At 15:35 2017-05-05, Ken Dibble krdibble@stny.rr.com wrote:
[snip]
> Read the article. The data does not support the contention that these are important enough vectors to justify the downside that these recommendations have for users.
I did read the article. I do not agree with it.
> Anybody who's got a dictionary, by now, also has a brute-force "guessing machine" and a botnet. Yup, they get through the dictionary in a few seconds. Within only a few more minutes, the botnet loops through every possible combination of characters in a 10-character password, and then they move on to 11 characters. The only thing that slows them down at all is a much longer password, and the only really effective defense involves measures on the server side. There is very little that a user can do to a password to make it significantly safer in the modern age, and there is a huge amount of aggravation that can be caused to users over passwords that, in the end, has very little benefit.
Not putting a password on a Post-It Note is not a total solution, but it is the equivalent of not putting the house key under the mat. Would you put your house key under the mat? I suspect that answer would be a resounding no.
Just because there is no ultimate solution does not mean we should ignore things that can help.
> This isn't just me, or just me and O'Reilly. Now it's me, O'Reilly, and the NIST.
> Of course, I know, I'm a low-status person. No matter how right I am, or how often I am right, nobody listens to me until a high-status person repeats what I said.
> I am just enjoying the gratification of being proven right.
No, of someone agreeing with you.
There have been proclamations before about solutions to the password problem. I think they are premature.
Look, I know that keeping track of passwords is a bother, but if access to something matters, changing your password occasionally is a good idea for the reason I stated. Pick a password that you can remember. I do not have a solution for the cognitive load of having [too] many passwords.
set silly on Hey, maybe we can have cameras watching for body motions as passwords. Since throwing up one's hands about the password problem is not workable, throwing up one's hands can be the new equivalent of having a password of "PASSWORD". set silly off
Sincerely,
Gene Wirchenko