Re: FESCO request to revert password confirmation change in F22

On 08.03.2015 at 17:24, Nico Kadel-Garcia wrote:
There's also a counterproductive effect. Passwords that are enforced,
by policy, to be nonsensical gibberish tend to be written down,
because no one can remember them. And because no one can remember
them, they're written down in easily accessed locations. The classic
storage is the Post-it note on the secretary's desk, but I see a lot
of people who should know better writing them into source control
systems that everyone in the company can read

correct

not so problematic in case of a policy rejecting "insecure" passwords *but* the real problem is security auditors claiming you have to disable the option to store a password in your browser for web-applications

yes, if someone can access that password store you have a problem but given you have a master-password configured the access to the whole firefox profile is pointless

if you are forced to note it somewhere it's likely a more dangerous place, if someone combines that policy with "you have to change your password every month" he is a fool with a theoretic view not aware of what damage he does


as an example my passwords are 26 chars long, the generator is self written even using openssl random stuff and if some idiot forbids me to store those *impossible to remember* passwords and enforces changing them all the time he gains nothing but problems

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
