An Ars Technica article entitled "Pavlovian password management" aims to change sloppy habits. The proposed policy would reward or penalize people based on the passwords they pick.
For more than a decade, the virtues of strong passwords have been lost on most end users, despite frequent sermons from security experts and IT administrators over their importance in locking down accounts. Now, a consultant is proposing a system that provides rewards or penalties based on the passcode choices people make. For instance, a user who picks test123@# might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen t3st123@##$x, the system wouldn't require a change for three months.
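To make the crack-time-based rotation rule concrete, here is a small estimator added for this page. It is not the calculation James or Deloitte used and it will not reproduce the 4.5-day figure above: the offline guess rate (`RATE`), the character-class sizes, and the rotation policy (two-thirds of the expected exhaustive-search time, clamped to 1..90 days) are all assumptions of this example.

```python
import math
import string

# Character classes an exhaustive search is assumed to cover; the sizes are a
# modelling assumption (string.punctuation has 32 characters).
CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive search must cover: the sum of the sizes of
    every character class present, plus one per character outside all classes."""
    size = 0
    for _name, chars in CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    others = {c for c in password if not any(c in chars for _n, chars in CLASSES)}
    return size + len(others)


def keyspace(password: str) -> int:
    """Number of candidates in a full search over charset_size ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate in bits (0 for an empty string)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected time for an offline exhaustive search at the given rate; on
    average the password is found halfway through the keyspace.  This is an
    upper bound only: dictionary, rule and mask attacks recover human-chosen
    strings such as test123@# far sooner than the keyspace suggests."""
    return keyspace(password) / 2 / guesses_per_second


def rotation_days(password: str, guesses_per_second: float,
                  margin: float = 2 / 3, min_days: int = 1, max_days: int = 90) -> int:
    """Assumed policy (not the article's rule): require a change at a fraction
    `margin` of the expected crack time, clamped to [min_days, max_days]."""
    days = expected_crack_seconds(password, guesses_per_second) / 86400
    return int(min(max_days, max(min_days, math.floor(days * margin))))


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate (guesses/s); tune to your threat model
    for pw in ("7777777", "test123@#", "t3st123@##$x"):
        print(f"{pw:14s} alphabet={charset_size(pw):3d} bits={entropy_bits(pw):5.1f} "
              f"crack~{expected_crack_seconds(pw, RATE) / 86400:12.1f} d  "
              f"rotate in {rotation_days(pw, RATE)} d")
```

The rotation interval is only as good as the guess-rate assumption and the keyspace model; in practice a policy like this should be backed by a blocklist and a dictionary-based strength check, since a password built from a common word plus a suffix sits near the front of a real attacker's candidate list regardless of its nominal keyspace.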
(Score: 2, Interesting) by genkernel on Tuesday May 06 2014, @12:57AM
First of all, I hate security questions; they are just extra passwords that can be guessed by my friends. I really wish that my phone number, social security number, and date of birth weren't treated as some sort of secret key, because they aren't one very important thing: secret.
The users need to be able to secure their computers; that means either authentication with some physical token, or it means decent passwords, and IT has every right to blame the user when their passwords are as clever as "7777777". Similarly, regular changes *do* help security. At the very, very least, when users have to pick 8 passwords, they will start incrementing the last number in their block of 7s and break out of the top 100 most common list.
That said, there are some terrible rules that some IT administrations can create that do negatively impact password security, and there is definitely no simple and nice way to force password quality to be anything better than abysmal. However, forcing changes (at reasonable intervals) and imposing restrictions on password content (i.e., must be at least six characters) are not fundamentally wrong on any level.
(Score: 2) by frojack on Tuesday May 06 2014, @01:16AM
Security questions need not be guessable by your friends; that was simply a trivial example.
Second, they aren't supposed to be common knowledge. Exactly how many people are going to know the name of your kid sister's imaginary friend from when she was 7?
Then, I never said that regular changes don't help, I said they were counter-productive. They help IT look like they are being secure and proactive, while they force the users to write things down. The system as a whole is less secure, but gee, those IT boys are serious about security.
And finally, you throw in the red herring about seven 7's, when just about any password system will not let you get by with that. But put one letter anywhere in that string and its strength goes up by a huge factor.
No, you are mistaken. I've always had this sig.