Windows Password Myths
The author of this password-myth article makes some good points. Particularly this one toward the end, which, I think, should have been moved to the top.
Some may disagree with individual points I have presented here, but that is the whole purpose. A myth is a half-truth. Many of the myths that I have attacked here were once good advice or they still are good advice but only in specific scenarios. But to many this advice has become a set of solid rules that are generally applied to all scenarios. Password advice, including my own, is nothing more than advice. You must determine which rules work for you and which do not. Perhaps the biggest myth of all is that there are fixed rules when it comes to password security.
In my professional experience with security issues, I’ve found that to be a big breakdown in the process. Information assurance professionals, be they highly trained or very lightly trained, will get it in their heads that their way is the way. A little bit o’ knowledge is a dangerous thing, they say. That is probably not quite as true anywhere else as it is in Information Security. Everybody wants everything to work the way it worked in their last job, and all those other IS guys who want it to work a different way are just plain wrong.
On the other hand, I find this highly disagreeable.
Myth #7. You Should Never Write Down Your Password
Although this is often good advice, sometimes it is necessary to write down passwords. Users feel more comfortable creating complex passwords if they are able to write them down somewhere in case they forget.
Sometimes passwords need to be documented. It’s not uncommon to see a company in a panic because their admin just quit, and he’s the only one who knows the server password. You should discourage writing down passwords in many situations, but if writing them down helps or is necessary, be smart about it.
There are personal passwords, and there are role-based passwords. I set a database administrator password, I get sick, you need to do something administrative to the database and so you call me to get the password. If the database lacks the ability to have two separate user accounts with the same privileges, and sees the administrator as a role rather than as a specific person, then this is acceptable. But in a system with the sophistication to recognize rights & roles as two different things, and roles & users as two different things, the justification for sharing dissipates, and with that any reason for writing things down likewise vanishes.
Simply put, passwords, whenever possible, should be purely personal. And security is all about treating personal things as personal. Who gets rights to what is based on who’s who, so the system needs to know people are who they say they are. It’s the atomic building block: the individual identity.
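The distinction the two paragraphs above draw, as an added example that is not from the original post: a toy model of a system that keeps users, roles and rights as three separate things, next to one with a single shared role login. The names alice and bob, the "dba" role and its rights are constructed; the point is that the first model lets a second person cover a role (and later lose it) without anyone handing over a password, and its audit trail still names an individual.

```python
# Added example, not from the original post. Names and rights are constructed.
from dataclasses import dataclass, field


@dataclass
class RbacSystem:
    """Users, roles and rights are three separate things."""
    role_rights: dict = field(default_factory=dict)  # role -> set of rights
    user_roles: dict = field(default_factory=dict)   # user -> set of roles
    audit: list = field(default_factory=list)        # (who, right, allowed)

    def grant_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        # Removing one person's membership never touches anyone else's credential.
        self.user_roles.get(user, set()).discard(role)

    def rights_of(self, user):
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_rights.get(r, set()) for r in roles))

    def act(self, user, right):
        allowed = right in self.rights_of(user)
        self.audit.append((user, right, allowed))  # the individual is recorded
        return allowed


@dataclass
class SharedAccountSystem:
    """One login per role; whoever knows the password *is* the role."""
    account_rights: dict = field(default_factory=dict)  # account -> rights
    audit: list = field(default_factory=list)

    def act(self, account, right):
        allowed = right in self.account_rights.get(account, set())
        self.audit.append((account, right, allowed))  # only the role is recorded
        return allowed


def demo():
    rbac = RbacSystem(role_rights={"dba": {"backup", "alter_schema"}})
    rbac.grant_role("alice", "dba")
    rbac.grant_role("bob", "dba")   # bob covers while alice is out; nothing shared
    rbac.act("bob", "backup")
    rbac.revoke_role("bob", "dba")  # cover period ends; alice is unaffected
    rbac.act("bob", "backup")       # now denied
    shared = SharedAccountSystem(account_rights={"dba": {"backup"}})
    shared.act("dba", "backup")     # the log cannot tell alice from bob
    return rbac, shared
```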
So my take on it is, if you’re writing down a password because you have trouble remembering it, the system is already broken. Under this system, you aren’t “Bob,” you’re a guy who knows Bob keeps the password locked in his desk drawer, and who has Bob’s key. This is not acceptable. People get sick. People go on vacations. And even in a workplace with a great security culture, people do not think about security all the time. The security goon and/or the auditors leave the room, and people go back to getting the work done on time, lending and borrowing passwords as needed.
Their reviews are conducted based on how they got work done, not on how they kept their passwords secret.
So muscle memory is the key. The fingers know what the password is. Even the hunt-and-peckers who don’t know how to type can “memorize” eight-character passwords this way in just a few minutes.
But, like the guy said in the bottom paragraph that should have been the top paragraph, it’s a matter of perspective. Or at least, it is until you have an actual security incident. It’s been my experience that things change a little after that.