On 2012-01-03 8:37 PM, David Ford david@blue-labs.org wrote:
> Part of my point, along with that of brute-force resistance, is that when security becomes onerous to the typical user, such as requiring non-repeating passwords of "10 characters including punctuation and mixed case", even stalwart policy followers start tending toward avoiding it.
Our policy is that we also don't force password changes unless/until there is a reason (an account is hacked/abused).
I've been managing this mail system for 11+ years now, and this has *never* happened (knock wood). I'm not saying we're immune, or that it can never happen; I'm simply saying it has never happened, so our policy is working as far as I'm concerned.
> If anyone has a stressful job, spends a lot of time working, misses sleep, and is thereby prone to memory lapses, it's almost a sure guarantee they *will* write it down/store it somewhere -- usually not in a password safe.
Again - there is no *need* for them to write it down. Once their workstation/home computer/phone is set up, it remembers the password for them.
> Or, they'll export their saved passwords to make a backup plain-text copy and leave it in their Desktop folder, coyly named and prefixed with a few random emails to grandma, so Mr. Sysadmin doesn't notice it.
And if I don't notice it, no one else will either, most likely.
There is *no* perfect way, but ours works and has been working for 11+ years.
> On a tangent, you should worry about active brute-force attacks. fail2ban and iptables heuristics become meaningless when the brute forcing is done by botnets, which is more and more common than single-host attacks these days. One IP per attempt in a 10-20 minute window will probably never trigger any of these methods.
Nor will it ever be successful in brute-forcing a strong password either, because a botnet has to try the same user with different passwords, and that is easy to monitor for an excessive number of failures (of login attempts for the same user) and notify the sysadmin (me) well in advance of the hack attempt being successful.
--
Best regards,
Charles
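The point the two of them are circling (per-IP heuristics such as fail2ban's miss a botnet that sends one attempt per address, while counting failures per *user name* still catches it) is easy to show over a log. The script below is an added example, not code from either poster or from fail2ban/Dovecot. The log lines are constructed sample data in a format loosely modelled on Dovecot's imap-login "auth failed" messages, the IP addresses come from the RFC 5737 documentation ranges, and the thresholds (5 failures, 10- and 20-minute windows) are illustrative choices. Both checks use the same sliding-window counter, keyed once by source IP and once by user name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a botnet spreading 8 attempts against "charles"
# over 8 different source IPs, a single host hammering "alice", and one
# legitimate typo by "bob". Format is only loosely Dovecot-like.
SAMPLE_LOG = """\
Jan 03 20:30:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charles>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jan 03 20:32:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charles>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS
Jan 03 20:34:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<charles>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS
Jan 03 20:35:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Jan 03 20:35:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Jan 03 20:35:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Jan 03 20:35:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Jan 03 20:35:22 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Jan 03 20:35:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Jan 03 20:36:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charles>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, TLS
Jan 03 20:37:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=192.0.2.200, lip=192.0.2.10, TLS
Jan 03 20:38:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charles>, method=PLAIN, rip=203.0.113.130, lip=192.0.2.10, TLS
Jan 03 20:40:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charles>, method=PLAIN, rip=198.51.100.200, lip=192.0.2.10, TLS
Jan 03 20:42:33 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charles>, method=PLAIN, rip=192.0.2.101, lip=192.0.2.10, TLS
Jan 03 20:44:17 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<charles>, method=PLAIN, rip=203.0.113.222, lip=192.0.2.10, TLS
"""

# Regex for the constructed format above (not a general Dovecot parser).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)"
)


def parse_failures(log_text, year=2012):
    """Return a list of (timestamp, user, source_ip) for each auth failure."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; syslog lines carry no year, so assume one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["rip"]))
    return events


def max_failures_in_window(events, key_index, window):
    """For each key (user or IP) return the highest number of failures that
    fall inside any sliding window of the given length."""
    times_by_key = defaultdict(list)
    for ev in events:
        times_by_key[ev[key_index]].append(ev[0])
    worst = {}
    for key, times in times_by_key.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window start forward
            best = max(best, end - start + 1)
        worst[key] = best
    return worst


def per_ip_offenders(events, maxretry=5, window=timedelta(minutes=10)):
    """fail2ban-style rule: a source IP with >= maxretry failures in the window."""
    counts = max_failures_in_window(events, key_index=2, window=window)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def per_user_alerts(events, maxretry=5, window=timedelta(minutes=20)):
    """The per-account check from the thread: one user name collecting
    many failures, no matter how many source IPs they come from."""
    counts = max_failures_in_window(events, key_index=1, window=window)
    return sorted(user for user, n in counts.items() if n >= maxretry)


def distinct_sources(events, user):
    """How many different IPs failed against this user (a botnet signature)."""
    return len({rip for _, u, rip in events if u == user})


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("per-IP rule bans:   ", per_ip_offenders(evs))     # only alice's single attacker
    print("per-user rule alerts:", per_user_alerts(evs))    # alice AND charles
    print("IPs hitting charles: ", distinct_sources(evs, "charles"))
```

Run as-is, the per-IP rule bans only the single host attacking alice; every botnet node hitting charles has one failure and stays under the threshold, exactly as David describes. The per-user count flags both accounts, and the number of distinct sources per user is the field worth putting in the alert, since a legitimate user mistyping a password does not arrive from eight networks in fifteen minutes.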