rjoc04679

Dan.Strassberg dan.strassberg@att.net
Thu Mar 31 14:07:40 EDT 2011


There is the famous old story (almost certainly apocryphal) about the
IT manager who had figured out a set of rules for bullet-proof
passwords and then distributed the rules in an e-mail to all employees.
He also set up the system to reject any password that didn't comply
with his rules. Most of the employees couldn't make sense of the
complex rules and therefore couldn't follow them and the IT guy got
tired of having to painstakingly explain the rules to each employee.
But he didn't have to--for long. One of the few employees who had
deciphered the memo sent another e-mail to all employees containing a
password that complied with all of the rules. And of course, everybody
selected that password.

-----
Dan Strassberg (dan.strassberg@att.net)
eFax 1-707-215-6367

----- Original Message ----- 
From: "Sid Schweiger" <sid@wrko.com>
To: <boston-radio-interest@lists.BostonRadio.org>
Sent: Thursday, March 31, 2011 9:36 AM
Subject: RE: rjoc04679


> "It would, however, be stronger if it contained no words that were
> vulnerable to a dictionary attack.  "NSzYAYh-40%PYICi&2" is much
> stronger, as it contains no dictionary words and incorporates three
> non-alpha-numeric characters (-, % and &) instead of one (-)
> repeated three times."
>
> A nice idea, but in practice maybe not so much.  The problem is that
> passwords have to be used by people, not machines, and a password
> that bears no resemblance whatsoever to anything in human experience
> is going to be either forgotten regularly or written down and posted
> on the user's monitor, which is the same as having no password at
> all.  From an admin's POV, setting too strict a password policy
> leads to workarounds which inevitably end up compromising the very
> security passwords were intended to protect.
>
> Sid Schweiger
> IT Manager, Entercom New England
> 20 Guest St / 3d Floor
> Brighton MA  02135-2040
>
