Re: Valid password characters

From: TB (tbpostbox-googlegroups_at_yahoo.com)
Date: 02/18/05


Date: Fri, 18 Feb 2005 01:31:40 +0100

A good password policy should be combined with a good user name ditto. If
the user name is also a bit hard to guess, then you multiply the
difficulties for the intruder.

Also, another good policy is to set an expiry date for passwords.

As for your observations about setting priorities, it is impossible not to
agree with you in principle. However, the plain reality is that very often a
business invests in a website just as they budget for art on the walls and
green potted plants. As most independent developers know, that allocation is
often not in proportion with the amount of work required for the development
of the site. And unless your customer is a bank (unlikely because they tend
to have their own salaried IT staff), then s/he will favor essentials such
as Flash and streaming video instead of boring subjects like the one we are
discussing now.

After all the greatest friend of the hacker is the company boss, who still
uses his daughter's name as the password to access the accounting system....

TB

"Roland Hall" <nobody@nowhere> wrote in message
news:uG8dXDUFFHA.628@TK2MSFTNGP15.phx.gbl...
> "TB" wrote in message news:unp5S5TFFHA.1924@TK2MSFTNGP14.phx.gbl...
> : Of course, the more security the better, it is really a question of
> : resources versus sensitivity of the content.
>
> I disagree that sensitivity of the content should be a factor. That's
> like
> saying, "Well, they broke in and stole my TV that didn't work so it's not
> that big a deal." If you had a cheap house with contents of not much
> value,
> if someone burned down your house, would it make any difference of the
> content within? You still have to rebuild and you're down until then.
>
> I've heard that argument a lot. "Why would anyone want to break into our
> system? We don't have anything worth taking." Two problems with that
> argument:
>
> 1. They may not know what you have so there is no reason for them not to
> try.
> 2. They may not want your data but they also may not want you to have it
> either. They could just be destructive.
>
> : So yes, one could add a feature
> : whereby an account would be disabled after a certain number of unsuccessful
> tries.
> : That, on the other hand, would expose the site to vandalism because a massive
> : attack could lock out a lot of users.
>
> I wouldn't necessarily lock the account but a delay would be helpful or
> possibly an email being generated, once, if the account is locked out to
> unlock it, as in the case of forgetting one's password.
>
> There has to be a medium between security and ease of use. If it's too
> difficult to use for legitimate users or too much of an inconvenience,
> then
> the security precautions in place could effectively create a DoS. (O:=
>
> : Another possibility is to require
> : reproduction of a character sequence included in a random graphic element (I
> : forget the technical term for it). In that way, you can prevent
> automated
> : attacks.
>
> Yes, a random graphic element that cannot be screen-scraped appears to be
> popular now. The downside is sometimes you cannot even tell what the
> characters are as with one I just used today with MSFT. I got it wrong
> twice. The attack on this type of protection will not be a frontal attack
> at the graphics. And, none of this will protect you from a DoS or DDoS,
> smurf, fraggle, etc. but do tend to discourage automated attempts of brute
> force.
>
> --
> Roland Hall
> /* This information is distributed in the hope that it will be useful, but
> without any warranty; without even the implied warranty of merchantability
> or fitness for a particular purpose. */
> Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
> WSH 5.6 Documentation -
> http://msdn.microsoft.com/downloads/list/webdev.asp
> MSDN Library - http://msdn.microsoft.com/library/default.asp
>
>
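The middle ground Roland describes above (a growing delay on failed logins instead of a hard lockout, plus a single unlock e-mail once the account is being hammered, so that a mass attack can only slow users down rather than lock them out) is sketched below as an added example. It is not code from either poster; the user table, the "alice" account, the `FakeClock`, the `LoginThrottle` class and the simulated `outbox` are all constructed for the demo, and the e-mail is only appended to a list rather than sent.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 20_000  # kept low for the demo; production should use a slow, memory-hard KDF


def hash_password(password, salt=b""):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table for the example (not real accounts).
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy record so that unknown user names cost the same KDF work as real ones.
_DUMMY = hash_password("dummy")


class FakeClock:
    """Injectable clock so the backoff can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginThrottle:
    """Per-account backoff instead of a hard lockout.

    Every failed attempt doubles the wait before the next attempt is even
    examined (capped at max_delay). After unlock_after failures a one-time
    unlock token is "e-mailed" (here: appended to outbox) so the real owner
    can clear the backoff; an attacker can keep the account slow, not locked.
    """

    def __init__(self, users, base_delay=1.0, max_delay=60.0, unlock_after=10, clock=time.monotonic):
        self.users = users
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.unlock_after = unlock_after
        self.clock = clock
        self.failures = {}       # username -> (failure count, earliest next attempt)
        self.unlock_tokens = {}  # username -> SHA-256 of the outstanding unlock token
        self.outbox = []         # simulated e-mails: (username, token)

    def _verify(self, username, password):
        salt, expected = self.users.get(username, _DUMMY)
        _, actual = hash_password(password, salt)
        # compare_digest hides where the mismatch is; the dummy record keeps timing uniform
        return hmac.compare_digest(actual, expected) and username in self.users

    def attempt(self, username, password):
        """Return ('ok' | 'failed' | 'delayed', seconds the caller must wait)."""
        now = self.clock()
        count, not_before = self.failures.get(username, (0, 0.0))
        if now < not_before:
            # The password is not checked at all: a guess made during the delay is wasted.
            return "delayed", not_before - now
        if self._verify(username, password):
            self.failures.pop(username, None)
            self.unlock_tokens.pop(username, None)
            return "ok", 0.0
        count += 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.failures[username] = (count, now + delay)
        if count == self.unlock_after and username in self.users:
            # Exactly one e-mail per backoff episode, and only for accounts that exist.
            token = secrets.token_urlsafe(16)
            self.unlock_tokens[username] = hashlib.sha256(token.encode()).digest()
            self.outbox.append((username, token))
        return "failed", delay

    def unlock(self, username, token):
        """Clear the backoff if the token from the unlock e-mail matches (single use)."""
        expected = self.unlock_tokens.get(username)
        if expected is None:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
            return False
        self.failures.pop(username, None)
        self.unlock_tokens.pop(username, None)
        return True


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(USERS, unlock_after=3, clock=clock)
    for t in (0.0, 1.0, 3.0):
        clock.t = t
        print(t, throttle.attempt("alice", "wrong"))
    print("unlock mail:", throttle.outbox)
```

Two choices are worth noting. The delay is enforced before the password is verified, so guesses that arrive inside the window are simply discarded rather than counted; and unknown user names are run through the same KDF and the same backoff as real ones, but never trigger an e-mail, so the login form does not tell an attacker which names exist.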


