You can't secure what you don't acknowledge.SM

Monday, February 1, 2010

Relying on users to wipe out wimpy passwords??

I just came across this Dark Reading bit by Adrian Lane on wiping out wimpy passwords. Adrian says that user training is needed so people know how to create strong passwords. I'm not picking on you, Adrian, but this has become a downright ridiculous approach, one that's been proven time and again not to work.

My take is that you have to set your users up for success and, therefore, have to MAKE them create strong passphrases. It's as simple as enabling minimum password complexity policies in the OS and building strong passphrase requirements into Web applications so that users don't have the option to take the path of least resistance.

Just like anti-lock brake systems in automobiles, circuit breakers in home electrical panels, and seat belt requirements on airplanes, we have to build in security controls that set our users up for success. Period. Unless and until we do, we're going to continue having the same old ridiculous password issues we've always had.
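Here is what "building in" the requirement looks like on the server side of a Web application, as an added example that is not from the original post: a policy check that runs at registration or password change regardless of what the client does. The thresholds, the character-class rule and the tiny blocklist are assumed values for illustration; a real deployment would tune them and load a full breached-password list.

```python
import re
from typing import List

# Constructed blocklist for illustration; a real deployment would load a
# large list of breached/common passwords.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}

# Policy parameters (assumed values): a long passphrase may pass on length
# alone; anything shorter must mix character classes.
MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20
MIN_CLASSES = 3

CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}

def policy_violations(candidate: str, username: str = "") -> List[str]:
    """Return the policy rules the candidate breaks (empty list = accepted).

    Meant to run server-side, so the user cannot bypass it by editing the
    form or disabling client-side script.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    # One character repeated over and over satisfies length but nothing else.
    if len(set(candidate)) < 4:
        problems.append("uses fewer than 4 distinct characters")
    classes = sum(1 for p in CLASS_PATTERNS.values() if re.search(p, candidate))
    # Shorter passwords need class variety; a long passphrase is exempt.
    if len(candidate) < PASSPHRASE_LENGTH and classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    return problems

def is_acceptable(candidate: str, username: str = "") -> bool:
    """True when the candidate breaks none of the rules above."""
    return not policy_violations(candidate, username)
```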

1 comment:

  1. Ever wonder how blondes remember their passwords?
    Funny...

    During a recent password audit, it was found that a blonde was using the following password:

    MickeyMinniePlutoHueyLouieDeweyDonaldGoofy

    When asked why such a big password, she said, "It had to be at least 8 characters long."
