[Info-vax] Enhanced Password Management

Dave Froble davef at tsoft-inc.com
Fri Mar 22 17:35:11 EDT 2019


On 3/22/2019 4:46 PM, Stephen Hoffman wrote:
> On 2019-03-22 16:55:40 +0000, Dave Froble said:
>
>> "BAD" is many times "in the eyes of the beholder" ....
>>
>> That said, including the capability to do "good" (same perspective as
>> bad) should be available ....
>>
>> Perhaps I'm not understanding this topic.  Is it incompatible to allow
>> both what certain customers want, and current best practices,
>> according to NIST?
>
> It's that the documentation doesn't state that NIST suggests that these
> password filters are a Bad Idea, and for the following reason.
>
> It's the difference between selling folks anything and not mentioning
> the risks or the issues, and of having an opinion and suggestions and
> recommendations that can assist the customers.
>
> The difference between a software provider—an organization that
> might not mention the risks and problems—and of a software partner—an
> organization that can and will mention risks and benefits.
>
> That "these" are design and coding and implementation techniques for
> improving app and system security, while "those" are techniques that can
> compromise system and app security.
>
> Development practices evolve, and so too does security advice, and there
> are a whole lot of app developers around that are focusing on their own
> apps and requirements, and aren't necessarily cognizant of changing
> recommendations and risks, nor of the benefits of adopting updated and
> new features as those arise.
>
> This also ties into the willingness of ISVs and end-users to go through
> development and deployment hassles when those become necessary, such as
> having to make app source code changes to resolve latent issues or to
> implement new features.
>
> It's that the documentation here doesn't make clear what might be the
> VSI opinion around password filters, and an obvious inference given NIST
> recommendations and published papers on this topic is that VSI isn't
> concerned about weakening their customer security.  Not enough to
> comment. That might be a harsh reading here, certainly.   And again,
> customers can and are free to use DECnet, telnet, cleartext storage, or
> password filters.  That's all up to the customer.  But I'd wager that a
> number of folks reading *this* discussion didn't know the implications
> of password filters, either.

Nor do I, I think.

But you are correct, if there is some authority with best practice
suggestions, it sure doesn't hurt to pass that information along.  It's
in the vendor's best interest, to avoid any "blame".


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486
