There was an interesting paper I came across recently at the SANS reading room. Although the techniques it talks about are not revolutionary, it does present them in an easy-to-read manner, which may be used as a basis to train end users.
I don't like the suggested way to deal with required password changes (add a number to the end) because it goes against best practice. I did, however, question why adding numbers to the end of passwords during a forced change is not recommended, and all I came up with is:
- if you know users have strong passwords, the reason why you still force them to change passwords regularly is to mitigate the risk that someone other than the user has gained access to that password. So simply adding numbers to the end of passwords voids the mitigation of the required password change.
http://www.sans.org/rr/whitepapers/authentication/1636.php