[Info-vax] Enhanced Password Management
dgordonatvsi at gmail.com
Thu Mar 21 13:39:48 EDT 2019
On Thursday, March 21, 2019 at 1:25:53 PM UTC-4, lorin... at gmail.com wrote:
> That they're continuing "The minimum number of..." line of thinking seems to indicate either entrenched thinking or too much to do -- especially in light of contemporary, objective evidence that password complexity and expiration rules not only don't work, but aggressively weaken security, giving the bad actors yet another predictable and well-known attack vector. Engineering's continued focus on pwd-complexity is not just "interesting," it's misdirected, false security theater, a waste of time, and just plain wrong.
Regardless of my agreement with you, we have customers who have contracts with agencies who don't.
> Troy Hunt's cloud resource https://haveibeenpwned.com came to light in the months since that Boot Camp presentation. I've written, for my own amusement, a proof-of-concept script (Ruby) that checks new password candidates against that online corpus, rejecting even otherwise "strong" passwords if their hash is found to have been already compromised.
>
> VMS Engineering would do well to refocus their efforts to have SET PASSWORD do the same online checking (don't download the corpus into a local check-it dictionary, as the reference instance gets updated with new breach data on an as-needed basis) rather than messing around with obsolete complexity rules and other such presumptive "fixing."
>
VSI has a class of customers for which this feature would be absolutely unacceptable. These are the same sorts of customers who insist on physical installation media.
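As an added example (not the quoted poster's proof-of-concept script, and not VSI code), this Ruby snippet shows the kind of check described above against the haveibeenpwned Pwned Passwords corpus via its k-anonymity range API: only the first five hex characters of the candidate's SHA-1 leave the machine, and the suffix is compared locally. The `SAMPLE_RANGE` response body is constructed so the check runs offline; `fetch_range` is used only when no body is supplied.

```ruby
require 'digest'
require 'net/http'
require 'uri'

# Pwned Passwords range API (k-anonymity): only the first five hex
# characters of the SHA-1 hash are sent; the server returns every
# suffix sharing that prefix together with its breach count.
HIBP_RANGE = 'https://api.pwnedpasswords.com/range/'

# Split a candidate's SHA-1 into the 5-char prefix sent to the API
# and the 35-char suffix that is only ever compared locally.
def split_sha1(password)
  hex = Digest::SHA1.hexdigest(password).upcase
  [hex[0, 5], hex[5..]]
end

# Count how often the suffix appears in a range response body
# (lines of "SUFFIX:COUNT"). 0 means the password is not in the corpus.
def breach_count(suffix, range_body)
  range_body.each_line do |line|
    found, count = line.strip.split(':', 2)
    return count.to_i if found && found.casecmp?(suffix)
  end
  0
end

# Live lookup against the reference instance (network access required).
def fetch_range(prefix)
  Net::HTTP.get(URI("#{HIBP_RANGE}#{prefix}"))
end

# Policy decision: reject any candidate seen in a breach, however "strong".
def acceptable?(password, range_body = nil)
  prefix, suffix = split_sha1(password)
  range_body ||= fetch_range(prefix)
  breach_count(suffix, range_body).zero?
end

# Constructed range response, shaped like the API's output. The first
# suffix is the real SHA-1 tail of "password"; the second is made up.
SAMPLE_RANGE = <<~RANGE
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
  1E9D4AD4B9B6F3D6A9C1B67C7F0A3E0E5C1:2
RANGE

if __FILE__ == $0
  puts acceptable?('password', SAMPLE_RANGE) ? 'ok' : 'rejected: found in breach corpus'
end
```

Because the prefix alone identifies a bucket of hundreds of hashes, the service never learns which password was checked, which is what makes an online check at SET PASSWORD time tolerable where a full corpus download is not.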