Re: Fedora change that will probably affect RHEL

On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml@xxxxxxxxxxx> wrote:
> Just because one particular method of prophylaxis fails to protect against all threats doesn’t mean we should stop using it, or increase its strength.

Actually it does. There is no more obvious head butting than with
strong passwords vs usability. Strong login passwords and usability
are diametrically opposed.

The rate of brute force attack success is exceeding that of human
ability (and interest) to remember ever longer more complex passwords.
I just fired my ISP because of the asininity of setting a 180-day
compulsory expiration on passwords.

Now I use Google. They offer MFA opt in. And now I'm more secure than
I was with the myopic ISP.

Apple and Microsoft (and likely others) have been working to deprecate
login passwords for years - obviously they're not ready to flip the
switch over yet, it isn't an easy problem to solve, but part of why
they haven't had more urgency is because they are doing a lot of work
on peripheral defenses that obviate, to pretty good degree, the need
for strong passwords, relegating the login password to something like
"big sky theory" - it's safe enough to tolerate very weak passwords
in most use cases. The highest risk, by a lot, is from a family
member.

I'm not arguing directly against strong passwords as much as I'm
arguing against already unacceptable usability problems resulting from
stronger password policies, because it doesn't scale. Making policies
opt out let alone compulsory is unacceptable. Even as the policies
get stronger people's trust in password efficacy relating to security
continues to diminish.


-- 
Chris Murphy
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos