[Info-vax] Enhanced Password Management

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Fri Mar 22 16:46:20 EDT 2019


On 2019-03-22 16:55:40 +0000, Dave Froble said:

> "BAD" is many times "in the eyes of the beholder" ....
> 
> That said, including the capability to do "good" (same perspective as 
> bad) should be available ....
> 
> Perhaps I'm not understanding this topic.  Is it incompatible to allow 
> both what certain customers want, and current best practices, according 
> to NIST?

It's that the documentation doesn't state that NIST suggests that these 
password filters are a Bad Idea, and for the following reason.

It's the difference between selling folks anything and not mentioning 
the risks or the issues, and of having an opinion and suggestions and 
recommendations that can assist the customers.

The difference between a software provider—an organization that 
might not mention the risks and problems—and a software partner—an 
organization that can and will mention risks and benefits.

That "these" are design and coding and implementation techniques for 
improving app and system security, while "those" are techniques that 
can compromise system and app security.

Development practices evolve, and so too does security advice, and 
there are a whole lot of app developers around that are focusing on 
their own apps and requirements, and aren't necessarily cognizant of 
changing recommendations and risks, nor of the benefits of adopting 
updated and new features as those arise.

This also ties into the willingness of ISVs and end-users to go through 
development and deployment hassles when those become necessary, such as 
having to make app source code changes to resolve latent issues or to 
implement new features.

It's that the documentation here doesn't make clear what might be the 
VSI opinion around password filters, and an obvious inference given 
NIST recommendations and published papers on this topic is that VSI 
isn't concerned about weakening their customer security.  Not enough to 
comment. That might be a harsh reading here, certainly. And again, 
customers can and are free to use DECnet, telnet, cleartext storage, or 
password filters.  That's all up to the customer.  But I'd wager that a 
number of folks reading *this* discussion didn't know the implications 
of password filters, either.

-- 
Pure Personal Opinion | HoffmanLabs LLC 