john_matt...@ea.epson.com (John Mattson) writes:
> Back to basics: My pet peeve(s) (serious security concerns) are:
> 1) sites which do not allow use of the full set of special characters. My
> banks, Google and Facebook do, so it is not that hard. The more
> possibilities for each character, the more secure the password.
> 2) sites which limit length of userid and/or password. That's just plain
> dumb.
re:
http://www.garlic.com/~lynn/2012j.html#47 Yahoo Password Breach: 7 Lessons Learned - Security - Attacks/breaches - Informationweek
http://www.garlic.com/~lynn/2012j.html#53 Yahoo Password Breach: 7 Lessons Learned - Security - Attacks/breaches - Informationweek

somebody in POK sent me a copy of Corporate Directive on Passwords late Friday and I redistributed. Over the weekend, somebody printed it on a 6670 (ibm copier3 with computer interface) on corporate letterhead paper and placed it on all the building corporate bulletin boards. Monday morning numerous people were caught ... even though the date is clearly sunday and no "real" corporate directives are dated sunday. Corporate password rules from long ago and far away
http://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM.
http://www.garlic.com/~lynn/2001d.html#53 April Fools Day

static, shared secrets were somewhat acceptable for authentication 40yrs ago when a person only had a few. corporate rules were put in place to create impossible to guess (therefore impossible to remember) shared secrets for authentication (with frequent changes) ... as if it was the only authentication the person has to deal with. With the proliferation of the static, shared-secret paradigm as authentication mechanism (pins, passwords, etc) ... it isn't uncommon for an individual to have large scores or hundreds (of impossible to remember values). Furthermore, "safe" security practices require a unique shared secret for every unique security domain (as countermeasure to cross-domain attacks). misc. past posts discussing static shared-secret authentication
http://www.garlic.com/~lynn/subintegrity.html#secrets

misc. past posts discussing internet/network based authentication using non-static data (countermeasure to harvesting and replay attacks) for kerberos
http://www.garlic.com/~lynn/subpubkey.html#kerberos
similar discussions for radius
http://www.garlic.com/~lynn/subpubkey.html#radius
...
aka simple registration of public key in lieu of password ... w/o the enormous complexity and points of failure introduced by digital certificates and PKIs ... misc. past posts discussing non-certificate based public key authentication
http://www.garlic.com/~lynn/subpubkey.html#certless

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
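The certificate-less scheme sketched above (a public key registered in lieu of a password, then authentication with non-static data so a harvested exchange cannot be replayed), as an added illustration that is not part of the original post or of any of the linked pages. The server stores only the user's Ed25519 public key at registration; each login issues a fresh random nonce, the client signs it, and the server verifies the signature against the registered key and discards the nonce whether or not the check passes. The user name "alice", the "auth-v1" context string and the in-memory maps are assumptions made for the example; there is no certificate or CA anywhere in the exchange.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Server holds the registered public keys (no passwords, no certificates)
// and one outstanding single-use challenge per user. Both maps are
// example state assumed for this illustration.
type Server struct {
	mu         sync.Mutex
	keys       map[string]ed25519.PublicKey // userid -> registered public key
	challenges map[string][]byte            // userid -> outstanding nonce
}

func NewServer() *Server {
	return &Server{
		keys:       make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register stores the user's public key in lieu of a password. Nothing secret
// is stored server-side, so a breach of this table yields nothing to replay.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has wrong length")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, dup := s.keys[user]; dup {
		return errors.New("user already registered")
	}
	s.keys[user] = pub
	return nil
}

// Challenge issues a fresh 32-byte random nonce. Any previously outstanding
// nonce for the user is superseded, so a stale response cannot be used.
func (s *Server) Challenge(user string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// signedMessage binds the signature to a purpose and a user so a response
// harvested from one context cannot be presented in another ("auth-v1" is an
// assumed context label for this example).
func signedMessage(user string, nonce []byte) []byte {
	return append([]byte("auth-v1:"+user+":"), nonce...)
}

// Authenticate verifies the signature over the outstanding nonce. The nonce is
// consumed before the signature check, so a captured response is single-use.
func (s *Server) Authenticate(user string, nonce, sig []byte) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	want, ok := s.challenges[user]
	if !ok || !bytes.Equal(want, nonce) {
		return false
	}
	delete(s.challenges, user) // consumed regardless of outcome
	return ed25519.Verify(pub, signedMessage(user, nonce), sig)
}

// Respond is the client side: sign the server's nonce with the private key
// that never leaves the client.
func Respond(priv ed25519.PrivateKey, user string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(user, nonce))
}

// Demo runs one registration, one successful login and one replay of the same
// captured response; it returns (firstOK, replayOK, err).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		return false, false, err
	}
	s := NewServer()
	if err := s.Register("alice", pub); err != nil {
		return false, false, err
	}
	nonce, err := s.Challenge("alice")
	if err != nil {
		return false, false, err
	}
	sig := Respond(priv, "alice", nonce)
	first := s.Authenticate("alice", nonce, sig)
	replay := s.Authenticate("alice", nonce, sig) // harvested exchange replayed
	return first, replay, nil
}

func main() {
	first, replay, err := Demo()
	fmt.Printf("first login ok=%v, replay ok=%v, err=%v\n", first, replay, err)
}
```

Because every challenge is random and consumed on use, a harvested (nonce, signature) pair is worthless a second time, and because the server never holds the private key, nothing in its database is a reusable shared secret. One key pair per security domain still makes sense here for unlinkability, but the cross-domain harvesting risk that motivates unique passwords per site does not apply: the registered value is public.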