The most classical examples are yellow sticky notes with passwords written on them decorating the monitors in cubicles and open spaces. Then there are passwords so easy to guess that they are completely useless: password, 123, a, a password that matches the username, even blank (just the Enter key) are very common choices. It gets worse: making less-obvious choices could still be useless in the case of networked access. If I choose any English word as a password, however uncommon or hard to spell, I may think I found an easy way to remember it and make it extremely hard for an attacker to guess it. That might be true for an attacker who enters the password with a keyboard, but for a program it is a breeze to go through a dictionary and try everything until it hits the right guess. To close this intentionally incomplete list, we cannot fail to mention the most outrageous method of acquiring passwords: explicitly asking for it will have a surprising rate of success.
Those problems have reasonable solutions. Policies that strongly discourage writing down passwords (or handing them to strangers!), imposing complex password patterns including numbers and special characters (assigning such passwords to users does not work; they will almost certainly write them down instead of memorizing them, although nothing guarantees they'll not do that anyway as a reaction to the complex pattern constraint), and forcing the user to choose a new password from time to time are all good practices.
On a small scale, passwords can be viable, but the shared secret idea has intrinsic flaws
Password issues can be mitigated by strong governance and a good infrastructure
Passwords: Ascent and Decline 33
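The policy rules the two paragraphs above describe, written out as a checker (an added example, not the book's own code): it rejects the blank and trivial values named in the text, a password equal to the username, any dictionary word even when disguised with digits or substitutions, and enforces the digits-and-special-characters pattern. The word list and the weak values are constructed sample data standing in for a real wordlist.

```python
import re
import string

# Constructed sample data: a tiny stand-in for a real dictionary, plus the
# weak choices the text calls out explicitly (blank, "password", "123", "a").
DICTIONARY_WORDS = {"password", "welcome", "dragon", "sesquipedalian", "onomatopoeia"}
TRIVIAL_CHOICES = {"", "password", "123", "a"}


def normalize(pw: str) -> str:
    """Lower-case, undo common substitutions (p@ssw0rd -> password) and drop
    trailing digits/punctuation (dragon99! -> dragon), so that a disguised
    dictionary word is still recognised as one."""
    table = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(table))


def password_problems(password: str, username: str) -> list[str]:
    """Return the list of policy violations for a candidate password.

    An empty list means the password is accepted. Each check corresponds to
    a failure mode from the text: trivial values, username as password, any
    dictionary word (a program tries a whole wordlist in seconds, however
    obscure the word), and the required complexity pattern.
    """
    problems = []
    if password in TRIVIAL_CHOICES:
        problems.append("blank or trivially common value")
    if password.lower() == username.lower():
        problems.append("matches the username")
    if normalize(password) in DICTIONARY_WORDS:
        problems.append("dictionary word (defeated by a wordlist attack)")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    for candidate in ["", "alice", "Sesquipedalian", "P@ssw0rd!", "correct-Horse7battery!"]:
        print(repr(candidate), "->", password_problems(candidate, "alice") or "accepted")
```

Note that the checker enforces the pattern but cannot stop the reaction the text warns about (users writing the complex password down); that part needs governance, not code.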