On 2012-07-25 mouss wrote:
> On 24/07/2012 08:37, Stan Hoeppner wrote:
>> You'd think human beings would be smart enough to follow directions
>> and use strong passwords, AV software, etc, and not fall for phishing
>> scams. Your adversary in this war isn't the spammers, it's not the
>> technology, but your users.
> 
> oh come on! the "users" excuse is way too old. if your software accepts
> weak passwords, then the problem is with the software, not the user.

I'd have to disagree on this one. How do you measure strength or
weakness of a password?

Length? Is "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" strong?

Complexity? Is "Passw0rd" strong?

A combination of the above? Is "JosephAverage4/1/1999" strong?

Frequent password changes? Is "simplepassword##" strong? (## being a
sequential number)

How do you effectively protect your infrastructure against users or
(worse) customers writing their passwords on PostIts and leaving them
around? How do you effectively protect your infrastructure against
customers getting their own systems compromised?

If you happen to have a solution for this problem, I'm honestly
interested in learning about it, because I don't see any.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
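
Added illustration, not part of the original message: the four passwords quoted above run through a naive length rule and a naive complexity rule, next to a few pattern checks for repetition, leetspeak dictionary words, personal data and incremented counters. The wordlist, thresholds, user facts, the "07" counter and all function names are assumptions constructed for this example.

```python
import re

# Constructed for illustration: tiny wordlist and leetspeak map (assumptions).
COMMON = {"password", "simplepassword", "letmein", "qwerty"}
LEET = str.maketrans("0134@$", "oleaas")

def length_rule(pw, minimum=12):
    """Naive policy 1: long enough is 'strong'."""
    return len(pw) >= minimum

def complexity_rule(pw):
    """Naive policy 2: 8+ chars with lower, upper and digit is 'strong'."""
    return len(pw) >= 8 and all(re.search(p, pw) for p in ("[a-z]", "[A-Z]", r"\d"))

def weaknesses(pw, user_facts=(), previous=None):
    """Return the guessable patterns found in pw (empty list if none matched)."""
    found = []
    low = pw.lower()
    stem = low.rstrip("0123456789")          # drop a trailing counter
    if len(set(low)) <= 2:
        found.append("repeated-character")
    if stem.translate(LEET) in COMMON:       # undo 0->o, 3->e, ... then look up
        found.append("common-word")
    if any(fact.lower() in low for fact in user_facts):
        found.append("personal-info")
    if previous and stem and stem == previous.lower().rstrip("0123456789"):
        found.append("incremented-counter")
    return found

def audit():
    """Run the message's four examples through both kinds of check."""
    cases = [  # (password, known user facts, previous password), all constructed
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", (), None),
        ("Passw0rd", (), None),
        ("JosephAverage4/1/1999", ("Joseph", "Average", "4/1/1999"), None),
        ("simplepassword07", (), "simplepassword06"),   # "##" filled in as 07
    ]
    return {pw: {"length_ok": length_rule(pw), "complexity_ok": complexity_rule(pw),
                 "weaknesses": weaknesses(pw, facts, prev)}
            for pw, facts, prev in cases}

if __name__ == "__main__":
    for pw, result in audit().items():
        print(f"{pw!r}: {result}")
```

The personal-info and counter checks only fire when the system already holds the user's attributes and previous password in comparable form, which many deployments do not.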
