|  11-11-2010, 01:43 PM | #46 | 
| Curmudgeon            Posts: 3,085 Karma: 722357 Join Date: Feb 2010 Device: PRS-505 | 
			
			A basic dictionary attack will be detected within a few tries; it's not like the old days. If they're stealing the password file and attacking that, the solution is better system security, not weaker user security, and if they've got enough of a massively parallel system (or perhaps a botnet) to try every option against the hashes, requiring unmemorable characters in users' passwords will not make it measurably slower. A disturbingly common point of attack is stolen (or just lost) laptops with passwords on them. The world's most secure password doesn't do jack for a trojaned, stolen, or otherwise suborned computer. Making the users write their passwords down, or store them in their laptops, as Duncan says, is making the problem worse instead of better. I did once have a nice consulting gig resetting an office manager's password every 90 days. He always ignored the "grace period" messages, then called in great distress when his old password didn't work anymore, giving me a nice drive and some free money for 5 minutes' work. Unfortunately, it wasn't long before they bought a system that didn't suck. I miss that one. | 
|   |   | 
|  11-11-2010, 02:14 PM | #47 | |
| Zealot        Posts: 143 Karma: 880 Join Date: Jun 2010 Device: Pandigital Novel | Quote: 
 Note I said "responding", as these measures are put in place after somebody finds out the hard way about the problem. | |
|   |   | 
|  11-11-2010, 02:27 PM | #48 | 
| Curmudgeon            Posts: 3,085 Karma: 722357 Join Date: Feb 2010 Device: PRS-505 | 
			
			The problem is that by responding to one problem (systems vulnerable to dictionary attacks) they're creating another problem (user passwords that can't be remembered) -- and the new problem may, in fact, be worse than the old problem.
		 | 
|   |   | 
|  11-11-2010, 06:36 PM | #49 | 
| King of the Bongo Drums            Posts: 1,632 Karma: 5927225 Join Date: Feb 2009 Device: Excelsior! (Strange...) | 
			
			"Always tell the truth. This will please some people & astonish the rest." - Mark Twain.
		 | 
|   |   | 
|  11-11-2010, 11:00 PM | #50 | |
| quantum mechanic            Posts: 705 Karma: 483827 Join Date: Aug 2010 Location: NorCal Device: Nook1, Samsung Transform, Nook2 | Quote: 
   | |
|   |   | 
|  11-12-2010, 03:02 AM | #51 | |
| Zealot        Posts: 143 Karma: 880 Join Date: Jun 2010 Device: Pandigital Novel | Quote: 
 Essentially the same method can be used to remember a password, or stars: ObAfGkMrNs. | |
|   |   | 
|  11-12-2010, 09:49 AM | #52 | 
| Curmudgeon            Posts: 3,085 Karma: 722357 Join Date: Feb 2010 Device: PRS-505 | 
			
			I don't think either one is a viable solution (and I say this as someone who once had a very nice consulting gig regularly resetting an office manager's password). One gives you hard-to-find weak passwords, the other gives you easy-to-find strong passwords (the stickynotes). While getting users to choose at least moderately strong passwords is important, so is hardening the system as a whole. So, too, is setting appropriate user privileges and access. That's definitely more work for IT, but it has the advantage of working, and not just forcing users to write their passwords in places you don't want to think about. Remember, we're talking about Jersey Shore fans here: they're not gonna memorize passwords or stars.
		 | 
|   |   | 
|  11-12-2010, 10:00 AM | #53 | 
| Enthusiast            Posts: 38 Karma: 67710 Join Date: Jul 2010 Location: Ontario Device: PRS-600 & Kobo & PRS-650, iTouch and iPad2 | 
			
			The most annoying on-line store I found was Plimus in Britain. When I was in Thailand last month my daughter wanted the Ngaio Marsh books they advertised. I bought them for download on-line and paid immediately with PayPal, but they just about wanted my life history, including phone number, and then I had to wait several days for a download link! For goodness' sake, it cost $9.99.
		 | 
|   |   | 
|  11-12-2010, 06:29 PM | #54 | |
| Addict        Posts: 254 Karma: 834 Join Date: Oct 2010 Location: Sacramento, CA Device: Samsung Galaxy s3 (Android 4.4.2), iPad 2, Win10 laptop | Quote: 
 I've been known to resort to the "list on my PDA that doesn't leave my physical possession while at work" strategy myself.   | |
|   |   | 
|  11-13-2010, 01:13 AM | #55 | |
| Zealot        Posts: 143 Karma: 880 Join Date: Jun 2010 Device: Pandigital Novel | Quote: 
 If they can't do that then perhaps people who can should be hired. | |
|   |   | 
|  11-13-2010, 08:34 AM | #56 | 
| Curmudgeon            Posts: 3,085 Karma: 722357 Join Date: Feb 2010 Device: PRS-505 | 
			
			In my experience, the worst offenders are those who do the hiring. When I went to a client's site every 90 days to fix a guy's password, it wasn't some peon's password that needed changing; it was the head of the regional office's.
		 | 
|   |   | 
|  11-13-2010, 08:30 PM | #57 | |
| Zealot            Posts: 129 Karma: 11430 Join Date: Jun 2010 Location: NC, USA Device: my laptop | Quote: 
 Of course, unless I was on a tight deadline, I didn't mind that much--I got paid by the hour, even when locked out and unable to do my job. I would guess that password problems cost this company far more than what they saved from any potential security threat that their policies may have prevented. --Maria | |
|   |   | 
|  11-13-2010, 11:48 PM | #58 | |
| Zealot        Posts: 143 Karma: 880 Join Date: Jun 2010 Device: Pandigital Novel | Quote: 
 Maria, can you remember a simple sentence? McYra$$? | |
|   |   | 
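Added example (Python, not code from any poster in this thread) tying together two points made above: the initialism method from posts #51 and #58 (first letter of each word of a sentence, with a symbol substitution), and the offline attack against a stolen password file that post #46 says complexity rules do little to slow down. It derives the post's password from its sentence, then runs a small rule-based dictionary attack of the kind a cracker uses against the hash of a word-based "complex" password and against the hash of the mnemonic. The wordlist, the substitution table, the sample password "Pa$$w0rd1" and the use of unsalted SHA-256 as a stand-in for the stolen file's hash are all constructed for the demo, not taken from the thread.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Constructed wordlist for the demo; a real attack would use a large leaked-
# password list. "password" is in it, the mnemonic's initials are not.
WORDLIST = ["password", "maria", "sentence", "letmein", "welcome", "monkey"]

# Symbol/digit substitutions of the kind cracking tools apply as mangling
# rules (assumed table, not from the thread).
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}


def mnemonic_password(sentence: str, subs: Optional[Dict[str, str]] = None) -> str:
    """Initialism method from posts #51/#58: take the first character of each
    word, keep each word's own capitalisation, then apply substitutions.
    'Maria, can you remember a simple sentence?' -> 'Mcyra$$' with the
    default s->$ rule (the post's McYra$$ additionally uppercased the Y by hand)."""
    if subs is None:
        subs = {"s": "$"}
    initials = "".join(w[0] for w in sentence.split() if w[0].isalnum())
    return "".join(subs.get(ch, ch) for ch in initials)


def mangle(word: str) -> Iterator[str]:
    """Variants a rule-based cracker tries for one dictionary word: three case
    forms, every subset of the substitutable letters replaced via LEET, and each
    result with and without a common suffix. Real rule sets are far larger; the
    point is that the guess count grows per dictionary word, not per character
    of the full symbol keyspace."""
    for base in sorted({word.lower(), word.capitalize(), word.upper()}):
        positions = [i for i, ch in enumerate(base) if ch.lower() in LEET]
        for r in range(len(positions) + 1):
            for chosen in itertools.combinations(positions, r):
                chars = list(base)
                for i in chosen:
                    chars[i] = LEET[chars[i].lower()]
                variant = "".join(chars)
                yield variant
                for suffix in ("1", "123", "!", "2010"):
                    yield variant + suffix


def variants_per_word(word: str) -> int:
    """How many guesses the rules above cost for one word ("password" -> 240)."""
    return sum(1 for _ in mangle(word))


def sha256_hex(password: str) -> str:
    """Stand-in for the stolen password file's hash. An unsalted fast hash makes
    the attack below cheap; a real system should use a slow, salted scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against one stolen hash. Returns the recovered
    password (or None) and the number of guesses made."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def demo() -> Dict[str, Tuple[Optional[str], int]]:
    """Run the attack against a complexity-rule-compliant password built from a
    dictionary word and against the mnemonic initialism from post #58."""
    targets = {
        "policy": "Pa$$w0rd1",  # upper, lower, digit, symbol: passes the usual rule
        "mnemonic": mnemonic_password("Maria, can you remember a simple sentence?"),
    }
    return {label: crack(sha256_hex(pw), WORDLIST) for label, pw in targets.items()}


if __name__ == "__main__":
    print("variants tried per word:", variants_per_word("password"))
    for label, (found, n) in demo().items():
        print(f"{label:9s} -> {found!r} after {n} guesses")
```

The mangling rules turn one dictionary word into a few hundred guesses, so a symbol-for-letter "complex" password falls in well under a thousand hashes, while the initialism is not a dictionary word and survives this wordlist entirely. Whether a user can keep such an initialism straight after the next forced rotation is the separate question Curmudgeon raises, and nothing in the code settles it.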
|  11-14-2010, 01:50 AM | #59 | 
| Curmudgeon            Posts: 3,085 Karma: 722357 Join Date: Feb 2010 Device: PRS-505 | 
			
			But this week, is it "Maria, can you remember a simple sentence?" or "Maria, what is that sentence today?" ... and what will it be next week? Joe Schmoe in accounting is just gonna write the thing on a stickynote, and thereby hangs the problem.
		 | 
|   |   | 
|  11-14-2010, 01:35 PM | #60 | 
| Zealot        Posts: 143 Karma: 880 Join Date: Jun 2010 Device: Pandigital Novel | 
			
			If Joe can't remember a sentence he made up then perhaps he needs a job someplace else.
		 | 
|   |   | 