password length needs to be
paramount also. I've practiced and recommended using actual sentences as
opposed to passwords
(http://blog.napc.com/password-performance-that-isn-t-a-compromise). If
your systems are limiting you to 8 characters then you really need to
update those systems because passwords probably aren't the only part of
those that are insecure. Most modern systems will support at least 32
character passwords so having any password less than 10 characters is
something I would strongly recommend against. Typing "B at con is g00d." is
really no more difficult than typing "Meg at s0nic" and extends the
likelihood of compromise from months to centuries. Mind you, a good
password is only one small part of a solution (sudo, named-accounts,
audit logs, lockout timers, etc.), but it's definitely your first-line
of defense.
Grant M.
--
Grant Mongardi
Senior Systems Engineer
NAPC
gmongardi at napc.com
http://www.napc.com/
twitter: @Grantonator
LinkedIn: http://www.linkedin.com/pub/grant-mongardi/19/34/182/
781.894.3114 phone
781.894.3997 fax
NAPC | technology matters
More information about the Discuss
mailing list