Passwords May Be Weakest Link

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"

Re:Yah! Stick it to the users!

[ocbwilg]

Give a look at any paper by Sasse, Brostoff and Adams, such as this one [mdx.ac.uk], and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force- all-my-users-to-32-char-monthly-passwords bullshit attitude.

I've currently got a 12 character password that I change on the same schedule as regular users do. Even though I only speak English and Spanish, I translated two unrelated words into two different languages (French and Welsh), then took the first half of one of the words, stuck it onto the second half of the other word, did a character substitution ("0" for "O", "1" for "L" or "I", and so on) and then tacked on a couple of random digits for good measure.

So apparently by your logic I can now tell you to fuck off and that the users are, in fact, the problem.