At 15:35 2017-05-05, Ken Dibble <krdibble(a)stny.rr.com> wrote:
[snip]
>Read the article. The data does not support the contention that
>these are important enough vectors to justify the downside that
>these recommendations have for users.
I did read the article. I do not agree with it.
>Anybody who's got a dictionary, by now, also has a brute-force
>"guessing machine" and a botnet. Yup, they get through the
>dictionary in a few seconds. Within only a few more minutes, the
>botnet loops through every possible combination of characters in a
>10-character password, and then they move on to 11 characters. The
>only thing that slows them down at all is a much longer password,
>and the only really effective defense involves measures on the
>server side. There is very little that a user can do to a password
>to make it significantly safer in the modern age, and there is a huge
>amount of aggravation that can be caused to users over passwords
>that, in the end, has very little benefit.
Not putting a password on a Post-It Note is not a total
solution, but it is the equivalent of not putting the house key under
the mat. Would you put your house key under the mat? I suspect that
answer would be a resounding no.
Just because there is no ultimate solution does not mean we
should ignore things that can help.
>This isn't just me, or just me and O'Reilly. Now it's me, O'Reilly,
>and the NIST.
>
>Of course, I know, I'm a low-status person. No matter how right I
>am, or how often I am right, nobody listens to me until a
>high-status person repeats what I said.
>
>I am just enjoying the gratification of being proven right.
No, of someone agreeing with you.
There have been proclamations before about solutions to the
password problem. I think they are premature.
Look, I know that keeping track of passwords is a bother, but
if access to something matters, changing your password occasionally
is a good idea for the reason I stated. Pick a password that you can
remember. I do not have a solution for the cognitive load of having
[too] many passwords.
set silly on
Hey, maybe we can have cameras watching for body motions as
passwords. Since throwing up one's hands about the password problem
is not workable, throwing up one's hands can be the new equivalent of
having a password of "PASSWORD".
set silly off
Sincerely,
Gene Wirchenko
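The quoted paragraph above argues about how quickly a botnet exhausts 10- and 11-character passwords, and about server-side measures being the only effective defence. As an added example, not code from either correspondent, here is the keyspace arithmetic a practitioner would check such a claim against: how the search space grows with length and character set, and how an online throttle or a deliberately slow server-side hash changes the attacker's effective rate. The guess rates, the throttle figure and the hash slowdown factor are constructed assumptions for illustration, not measurements.

```python
"""Keyspace arithmetic for password guessing.

Added example for this thread; not code from either correspondent.
All guess rates and slowdown factors below are constructed
illustrations, not measurements of any real system.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes commonly assumed when sizing a keyspace.
LOWER = 26        # a-z
ALNUM = 62        # a-z, A-Z, 0-9
PRINTABLE = 95    # printable ASCII, space through '~'


def keyspace(charset_size: int, length: int) -> int:
    """Count of distinct passwords of exactly `length` characters."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Wall-clock seconds to try every password of this length at a steady rate."""
    if guesses_per_second <= 0:
        raise ValueError("guesses_per_second must be positive")
    return keyspace(charset_size, length) / guesses_per_second


def slowed_rate(raw_rate: float, slowdown: float) -> float:
    """Attacker's offline rate once each guess must go through a password hash
    that costs `slowdown` times more than a fast hash (a server-side choice).
    The slowdown value is an assumption supplied by the caller."""
    if slowdown < 1:
        raise ValueError("slowdown must be >= 1")
    return raw_rate / slowdown


def years(seconds: float) -> float:
    """Convert seconds to years for readable comparison."""
    return seconds / SECONDS_PER_YEAR


def guessing_table(lengths, charset_size, rates):
    """Years to exhaust each length at each named rate.
    Returns {rate_name: {length: years}}."""
    return {
        name: {n: years(seconds_to_exhaust(charset_size, n, rate))
               for n in lengths}
        for name, rate in rates.items()
    }


if __name__ == "__main__":
    # Constructed scenarios (assumptions, not measurements):
    #   online   : a throttled login endpoint allowing ~10 guesses/s
    #   offline  : a stolen fast-hash database attacked at 1e12 guesses/s
    #   slowhash : the same hardware against a hash tuned ~1e5x slower
    rates = {
        "online, throttled (10/s)": 10.0,
        "offline, fast hash (1e12/s)": 1e12,
        "offline, slow hash (1e12/s divided by 1e5)": slowed_rate(1e12, 1e5),
    }
    table = guessing_table([8, 10, 11, 16], PRINTABLE, rates)
    for name, row in table.items():
        print(name)
        for n, y in row.items():
            print(f"  {n:2d} printable chars: {y:.3g} years to exhaust")
```

Running the block prints, for each assumed rate, the years needed to exhaust the full printable-ASCII space at 8, 10, 11 and 16 characters; each extra character multiplies the figure by the character-set size, and each server-side slowdown factor divides the attacker's rate by that factor, which is the arithmetic behind both halves of the quoted argument.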