Date: Sat, 13 Jan 2001 23:33:14 -0800 (PST)
From: opentrax@email.com
To: ftobin@uiuc.edu
Cc: genisis@istar.ca, security@FreeBSD.ORG
Subject: Re: opinions on password policies
Message-ID: <200101140733.XAA00644@spammie.svbug.com>
In-Reply-To: <Pine.BSF.4.31.0101131726030.40290-100000@palanthas.neverending.org>
On 13 Jan, Frank Tobin wrote:

> While this may not be applicable to your situation, I feel that the best
> policy is to demand public-key authentication. The reason for this is to
> limit the human factor, not demanding the user remember yet another unique
> password. If forced to remember another password, most users (including
> myself) will often re-use a password they use at another place.
> This is not a good policy.

For small infrastructures (5-100 users), PKA might be acceptable. However, this is useful only if ALL users log in remotely. Even then, PKA, such as used in SSH, has management problems.

Getting back to password policies, do what you can. Studies such as:

http://www.cs.wpi.edu/~cs513/f99cew/week12-crypt/week12-crypt.html

show that most public systems can be cracked easily with a simple dictionary attack. The best security policy is to expect that systems with many users that you don't personally know (like universities) will be hacked.

Jessem.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message