I guess I came too late to the party. I read "Off The Grid" and wondered how long it would be before really well-informed people poked holes in the whole idea. To me, it looks like it'll do a better job of creating passwords than most of the user population (who might find it to be too complicated). The rest will have to be handled by the system administrator with a defense strategy that consists of a mile-wide moat filled with alligators, rocks and burning faeces. Intruders tend to shy away from that level of stinkiness. Now that I have contributed, I can go back to reading about Single Packet Authorization (SPA).<div>
<div><br><br><div class="gmail_quote">On Sun, Sep 4, 2011 at 8:56 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Sun, 2011-09-04 at 19:49 -0500, Pat Regan wrote:<br>
> On Sat, 03 Sep 2011 20:06:56 -0400<br>
> "Michael H. Warfield" <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br>
><br>
> > The forced changes provide no benefit and yet add that little tiny<br>
> > extra opportunity of additional threat. And, yes, there are password<br>
> > sniffers that will fire on password changes so they follow your<br>
> > changes as you make them. Factor it in how you will.<br>
<br>
> A company I used to work for about a decade ago had a 60 or 90 day<br>
> schedule on their forced password changes. The requirements for the<br>
> passwords weren't very strict, either.<br>
<br>
> Most of the customer service people ended up teaching each other the<br>
> same password scheme of current month+year (jan99, for example). Since<br>
> those passwords were good for 60 or 90 days, you could walk out on that<br>
> call center floor and guess almost anyone's password in 2 or 3 tries.<br>
<br>
</div>In my talks on this, I try to dance around it a little bit without being<br>
as blatant as that, but you are absolutely correct. Forced expiration<br>
and password changes invariably force most users into predictable<br>
patterns which are of no benefit and often just the opposite.<br>
<br>
The other effect, when password strength/complexity checkers are not<br>
enforced, is the "jumping in front of the bus effect". Small but real,<br>
it's the case where a user is forced to change his password and he<br>
changes it to one that the attackers are using to guess... Powned...<br>
<br>
> Pat<br>
<div><div></div><div class="h5"><br>
Regards,<br>
Mike<br>
--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
</div></div><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br></div></div>