Kurt said that piece - I was trying to summarise the overall content of the 
thread to date - I wasn't trying to state you said everything. Specifically I 
wrote: I'm stating that the contentions being put forward by others...

To be honest, enterprise environments have lots of limitations and workarounds 
that you don't understand until you work in one. It can be really hard to 
implement what otherwise looks to be really simple or reasonable. And change 
works at a completely different pace.

For example core banking systems are a once-in-a-generation change. CBA 
recently completed one - I believe the cost was around half a billion dollars, 
and took four years. That type of investment is going to be around for many 
years (probably decades) to come, unless the bank merges or similar.

So, thinking back to the thread earlier about hotel door locks, and the 
requirements of designing systems or products today, for the requirements of 10 
years from now - it's really difficult. Or really expensive.

How long have >15 character passwords been in vogue? 3-4 years? When you're 
talking about investment on a decade+ scale, then sometimes it takes a while for 
everything to catch up. So, that's why banks have lots of other systems to 
detect fraud, break-ins, parallel authentication systems. As I asked before: if 
there was a 3-attempt lockout, then your money's probably safe. You might get 
locked out by a DoS, but it's unlikely that an attacker can get through even a 
4 or 6 character key space with that type of setting in place.

And to think: most debit and credit cards only have 4 character PINs - a much 
smaller key space. Do all your cards have smart cards embedded? If not, why 
aren't you worried about that more?

Cheers
Ken
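A worked model of the lockout argument above, added here as an example and not part of Ken's message: the upper bound on online guessing for 4-, 6- and 8-digit PINs under a 3-attempt lockout, plus a minimal per-account lockout counter that also shows the denial-of-service side effect he mentions (the owner's correct PIN is refused once the account is locked). The `LockoutPolicy` class, the account name and the sample PIN are constructed for this example.

```python
from fractions import Fraction
from hmac import compare_digest


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of a given length over an alphabet (10 for digit PINs)."""
    return alphabet_size ** length


def guess_success_bound(alphabet_size: int, length: int, max_attempts: int) -> Fraction:
    """Upper bound on the chance an online guesser hits one account's secret before
    lockout. Assumes the secret is uniformly random; real PINs are skewed towards
    common choices, so treat this as a best case for the defender, not a guarantee."""
    space = keyspace(alphabet_size, length)
    return Fraction(min(max_attempts, space), space)


class LockoutPolicy:
    """Per-account counter that locks after `threshold` consecutive failures."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, account: str, supplied: str, expected: str) -> str:
        if account in self.locked:
            return "locked"  # even the correct secret is refused once locked (the DoS case)
        if compare_digest(supplied.encode(), expected.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "denied"


def demo_lockout() -> list[str]:
    """Constructed scenario: three wrong guesses against one account, then the owner's real PIN."""
    policy = LockoutPolicy(threshold=3)
    real_pin = "4821"  # constructed sample value, not from the thread
    guesses = ["0000", "1234", "1111", real_pin]
    return [policy.attempt("alice", g, real_pin) for g in guesses]


if __name__ == "__main__":
    for length in (4, 6, 8):
        print(length, "digit PIN, 3-attempt lockout:", guess_success_bound(10, length, 3))
    print(demo_lockout())  # the last attempt is "locked" although the PIN was right
```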

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, 16 August 2012 1:19 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

I didn't call them idiots, even though you quoted that. Someone else may have, 
but you were responding to me. I find the patchwork method of securing bank 
systems to be poorly thought out and far too limiting to me as an end user.  I 
want and like having my password be of some size in excess of 15 characters, 
using numbers and special characters as I would like.  Is that such an 
unreasonable request?

On Wednesday, August 15, 2012, Ken Schaefer wrote:
I thought this was a serious conversation. But apparently it's not. Maybe it's 
time to go back to being indignant and carrying around pitchforks.

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 11:46 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

Because I'm an idiot.

On Wed, Aug 15, 2012 at 9:22 AM, Ken Schaefer <k...@adopenstatic.com> wrote:

I'm not saying that "banks are secure".

I'm stating that the contentions being put forward by others are not supported 
by evidence we have before us. Namely "my bank has password requirements less 
than what I have at work - they allow only 8 characters and don't allow 
Unicode. Therefore they are insecure and the people working on them are 
idiots". The latter conclusion is not supported by the prior statement - for 
reasons I am giving. But I am not stating that banks are secure.

Also, why do you think "admin" accounts only have 8 character passwords? Or 
that these are even exposed to external access?

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 11:06 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

Passwords are a part of security for everyone. It is likely that 
administrative access to that customer system is also limited to an 8 character 
password. So as a hacker, I don't go after an individual customer account, I 
go after the admin account. Woo hoo, I can now reset passwords on all the 
accounts for some period of time.

In any event, the argument you present against forcing complex passwords also 
stands true for frequent password changes, which is a technique banks also 
employ. Just because a bank has a measured and layered approach to security in 
other areas and they ignore the customer part of it (including education) 
doesn't mean that they are "secure."

On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer <k...@adopenstatic.com> wrote:

Personal customer passwords for online banking are only a very small part of 
the security systems a bank has. Just because passwords aren't as complex as 
you would like, it doesn't follow that banks are not secure.

Additionally, forcing overly complex passwords can also, sometimes, decrease 
security because people forget them more often, or write them down insecurely, 
or similar stuff.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
