Lew Wolfgang wrote:
> Linda Walsh wrote:
>> Jeremy Leonard wrote:
>>> I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
>> Wow....what's this for? Sounds like it would be a royal pain in the posterior....
> <snip>
> Not only is this a PITA, it gives you less overall security. People can't memorize the passwords, so they have to write them down, and usually leave them in the vicinity of their monitor. If they don't write them down they use keyboard patterns rather than words/phrases. This makes it easier for a password cracker, just test for a fairly small subset of patterns.
>
> The knuckleheads that come up with these requirements mean well, they just didn't do their homework. They can increase password entropy more by increasing length, rather than width. Just count the bits. Width requirements would make sense in the old days when passwords were limited to eight characters.
Agreed, to a point. A long password that is memorable to the user is probably more effective than a short password that they cannot memorise. (Credit card PIN numbers are a classic example of the latter.)

The main issue with passwords is that the major vulnerability is the people who have the passwords. I remember a survey which showed that up to a third of office workers would give their password in exchange for a bar of chocolate. I also had an acquaintance in a telecoms organisation that required each individual piece of kit to have a unique security code; faced with having to memorise 200+ security codes, the engineers put post-it stickers on all the relevant kit. (As this was in highly secured buildings this was less of an issue, but if the intent was to ensure that only people with a certain clearance could access particular kit, a zoning scheme may have been more sensible.)

As for biometrics, except for the most sophisticated (and expensive) fingerprint scanners, fingerprint scanning is easily subverted (someone lifted the fingerprint of a senior EU official and demonstrated it could be used fairly recently). Retinal scanners maybe... depending on whether a serious case of red-eye for one reason or another can be handled... Voice recognition not really on its own... In combination these would probably be very effective (though the vision of people holding a laptop to their eyeball while pressing their thumbs to the mouse pad and shouting at the machine might raise a few eyebrows.... :-) ... oh hang on a minute... )

I think this is the point at which we have wandered OT a fair bit and should move the thread elsewhere ...

-- 
==============================================================================
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==============================================================================
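Lew Wolfgang's "just count the bits" remark can be made concrete. The following is an added example, not code from anyone in the thread: it counts the exact number of passwords that satisfy a "2 upper, 2 lower, 2 digit, 2 special" policy at a given length and compares the bit count with an unrestricted alphabet and with a longer lowercase-only password. It assumes 95 printable ASCII characters split into 26/26/10/33 classes and that every compliant password is equally likely (the most favourable assumption for the policy).

```python
from itertools import product
from math import factorial, log2

# Constructed assumption: printable ASCII (95 chars) split into four classes.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def multinomial(counts):
    """Number of orderings of a multiset with the given per-class counts."""
    result = factorial(sum(counts))
    for c in counts:
        result //= factorial(c)
    return result


def policy_keyspace(length, min_per_class=2, classes=CLASSES):
    """Exact number of strings of `length` containing at least
    `min_per_class` characters from every class in `classes`.

    Sum over class-count vectors (a, b, c, d), every entry >= min and
    a+b+c+d == length, of multinomial(length; a,b,c,d) * prod(size**count).
    """
    sizes = list(classes.values())
    k = len(sizes)
    free = length - k * min_per_class  # characters not pinned by the policy
    if free < 0:
        return 0
    total = 0
    for extra in product(range(free + 1), repeat=k):
        if sum(extra) != free:
            continue
        counts = [min_per_class + e for e in extra]
        ways = multinomial(counts)
        for size, c in zip(sizes, counts):
            ways *= size ** c
        total += ways
    return total


def unrestricted_keyspace(length, alphabet=95):
    """Keyspace when any character may appear in any position."""
    return alphabet ** length


def bits(keyspace):
    """Entropy in bits, assuming a uniform choice from the keyspace."""
    return log2(keyspace)


if __name__ == "__main__":
    print(f"8 chars, 2+2+2+2 policy : {bits(policy_keyspace(8)):.1f} bits")
    print(f"8 chars, any printable  : {bits(unrestricted_keyspace(8)):.1f} bits")
    print(f"12 chars, lowercase only: {bits(unrestricted_keyspace(12, 26)):.1f} bits")
```

Forcing two characters from each class leaves only the (2,2,2,2) composition at length 8, so the compliant keyspace is a small fraction of 95^8, and twelve lowercase letters already carry more bits than the policy-compliant eight.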