BLU Discuss list archive
[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: gmongardi at napc.com (Grant NAPC)
- Date: Tue, 31 Jan 2017 11:30:51 -0500
- In-reply-to: <565bdd82-c70e-3e64-6786-63f9b8de12da@borg.org>
- References: <iydoKFG1q6EvZNl6T2sztfNEyMK3eE7jp_2ZXrcPTgVFK1IPE5deLwZcViB_xDQMcb16enHDIBp9gek18AIxu5VrLtdgSHK6qEOO91dh2nA=@protonmail.com> <20170131014651.GA21915@newtao.randomstring.org> <1cca093a-2f5b-c105-0288-5f435c11104e@borg.org> <e94de5ff-7644-d501-ccb4-fd4a6b32ff7a@napc.com> <565bdd82-c70e-3e64-6786-63f9b8de12da@borg.org>
On 01/31/2017 08:48 AM, Kent Borg wrote:
> On 01/31/2017 08:23 AM, Grant NAPC wrote:
>> I agree with Kent, although I do believe you should rotate your
>> password at some reasonable interval. We do enforce password rotation
>> and a mix of alphanumeric/symbols at my company.
>
> Here is an idea: Don't let users set their own passwords. That way you
> can be sure you aren't being fed that user's Ashley Madison or Yahoo
> password. This won't prevent password reuse in the other direction,
> unfortunately.
>
> "15-ladder-bamboo-sierra" is an easy password to remember and type, yet
> it has 40-bits of entropy. Even if some bizarrely configured sshd
> allowed 1000-attempts per second (which they don't) it would still take
> over 18-years to try half the combinations.
>
> 02-alex-smile-metro, 5b-mile-sleep-school, ea-mercy-copy-pizza...

I think it's better to train them how to create those passwords on their own and then require them to change them, so that should they reuse them elsewhere, they are only a concern for 90 days or whatever. Creating a non-rotating password that they then use on Yahoo!, Instagram, etc., because they can remember it and "you told me it was secure!" doesn't make me feel all that comfortable. The fact remains, if they then click a link in some phishing email and type that password into fake-Facebook.com, then that password you told them was secure is everything but that. It may be that we're talking about 2 different classes of people here, but I believe the risk is similar.

Grant M.

-- 
Grant Mongardi
Senior Systems Engineer
NAPC
gmongardi at napc.com
http://www.napc.com/
twitter: @Grantonator
LinkedIn: http://www.linkedin.com/pub/grant-mongardi/19/34/182/
781.894.3114 phone
781.894.3997 fax
NAPC | technology matters
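The quoted passphrase scheme (a short hex prefix plus a few dictionary words, with the entropy and the online-guessing time estimate that go with it) is easy to reason about in code. The following is an added example, not code from the list or from either poster: it generates passphrases of that shape with the CSPRNG-backed `secrets` module, computes the entropy from the sizes of the choice spaces, and turns a bit count plus an assumed guess rate into the "years to search half the space" figure. The word list is a constructed stand-in; a real deployment would load a list of a few thousand words, and the list size is what drives the entropy, as the comparison in the `__main__` block shows.

```python
import math
import re
import secrets

# Constructed stand-in for a real word list. A real generator would load a
# list of a few thousand words (the EFF long list has 7776); the entropy
# functions below take the list size as a parameter for exactly that reason.
SAMPLE_WORDS = [
    "ladder", "bamboo", "sierra", "alex", "smile", "metro", "mile", "sleep",
    "school", "mercy", "copy", "pizza", "river", "candle", "orbit", "maple",
]


def generate_passphrase(words, n_words=3, prefix_bytes=1):
    """Build a passphrase of the form 'hh-word-word-word'.

    The prefix is prefix_bytes random bytes rendered as hex (two characters
    per byte) and each word is an independent, uniform draw from `words`.
    Both come from the `secrets` module, so the choices are made by a
    cryptographic RNG rather than by the user.
    """
    prefix = secrets.token_hex(prefix_bytes)
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return "-".join([prefix] + chosen)


def entropy_bits(wordlist_size, n_words=3, prefix_bytes=1):
    """Entropy in bits of a passphrase generated by generate_passphrase().

    Each independent uniform choice contributes log2(number of possible
    values): 8 bits per random prefix byte and log2(wordlist_size) per word.
    This only holds when the generator made the choices; a human picking
    words of the same shape gets far less.
    """
    return 8 * prefix_bytes + n_words * math.log2(wordlist_size)


def years_to_search_half(bits, guesses_per_second):
    """Expected time for an online guessing attack to cover half the space.

    Half of a 2**bits space is 2**(bits - 1) guesses; divide by the assumed
    guess rate and by the seconds in a Julian year (365.25 days).
    """
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def is_well_formed(passphrase, n_words=3, prefix_bytes=1):
    """Check the 'hh-word-word-word' shape (lowercase hex prefix, then words)."""
    pattern = r"[0-9a-f]{%d}(-[a-z]+){%d}" % (2 * prefix_bytes, n_words)
    return re.fullmatch(pattern, passphrase) is not None


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    # How much the word-list size matters, at the 1000 guesses/second rate
    # quoted in the thread as an implausibly generous sshd configuration.
    for size in (len(SAMPLE_WORDS), 2048, 7776):
        bits = entropy_bits(size)
        years = years_to_search_half(bits, 1000)
        print(f"{size:5d}-word list: {bits:5.1f} bits, "
              f"{years:12.1f} years to search half at 1000/s")
```

The rate argument is where the defender's assumptions live: an offline attack against a leaked hash runs orders of magnitude faster than 1000 guesses per second, so the same function with a realistic offline rate shows why the hash function and the password's exposure elsewhere matter as much as its entropy.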