On 2012-01-03 8:58 PM, Michael Orlitzky michael@orlitzky.com wrote:
On 01/03/2012 08:25 PM, Charles Marcus wrote:
What I'm worried about is the worst case scenario of someone getting ahold of the entire user database of *stored* passwords, where they can then take their time and brute force them at their leisure, on *their* *own* systems, without having to hammer my server over smtp/imap and without the automated limit of *my* fail2ban getting in their way.
To prevent rainbow table attacks, salt your passwords. You can make them a little bit more difficult in plenty of ways, but salt is the /solution/.
Go read that link (you obviously didn't yet, because he claims that salting passwords is next to *useless*)...
As for people writing their passwords down... our policy is that it is a potentially *firable* *offense* (never even encountered one case of anyone posting their password, and I'm on these systems off and on all the time) if they do post these anywhere that is not under lock and key. Also, I always set up their email clients for them (on their workstations and on their phones - and of course tell it to remember the password, so they basically never have to enter it).
You realize they're just walking around with a $400 post-it note with the password written on it, right?
Nope, you are wrong - as I have patiently explained before. They do not *need* to write their password down.
--
Best regards,
Charles