On Tue, 2009-11-24 at 14:23 -0700, AJ ONeal wrote:
> What requirements should be imposed on a user?

*If you want something done right, make it the easiest thing to do.* If you impose fascist password requirements, people will write them on a post-it note on their screen. If you require frequent changes, people will create a system to reuse variants of the same password.

*All security policy has to be evaluated in the context of reality, not theoretical perfection or blind copying of patterns.*

My pet peeve is locking the account after three failed attempts. Why three? Why not five? Will two more attempts really help an attacker? It will help reduce support calls!

Here's a thought experiment:

(1) You arrive at work groggy. It's early and you haven't had your coffee/coke/hot chocolate yet. You mistype your password.

(2) Annoyed, you try again, still groggy. Another mistake.

(3) You're fully awake and nervous. Last chance before you get locked out. Your hands are shaking, sweat is beading up on your forehead. Your finger slips and CURSES, LOCKED OUT AGAIN! Time to call support...

What if there'd been a (4)? You probably would have been awake by (3) but without the stress. Even if you messed up, you'd still have (4) and (5). If you can't log in after five attempts, you should probably be at home in bed anyway.

Result: Happier users, reduced support costs, still challenging for attackers, unicorns and rainbows all around.

-- 
"XML is like violence: if it doesn't solve your problem, you aren't using enough of it." - Chris Maden

--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
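The "three versus five" argument above can be checked with numbers. The Python below is an added example, not code from the message or from anyone on the list: it implements a small failed-login guard with a configurable threshold and lockout duration, replays the groggy-morning scenario against both thresholds, and bounds how many online guesses an attacker gets per day. The 30-minute lockout, the one-guess-per-second attacker and the 10^8 password space are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86400


@dataclass
class LockoutPolicy:
    max_failures: int      # failed attempts before the account locks
    lockout_seconds: int   # how long the lock lasts once triggered (assumed 30 min below)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed logins per user and enforces a LockoutPolicy.

    attempt() returns:
      "ok"     - password accepted, failure counter reset
      "failed" - password rejected, counter incremented (may trigger the lock)
      "locked" - attempt refused without checking the password
    """

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, now: float, password_ok: bool) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            # Threshold reached: lock the account and start a fresh count.
            st.failures = 0
            st.locked_until = now + self.policy.lockout_seconds
        return "failed"


def groggy_morning(policy: LockoutPolicy) -> list[str]:
    """The scenario from the mail: three typos, then the right password."""
    guard = LoginGuard(policy)
    timeline = [(0, False), (5, False), (10, False), (15, True)]  # constructed
    return [guard.attempt("alice", t, ok) for t, ok in timeline]


def guesses_per_day(policy: LockoutPolicy) -> int:
    """Closed-form upper bound: max_failures guesses per lock/unlock cycle."""
    cycles = SECONDS_PER_DAY / policy.lockout_seconds
    return int(cycles * policy.max_failures)


def simulate_attacker(policy: LockoutPolicy, horizon: float = SECONDS_PER_DAY) -> int:
    """Drive the guard as an online guesser (assumed one guess per second,
    sleeping through each lockout) and count guesses actually evaluated."""
    guard = LoginGuard(policy)
    now, evaluated = 0.0, 0
    while now < horizon:
        if guard.attempt("alice", now, False) == "locked":
            now = guard.accounts["alice"].locked_until
        else:
            evaluated += 1
            now += 1.0
    return evaluated


def days_to_exhaust(policy: LockoutPolicy, password_space: int) -> float:
    """Days needed to try every password in the space through the lockout."""
    return password_space / guesses_per_day(policy)


if __name__ == "__main__":
    for n in (3, 5):
        policy = LockoutPolicy(max_failures=n, lockout_seconds=1800)
        print(f"threshold {n}: groggy user -> {groggy_morning(policy)}")
        print(f"threshold {n}: attacker gets {simulate_attacker(policy)} guesses/day,"
              f" {days_to_exhaust(policy, 10**8) / 365:.0f} years for a 10^8 space")
```

With a 30-minute lockout the attacker goes from 144 to 240 online guesses per day, and exhausting even a modest 10^8 password space moves from roughly 1900 years to roughly 1100 years: the lockout duration, not the threshold, is doing the work. The same guard also shows the usual caveat: anyone who can submit wrong passwords for a victim's account can lock that victim out, so a longer lockout bought by a lower threshold is a denial-of-service lever as well.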
