
assurance - Re: [Assurance] Password Strength Requirements

Subject: Assurance

Re: [Assurance] Password Strength Requirements


  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] Password Strength Requirements
  • Date: Wed, 8 Aug 2012 23:42:24 +0000
  • Accept-language: en-US

On 8/8/12 6:33 PM, "Joe St Sauver" <> wrote:
>#Yeah, but. I'd get caught.
>
>Why's that?

Because most people with a motive to attack a particular account are just
not all that smart.

>#Again, you're proposing theoretical technical/wonky attacks that mean
>#nothing to the non-techies here.
>
>Not theoretical attacks. Very, very basic script kiddy-class attacks,

Poor choice of words. By theoretical, I really meant "not seen much in
actual practice" regardless of how easy they seem to be. And again, to
justify spending money to do something different, they have to be frequent
enough to cause a real problem.

Since it seemed to be conventional wisdom that such a lockout policy is
unwise, I wondered if in practice it's bitten anybody. It doesn't really
sound like it to me other than a few anecdotal cases.

>#They laugh at it.
>
>I always am happy when folks have a good sense of humor. :-) I just hope
>that they retain that sense of humor if/when they get bitten by unexpected
>side effects of policies that they've decided to adopt :-)

It's not unexpected. The attack is common sense and it was dismissed as
not worth changing the policy for. So far they're right based on the
evidence I have access to. I don't think even one or two incidents a year
would register as a blip in terms of motivating a policy change.

-- Scott



