Message-ID: <20060312183202.M79019@ubzr.zsa.bet>
Date: Mon Mar 13 00:43:35 2006
From: measl at mfn.org (J.A. Terranson)
Subject: Yahoo security give blogger the thumbs up
On Sun, 12 Mar 2006, SO SECURITY RESEARCH INSTITUTE wrote:
> ADP
> were unavailable for comment at time of this message being submitted to
> Full-Disclosure mailing list. http://tinyurl.com/plqt3
This URL describes ADP's not unreasonable password policy (8-14 characters,
must contain special chars, no incrementing or decrementing chars, and no
repeats). Sure, it's annoying, but it's also good practice. At least
they haven't gone over the edge, like, oh, a large tier-1 NSP with a 6
letter name that has all the above requirements, AND:
Password shall change EVERY 90 DAYS!;
password shall not ever repeat;
password shall not be derived from any dictionary word
(!!! - this alone makes the system unusable - !!!)
no passwords like "#V3rify||M3||n0w#" because
there are three English derived words. Ever try and
actually USE such a gawd awful system?
The KICKER though was this: the above requirements are for several
discrete systems (domain login, RADIUS login, VPN login, etc), and NONE of
these systems shared credentials - so you had to change them ALL every
three months, AND keep them straight!
As an industry, we need to come to terms with the concept that a bad
password kept secret is better than a great password written down on every
available surface because it changes every 3 months and has irrational
requirements.
ADP seems to have found a good middle ground policy. Revealing that
policy hurts nobody in any way - ADP/Yahoo security is not compromised by
this disclosure - so what's the point?
--
Yours,
J.A. Terranson
sysadmin@....org
0xBD4A95BF
'The right of self defence is the first law of nature: in most governments
it has been the study of rulers to confine this right within the narrowest
limits possible. Wherever standing armies are kept up, and the right of
the people to keep and bear arms is, under any colour or pretext
whatsoever, prohibited, liberty, if not already annihilated, is on the
brink of destruction.'
St. George Tucker
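An added example, not from the post or from ADP, that encodes the two policies the message contrasts: the ADP-style rules as the author describes them, and a crude "derived from a dictionary word" check of the kind the author complains about. Reading "incrementing or decrementing chars" and "repeats" as runs of three or more adjacent characters, the leet-speak table and the tiny word list are all assumptions made for illustration.

```python
"""Password-policy checker modelled on the two policies described in the post.

Added example, not code from the original message or from ADP. The post does
not define "incrementing or decrementing chars" or "repeats" precisely, so this
assumes adjacent runs of three or more (abc, 321, aaa). The leet-speak table
and the word list are constructed stand-ins.
"""
import re
import string

SPECIALS = set(string.punctuation)


def _run_length(s, step):
    """Longest run of adjacent characters whose code points differ by `step`."""
    best = cur = 1
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if ord(b) - ord(a) == step else 1
        best = max(best, cur)
    return best


def check_adp_style(pw, min_len=8, max_len=14, max_run=2):
    """Return the rules violated under the policy the post attributes to ADP."""
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append("length")
    if not SPECIALS & set(pw):
        problems.append("special")
    if _run_length(pw, 1) > max_run:
        problems.append("incrementing")
    if _run_length(pw, -1) > max_run:
        problems.append("decrementing")
    if _run_length(pw, 0) > max_run:
        problems.append("repeat")
    return problems


LEET = str.maketrans("0134$@", "oleasa")   # constructed substitution table
WORDS = {"verify", "me", "now", "password"}  # constructed stand-in dictionary


def derived_words(pw):
    """Dictionary words left after lowercasing, undoing leet-speak and dropping
    punctuation: the 'no dictionary-derived word' rule the post objects to."""
    tokens = re.split(r"[^a-z0-9]+", pw.lower().translate(LEET))
    return [t for t in tokens if t in WORDS]
```

The author's own example "#V3rify||M3||n0w#" yields three dictionary-derived words under the second check, which is exactly why a rule like that rejects otherwise strong passphrases.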