To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.off-topic.geekOpen lugnet.off-topic.geek in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Off-Topic / Geek / 2869
2868  |  2870
Subject: 
 Re: Security?
Newsgroups: 
 lugnet.off-topic.geek
Date: 
 Tue, 13 Mar 2001 19:45:52 GMT
Viewed: 
 120 times
  
In article <GA53J7.n1M@lugnet.com>, Dave Schuler <orrex@excite.com> wrote:
Last week at my job I had the misfortune of attending a mandatory seminar on
Information Security, which amounted to little more than "don't leave
sensitive documents on the bus."  Through the course of it, though, the
lecturer discussed the various commonly-available software systems for
hammering through password protection, and he gave some time projections for
how long it would take to "guess" a certain type of password.
That's all well and good, but it occurred to me that my system locks me
out if I botch my password three times, so why are these intruder programs
able to make millions of attempts with no problem?  More to the point, why
does my system bother to limit me to three tries, which in practice will
only result in inconvenience to me, since the interloper can apparently make
as many attempts as it wants?

I suspect that lockouts after password retries aren't to secure the system,
they're to secure the user. Draconian measures tend to reinforce the idea
that passwords are _important_, and you should _remember_ them. [0]

Oh, and we (system administrators) like watching people squirm when they
have to come to our offices and admit they can't type their own password
given three chances. [1]

On your other subject, nobody cracks passwords by trying to log in to the
machine; they get the "password file" (which _is_ encrypted on any modern
system) and crack against that. The implication here is that not only
do security people not trust people breaking in, they don't trust people
with legitimate accounts on the system. I consider this a good thing;
the last thing I need is someone spamming the world from my account
instead of their own.

[0] Unfortunately, this last bit tends to get parsed as "write them down"

[1] Not really, but that's what the rest of the world thinks, so who are
we to argue?

-JDF
--
J.D. Forinash                                     ,-.
foxtrot@cc.gatech.edu                            ( <
The more you learn, the better your luck gets.    `-'



Message has 1 Reply:
  Re: Security?
 
(...) This statement is coming from an individual who forgets passwords that must be changed every 30 days.[1] Aren't most passwords acquired through human engineering anyway? Chris 1. Now, I ask someone else to do the stuff on the system that (...) (24 years ago, 13-Mar-01, to lugnet.off-topic.geek)

Message is in Reply To:
  Security?
 
Last week at my job I had the misfortune of attending a mandatory seminar on Information Security, which amounted to little more than "don't leave sensitive documents on the bus." Through the course of it, though, the lecturer discussed the various (...) (24 years ago, 13-Mar-01, to lugnet.off-topic.geek)

8 Messages in This Thread:


Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact

This Message and its Replies on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    
Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR