|Main Archive Page > Month Archives > postfix-users archives|
On 25 Jul 2012, at 08:20, Ansgar Wiechers wrote:
> On 2012-07-25 mouss wrote:
>> Le 24/07/2012 08:37, Stan Hoeppner a écrit :
>>> You'd think humans beings would be smart enough to follow directions
>>> and use strong passwords, AV software, etc, and not fall for phishing
>>> scams. Your adversary in this war isn't the spammers, it's not the
>>> technology, but your users.
>> oh come on! the "users" excuse is wa too old. if your software accepts
>> weak passwords, then the problem is with the software, not the user.
> I'd have to disagree on this one. How do you measure strength or
> weakness of a password?
> Length? Is "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" strong?
> Complexity? Is "Passw0rd" strong?
> A combination of the above? Is "JosephAverage4/1/1999" strong?
> Frequent password changes? Is "simplepassword##" strong? (## being a
> sequential number)
> How do you effectively protect your infrastructure against users or
> (worse) customers writing their passwords on PostIts and leaving them
> around? How do you effectively protect your infrastructure against
> customers getting their own systems compromised?
> If you happen to have a solution for this problem, I'm honestly
> interested in learning about it, because I don't see any.
Isn't the conventional wisdom that a long password consisting of 3 or 4
common but longer words is sufficient and memorable, along the lines
of the famous XKCD panel?
Obviously there's more to it than that, but I didn't think there was
much disagreement about the ideal form of a memorable and strong password.
It's a given that your attacker will have an idea what form of password
to test for, if not the actual password.