On Fri, 2013-12-20 at 03:46 +1030, Tim wrote:
> Allegedly, on or about 18 December 2013, Rick Stevens sent:
> > 3. Make sure you enforce complex passwords and require them to be
> > rotated at least every 90 days.
>
> I take issue with the continually changing passwords idea.

I agree with you on this one. There was a white paper I read (wish I still had the link to it) where they demonstrated that some security measures are actually more expensive than dealing with a break-in. The basic theory was a small-to-medium cost, when incurred by thousands of users, is higher than the high cost of dealing with the average compromise. I think changing passwords is up there on that list.

It's a huge hassle (we're required to do this at work), and several thousand users have to go through it every six months. I don't think that is a good use of security resources.

But the security people will argue that bad guys can get a hold of a password and not use it for months, which increases their odds of evading detection. Or they get encrypted passwords and decrypt them offline, using computing resources they've stolen from others (PCs in botnets, etc.). So it may take a long time to guess your 15-character password this way, but they've got forever if you never change your password. So it's hard to come up with numbers to back up my belief.

That said, I also think it is very risky to use the same password at multiple locations, even if it is an easy-to-remember but hard-to-guess password. The reason is that if any one of those locations is compromised, the bad guys now have access to your accounts at all these other places that have *not* been hacked. It is very important to use different passwords at every place you do business. Yes, that means you have to "write them down", so you write them down in a secure way, by using a password safe (I like Keepassx on Linux, it's packaged in Fedora, and there are versions of Keepass for Windows, MacOS, Android and iOS as well).

The safe is strongly encrypted, so you can store it on insecure but easy-to-access locations like Dropbox (even so, I do not keep my banking password in Keepass/Dropbox, that is one of the very few that is stored nowhere but in my head). This allows me to use a password like "K8_jBh6ewq,5" (no, silly people, that is NOT any of my actual passwords :-)

Then there is one critical password that you have to memorize, which is the one to open the Keepass safe. My wife and I store our Keepass passwords in each other's safe, to guard against somehow forgetting it. That password is never used except on our own personal machines (I would argue that if someone has compromised your personal machine, the game is already over; there are many ways they can use that to get access to your accounts).

> You really need something that detects attempts to crack passwords

Very few passwords are actually cracked by brute force on your machine. They are almost always obtained by compromising a server where (hopefully encrypted) passwords are stored, and then brute force cracking them offline, where you could not detect the attempt. Or just use the access to the server to capture the passwords used on that server (also undetectable by the end user).

Another common attack lately is to use stolen certs to run a man-in-the-middle against https sessions (the security of many of the certificate authorities is atrocious, there have been many well-publicized compromises).

So if you're like me and access hundreds of password-protected web sites, you want to use a different password for every one of them.

--Greg

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
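The point Greg makes about one site's breach exposing every other account that shares the password can be checked mechanically against a password-safe export. The script below is an added example, not part of the original post and not KeePass/KeePassX code: it assumes a CSV export with the columns `title,url,username,password` (the sample rows are constructed here inline; a real KeePassX export may use different column names, so adjust `DictReader` keys accordingly). Passwords are grouped by a truncated SHA-256 digest so the report never prints the secrets themselves, and `exposure_if_one_leaks` reports, for each entry, how many other accounts fall if that one site's database is dumped.

```python
"""Audit a password-safe CSV export for password reuse across sites.

Added example (not from the mailing-list post or from KeePassX).
Assumed export layout: title,url,username,password.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export: fake sites, fake usernames, fake passwords.
# "correcthorse" is deliberately reused on three entries to trigger findings.
SAMPLE_EXPORT = """title,url,username,password
Shop A,https://shop-a.example,greg,"K8_jBh6ewq,5"
Forum B,https://forum-b.example,greg,correcthorse
Bank C,https://bank-c.example,greg,"Zq!9v#Lm2pR_t7"
Mail D,https://mail-d.example,greg,correcthorse
Wiki E,https://wiki-e.example,greg_w,correcthorse
"""


def fingerprint(secret: str) -> str:
    """Short digest used to group identical passwords without keeping them around."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def _group_by_password(export_text: str) -> dict:
    """Map password fingerprint -> list of entry titles using that password."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        groups[fingerprint(row["password"])].append(row["title"])
    return groups


def find_reuse(export_text: str) -> list:
    """Return sorted groups of entry titles that share one password (2+ members only)."""
    groups = _group_by_password(export_text)
    return sorted(sorted(titles) for titles in groups.values() if len(titles) > 1)


def exposure_if_one_leaks(export_text: str) -> dict:
    """For each entry title, the number of *other* accounts that share its password.

    0 means a breach of that site exposes nothing else; anything higher is the
    blast radius of a credential-stuffing attempt against the other sites.
    """
    groups = _group_by_password(export_text)
    return {title: len(titles) - 1 for titles in groups.values() for title in titles}


def report(export_text: str) -> list:
    """Human-readable findings, one line per reused-password group."""
    lines = []
    for titles in find_reuse(export_text):
        lines.append(
            f"password shared by {len(titles)} entries: {', '.join(titles)} "
            f"(fingerprint {fingerprint_for_group(export_text, titles)})"
        )
    return lines


def fingerprint_for_group(export_text: str, titles: list) -> str:
    """Look up the digest of the password shared by the given titles."""
    for fp, members in _group_by_password(export_text).items():
        if sorted(members) == sorted(titles):
            return fp
    return "unknown"


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT) or ["no reused passwords found"]:
        print(line)
    for title, others in sorted(exposure_if_one_leaks(SAMPLE_EXPORT).items()):
        print(f"{title}: a breach there also exposes {others} other account(s)")
```

Running it against the constructed export flags `Forum B`, `Mail D` and `Wiki E` as one group and shows that a breach of any of the three exposes two further accounts, while `Shop A` and `Bank C` stand alone. Pointing `DictReader` at a real export and keeping the output to fingerprints is the whole idea: the audit tells you which entries to rotate without ever writing plaintext passwords to a terminal or log.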