Passwords May Be Weakest Link

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"

Nearly ZERO value, kids

[gelfling]

Look. Passwords make nice window dressing and make the auditors feel all gooey and warm but Let's face it. You're getting ripped off by insiders who obey your policies whatever they are and outsiders who already have your password files to examine are already in too far. You might as well sell your own children into slavery and let you neighbors have sex with them.

PROTECT THE DAMN DATA, THEN WORRY ABOUT THE ACCESS. COMPARTMENTALIZE AND DISSAGGREGATE EVERYTHING.