Unlearned lessons

[unixronin]

Today's User Friendly strip makes a security point I've commented on myself many a time:  If you make your password policy demanding enough, you can force all of your users to write their passwords down, and the odds are at least some of them will leave their password notes where they can be seen and/or found by someone who shouldn't have them.  At which point your carefully crafted password policy, proof against any but the most massive distributed brute-force attack, becomes vulnerable to the pizza boy who happens to glance at the receptionist's desk while chatting her up on his way through the front lobby.

Comments

[mrmeval.livejournal.com]

All security systems are vulnerable to social engineering as it's called. It can be quick or it can take time but eventually it can be done.

What I've seen of SecurID impresses me. It's not cheap but it's better then biometrics.

"Biometrics can be fun to exploit but keeping the parts alive is tough." --darkmeval. ;)

Consider that added to the quotables. ;)

[unixronin.livejournal.com]

Hardware tokens are a good system, I think. As schneier is wont to comment, the most secure authentication systems are those that require a combination of something you have, something you are, and something you know.

[robbat2.livejournal.com]

my sole complaint against the SecurID was their their server portion ran only on Solaris or Windows (I had a 5 unit eval kit with the server and keys for a while). But again, follow Schneier's comments that they should not be used in isolation.