[clug] Re: linux Digest, Vol 78, Issue 53

Daniel Pittman daniel at rimspace.net
Sat Jun 20 06:30:26 GMT 2009


Paul Matthews <plm at netspace.net.au> writes:

>>>> Heck, recently a group of very, very technical people I was around had a
>>>> discussion about a password system that required a password change every
>>>> week, no reuse for 128 passwords[1], minimum length above 20 characters,
>>>> characters from all the standard classes[2], no dictionary words, and no
>>>> more than three characters in sequence from any one class.
>>>>
>>>> Which was *still* vulnerable to a fairly trivial "rotate the number"
>>>> guessable sequence of passwords, and which still left plenty of other
>>>> risks.
>>>
>>> I'd have to hunt a bit to re-dig it up. But some researchers in the UK
>>> did a study on password lengths/time to change them and so on. Was a few
>>> years ago now. ~ 2000-2005 time frame.
>
> The password restrictions above are simply ludicrous.

Yes, they are indeed.  My point was, in fact, that despite the ludicrous
lengths the ... people responsible[1] for this went to, they still missed a
bunch of common "use the same password again and again" paths.

Regards,
        Daniel

Footnotes: 
[1]  I should perhaps clarify that the folks I know were the victims ^W end
     users in this case, not the architects of these schemes.  Those same
     architects also specified that all computers in the office must connect
     through a Cisco VoIP phone, so now the server room has a pile of Cisco
     phones sitting next to the patch panel.  (No, stop laughing, this is
     real. ;)
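As an added illustration (not part of the thread), here is the quoted rule set expressed as a checker, beside the one check the policy lacked: a similarity test against the previous password that catches the "rotate the number" sequence. The word list and both passwords are constructed.

```python
import difflib
import re
import string

# Rule set as described in the thread; the dictionary is a constructed stand-in.
MIN_LENGTH = 21           # "minimum length above 20 characters"
MAX_CLASS_RUN = 3         # "no more than three characters in sequence from any one class"
HISTORY_DEPTH = 128       # "no reuse for 128 passwords"
DICTIONARY = {"password", "secret", "linux", "summer"}
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def char_class(c):
    return next((name for name, chars in CLASSES.items() if c in chars), "other")

def meets_policy(candidate, history=()):
    """Complexity rules from the thread plus exact-match history; True means accepted."""
    if len(candidate) < MIN_LENGTH:
        return False
    if not set(CLASSES) <= {char_class(c) for c in candidate}:
        return False
    run = 1
    for prev, cur in zip(candidate, candidate[1:]):
        run = run + 1 if char_class(prev) == char_class(cur) else 1
        if run > MAX_CLASS_RUN:
            return False
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        return False
    return candidate not in tuple(history)[-HISTORY_DEPTH:]

def too_similar(candidate, previous, threshold=0.8):
    """Mitigation the policy lacks: reject a candidate whose skeleton (digits removed,
    case folded) equals the previous password's, or that is nearly identical overall."""
    skeleton = lambda s: re.sub(r"\d", "", s).lower()
    if skeleton(candidate) == skeleton(previous):
        return True
    return difflib.SequenceMatcher(None, candidate, previous).ratio() >= threshold

# Constructed pair: NEW is OLD with every digit bumped by one. Both satisfy
# meets_policy(); only too_similar() notices they are the same password.
OLD = "Kx7!pQ2#mZ9$vB4%tL1&wN5*"
NEW = "Kx8!pQ3#mZ0$vB5%tL2&wN6*"
```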


