On 2/15/2007 7:59 PM, Don Leahy wrote:
It is pretty obvious that weak passwords greatly increase the likelihood that a brute force attack will work.

However, since most (all?) systems revoke userids after a very small number of unsuccessful password attempts, the issue of strong vs weak passwords is totally irrelevant to your end users, so why burden them with strict password policies? Even a weak password will stand up to a brute force attack if the userid is revoked after 3 failures.

Protecting the password database from theft is the security administrator's job, not the end user's. It doesn't matter how strong the safe or how complex the combination, if the thief can tuck it under his arm and take it home with him to work on at his leisure.

Good points. Note, however, that there's a difference between requiring mixed-case passwords and having overly strict password rules. A rule requiring 8-character passwords, with at least one upper case alpha, one lower case alpha, and one numeric is not overly strict, and can be met easily by the users.

        Walt Farrell, CISSP
        z/OS Security Design, IBM

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
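An added example (my own, not code from either poster or from IBM) that models the two attack paths this exchange contrasts: online guessing through a login interface that revokes the userid after three failures, and offline guessing against a copied hash store, where nothing stops the attacker but the size of the password space. It also implements the rule in the reply (at least 8 characters with an upper-case letter, a lower-case letter and a digit). The userid "don", the 4-digit password, the three-strike threshold and the use of plain SHA-256 for the stored hash are all constructed for the demo; a real password store would use a salted, deliberately slow hash.

```python
import hashlib
import itertools
import string

LOCKOUT_THRESHOLD = 3  # revoke the userid after this many consecutive failures (assumed value)


def hash_password(password):
    # Plain SHA-256 so the demo runs instantly; this is an assumption of the
    # example only, a real store would use a salted, deliberately slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class AccountStore:
    """Toy authenticator: verifies a guess and revokes the userid on repeated failure."""

    def __init__(self, users):
        self.hashes = {u: hash_password(p) for u, p in users.items()}
        self.failures = {u: 0 for u in users}
        self.revoked = set()

    def login(self, user, guess):
        if user in self.revoked:
            return "locked"
        if self.hashes[user] == hash_password(guess):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.revoked.add(user)
            return "locked"
        return "fail"


def online_brute_force(store, user, alphabet, length):
    """Guess through the login interface. Returns (password or None, attempts made)."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        attempts += 1
        result = store.login(user, candidate)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            # Lockout ends the attack after a handful of guesses; note that the
            # legitimate user is now locked out as well.
            return None, attempts
    return None, attempts


def offline_brute_force(stolen_hash, alphabet, length):
    """Guess against a copied hash: no lockout, bounded only by the keyspace."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        attempts += 1
        if hash_password(candidate) == stolen_hash:
            return candidate, attempts
    return None, attempts


def meets_policy(password):
    """The rule from the reply: 8+ characters with an upper, a lower and a digit."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def keyspace(alphabet_size, length):
    """Worst-case number of offline guesses for a fixed-length password."""
    return alphabet_size ** length


if __name__ == "__main__":
    store = AccountStore({"don": "7391"})  # constructed weak 4-digit password
    print("online :", online_brute_force(store, "don", string.digits, 4))
    stolen = store.hashes["don"]           # the safe "tucked under his arm"
    print("offline:", offline_brute_force(stolen, string.digits, 4))
    print("policy :", meets_policy("7391"), meets_policy("Passw0rd"))
    print("keyspace, 4 digits vs 8 mixed-case+digit:",
          keyspace(10, 4), keyspace(len(string.ascii_letters + string.digits), 8))
```

Run stand-alone, the online attack stops at the third guess with the userid revoked, while the offline attack against the copied hash recovers the 4-digit password after 7392 guesses; the keyspace figures show what the 8-character mixed-case rule buys in that second scenario (62^8 candidates against 10^4).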
