Yes, my comment was too brief and lacked context. I should have made clear that I was only speaking to the relative states of insider vs. outsider threat.
My bad.

Kurt

On Thu, Mar 15, 2012 at 21:35, Steven M. Caesare <scaes...@caesare.com> wrote:
> Given your almost complete lack of context with your link, it’s hard to
> tell _WHAT_ you were suggesting… other than disagreeing with Doug’s
> assessment, which was speaking to…. (ta-da!).. passwords on sticky notes.
>
> -sc
>
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, March 16, 2012 12:13 AM
> To: NT System Admin Issues
> Subject: Re: Worth some consideration...
>
> Don't be obtuse. I made no recommendation with my statement.
>
> If you're looking for options, I recommend fully formed but easy to type
> sentences of at least 20 characters. If they must be written down, advise
> your clients to keep them in their wallets.
>
> Kurt
>
> On Thu, Mar 15, 2012 at 16:51, Mack Bolan <mack.bola...@gmail.com> wrote:
>
> So that makes sticky notes ok?
>
> Mack S. Bolan
>
> On Thu, Mar 15, 2012 at 5:43 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
> Perhaps you might want to rethink your threat model:
>
> http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232601717/new-verizon-breach-data-shows-outside-threat-dominated-2011.html
>
> On Thu, Mar 15, 2012 at 13:50, Doug Hampshire <dhampsh...@gmail.com>
> wrote:
>
> Are you sure about that? The vast majority of security incidents happen on
> the inside of your network from known individuals. Also it was addressing
> offline brute force attacks. Most online systems have lockout policies and
> other countermeasures to limit exposure to brute force attacks.
>
> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <crawfo...@evangel.edu>
> wrote:
>
> I'd rather have "good" passwords written down on a sticky note accessible
> only to a limited number of coworkers than "bad" passwords that can be
> exploited by any black-hat on the internet.
>
> Sent from my Windows Phone
>
> ________________________________
>
> From: Heaton, Joseph@DFG
> Sent: 3/15/2012 11:07 AM
> To: NT System Admin Issues
> Subject: RE: Worth some consideration...
>
> Wait… I’m NOT supposed to write my password on a sticky note? How am I
> supposed to let my coworker use my login, then?
>
> Joe Heaton
>
> ITB – Windows Server Support
>
> From: Andrew S. Baker [mailto:asbz...@gmail.com]
> Sent: Thursday, March 15, 2012 7:49 AM
> To: Heaton, Joseph@DFG; NT System Admin Issues
> Subject: Re: Worth some consideration...
>
> That's an implementation problem.
>
> If I choose a passphrase of "Mary had a little lamb" then of course that
> will be relatively weak as passphrases go. That is not an inherent
> weakness of passphrases, but of people.
>
> Lots of things are undermined by poor choices. Completely random 20
> character passwords with a Unicode character set are undermined by having
> them posted on sticky notes.
>
> We didn't need a whole article to point that out.
>
> ASB
>
> http://XeeMe.com/AndrewBaker
>
> Harnessing the Advantages of Technology for the SMB market…
>
> On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>
> By Dan Goodin
> Ars Technica
> March 14, 2012
>
> Passwords that contain multiple words aren't as resistant as some
> researchers expected to certain types of cracking attacks, mainly
> because users frequently pick phrases that occur regularly in everyday
> speech, a recently published paper concludes.
>
> Security managers have long regarded passphrases as an
> easy-to-remember way to pack dozens of characters into the string that
> must be entered to access online accounts or to unlock private
> encryption keys. The more characters, the thinking goes, the harder it
> is for attackers to guess or otherwise crack the code, since there are
> orders of magnitude more possible combinations.
>
> But a pair of computer scientists from Cambridge University has found
> that a significant percentage of passphrases used in a real-world
> scenario were easy to guess. Using a dictionary containing 20,656
> phrases of movie titles, sports team names, and other proper nouns,
> they were able to find about 8,000 passphrases chosen by users of
> Amazon's now-defunct PayPhrase system. That's an estimated 1.13
> percent of the available accounts. The promise of passphrases'
> increased entropy, it seems, was undone by many users' tendency to
> pick phrases that are staples of the everyday lexicon.
>
> "Our results suggest that users aren't able to choose phrases made of
> completely random words, but are influenced by the probability of a
> phrase occurring in natural language," researchers Joseph Bonneau and
> Ekaterina Shutova wrote in the paper (PDF), which is titled
> "Linguistic properties of multi-word passphrases." "Examining the
> surprisingly weak distribution of phrases in natural language, we can
> conclude that even 4-word phrases probably provide less than 30 bits
> of security which is insufficient against offline attack," the paper
> says.
>
> [...]
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
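Added example, not part of the thread or of the cited paper: a defender-side passphrase screen that combines the 20-character floor suggested in the thread with a common-phrase blocklist, and contrasts the guessing work of the article's 20,656-phrase dictionary with four uniformly random words. The phrase list, the word list and the 7,776-word generator size are constructed assumptions.

```python
import math
import re
import secrets

# Constructed sample data (not from the thread or the paper). A real
# deployment would load a large phrase blocklist and a large word list.
COMMON_PHRASES = {"mary had a little lamb", "the dark knight", "new york yankees"}
WORDLIST = ["anchor", "bishop", "cactus", "dynamo", "ember", "fjord", "goblet",
            "harbor", "icicle", "jigsaw", "kettle", "lantern", "magnet",
            "nickel", "orchid", "pebble"]
DICEWARE_SIZE = 7776  # assumed word-list size for a random generator


def normalize(passphrase):
    """Lower-case and keep single-spaced alphanumerics, so trivial variants
    (case, punctuation, extra spaces) of a known phrase still match."""
    return " ".join(re.findall(r"[a-z0-9]+", passphrase.lower()))


def screen(passphrase, blocklist=COMMON_PHRASES, min_chars=20):
    """Policy check: the 20-character floor suggested in the thread, plus a
    rejection of phrases an attacker's dictionary would already contain."""
    if len(passphrase) < min_chars:
        return "too short"
    if normalize(passphrase) in blocklist:
        return "common phrase"
    return "ok"


def uniform_bits(choices, picks=1):
    """Guessing work in bits when each pick is uniform over `choices`."""
    return picks * math.log2(choices)


def random_passphrase(words=WORDLIST, count=4):
    """Words drawn with a CSPRNG, so the uniform_bits estimate really applies."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(screen("Mary had a little lamb"))
    print(f"{uniform_bits(20656):.1f} bits to try the whole 20,656-phrase dictionary")
    print(f"{uniform_bits(DICEWARE_SIZE, 4):.1f} bits for 4 uniformly random words")
    print(random_passphrase())
```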