    Password Complexity, Good or bad?

    IT Discussion
    202 Posts 12 Posters 52.3k Views
    • scottalanmiller @JaredBusch

      @JaredBusch said:

      @scottalanmiller said:

      With Option A I would question the motivations of the company that put this in place. This is such a basic and fundamental anti-security practice that it is tantamount to social engineering and having engineered an intentionally insecure environment.

      This is a load of crap. Things are specifically designed and set up that way because that is what people have been taught. No company with something like that implemented has done anything wrong, as you are implying.

      Even people being taught wrong have a responsibility to implement common sense and make sure that what they are being taught and, far more important, repeating and implementing is real. Real security people have been teaching that this is terribly insecure for a very long time.

      Just because they were told it doesn't mean that they have no responsibility for being capable of doing the job they are paid to do.

      • scottalanmiller @JaredBusch

        @JaredBusch said:

        Every single bad implementation that is out there is not some company trying to maliciously sabotage themselves as you always imply Scott.

        But most are, which you soundly reject. You forget that malice includes being willing to not do a good job for personal gain. It doesn't mean that they hate the company and want to hurt them, just that protecting them as they are paid to do isn't taken seriously and risk is incurred from doing so.

        • scottalanmiller

          The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

          • Basic IT or computer or mathematical knowledge would mean that teaching something wrong like this would not matter. It's obviously wrong.
          • Learning security by rote is fundamentally wrong. If someone is trying to be an advisor and doesn't understand what they are doing, that's not good security. Even if they were taught wrong, it is their responsibility to understand the factors which would make this very obviously not secure.
          • Not putting in the necessary care for which you are entrusted is called professional negligence and is a form of malice. It's just for personal gain - to get a paycheck for a job you are not qualified to do. But it is a real thing. When paid as a professional advisor you take on a responsibility - and if you can't do that job, admitting it is part of that. This isn't getting a time frame wrong or not being able to complete a product, but putting a business at risk not through something missed but through an intentional action that is harmful (through risk).
          • Not taking care to choose good education and mentorships falls to the actioner as well. This is hard, but just trusting others who are not capable doesn't remove all culpability.
          • scottalanmiller

            The big issue here is that this is security related, not ease of use or something like that. We assume that someone was paid to secure the company and instead of securing it, they actively made it less secure than it would have been by default. It's actually worse than if they had done nothing.

            • JaredBusch @scottalanmiller

              @scottalanmiller said:

              The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

              It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.

              Let alone getting into anyone outside of IT.

              • scottalanmiller @JaredBusch

                @JaredBusch said:

                It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.

                Let alone getting into anyone outside of IT.

                Perhaps that is true. But it is setting an insanely low bar for IT. What's the first thing you learn about security? Well, that's never run as the admin. And the second is to never share accounts. But this is still very basic stuff. Maybe you can excuse a first-time help desker with never thinking about or learning how computers work (maybe, I'd have to consider that), but for a security decision maker?

                • scottalanmiller

                  And yes, I realise that sadly the bar for what people consider IT is insanely low. And that's why I only said that we should consider motivations, not take legal action. If this was from a firm advertising its security expertise, I would definitely recommend legal action, at the very least to get all audit costs, mitigation costs and payments returned.

                  If it turns out that they were just hiring some high school kid to run their IT and provided no training and required no training and were not paying for any expertise, then it is, to some degree, excusable. Not a "ah this happens to everyone" level of excuse, but enough that they should just be required to take some basic computer and security training.

                  As we don't know who implemented this, we don't know the scope of the issue. But there is every chance that this was an MSP claiming that they knew what they were doing rather than someone's nephew trying to "help out" without proper basic security training.

                  • travisdh1 @JaredBusch

                    @JaredBusch said:

                    @scottalanmiller said:

                    The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

                    It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.

                    Let alone getting into anyone outside of IT.

                    Very sad that it's true.

                    Everyone repeat after me. The number one rule of doing encryption is, do not write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.

                    • crustachio @travisdh1

                      @travisdh1 said:

                      @JaredBusch said:

                      @scottalanmiller said:

                      The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

                      It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.

                      Let alone getting into anyone outside of IT.

                      Very sad that it's true.

                      Everyone repeat after me. The number one rule of doing encryption is, do not write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.

                      But I got this thing free in a cereal box!

                      • Dashrender @scottalanmiller

                        @scottalanmiller said:

                        @JaredBusch said:

                        It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.

                        Let alone getting into anyone outside of IT.

                        Perhaps that is true. But it is setting an insanely low bar for IT. What's the first thing you learn about security? Well, that's never run as the admin. And the second is to never share accounts. But this is still very basic stuff. Maybe you can excuse a first-time help desker with never thinking about or learning how computers work (maybe, I'd have to consider that), but for a security decision maker?

                        Well, are we talking about paid security decision maker or are we talking about typical IT? Granted there should be some basic knowledge - but you speak of first thing you learn? Don't run as admin - LOL I certainly didn't learn that first, or second or even top 100. This wasn't a concept to me until well after Windows 2000 came out.

                        I suppose if you grew up on the Linux or any Nix side of the house that might have been different - but hell, it's pretty easy to run as root if you just want to in a lot of cases.

                        I started in DOS, upgraded to Win3.x - Win9x, jumped over to Win NT 3.5, 3.51 and 4.0 (learned about admin and general security), but still - running as non-admin wasn't done by me or anyone around me. When the company I worked for at the time deployed Windows 2000, that was the first real time it was a thing - not running as an admin.

                        So to that end - the idea that a shorter complex password is not as secure as a longer though visually more simple password - it is easy to see why many (including IT people) wouldn't innately pick this up. Toss in the fact that showing how a longer though visually more simple password offers better protection involves math - most people hate dealing with math, and again IT people are no exception. Tons of IT people can't figure out subnets, don't understand the use of binary to find same networks, etc... so when you're talking about complexity and you bring math to explain why longer is better - their eyes just glaze over.

                        • Dashrender @travisdh1

                          @travisdh1 said:

                          @JaredBusch said:

                          @scottalanmiller said:

                          The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

                          It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.

                          Let alone getting into anyone outside of IT.

                          Very sad that it's true.

                          Everyone repeat after me. The number one rule of doing encryption is, do not write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.

                          This is proven every day with all the exploits that are discovered.

                          Hell, Apple's iMessage has a flaw in it - one that can't be fixed without wholesale replacing the current system, so yet another gaping hole that will just be left to rot.

                          • scottalanmiller @Dashrender

                            @Dashrender said:

                            Well, are we talking about paid security decision maker or are we talking about typical IT?

                            Well, while we can't guarantee it, this is a company and we should assume that someone was getting paid to make security decisions. So to some degree these two are one and the same.

                            • BRRABill @scottalanmiller

                              @scottalanmiller said:

                              Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords.

                              Is that true? Doesn't adding character sets make it harder to guess? Human interaction aside? I am just saying aaaaaaaa versus something random with punctuation would take longer to crack. Are you saying that is not the case?

                              • travisdh1 @BRRABill

                                @BRRABill said:

                                @scottalanmiller said:

                                Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords.

                                Is that true? Doesn't adding character sets make it harder to guess? Human interaction aside? I am just saying aaaaaaaa versus something random with punctuation would take longer to crack. Are you saying that is not the case?

                                Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.

                                • brianlittlejohn

                                  No matter what they say... length matters 😉

                                  • travisdh1 @brianlittlejohn

                                    @brianlittlejohn said:

                                    No matter what they say... length matters 😉

                                    Yes, I purposely went there. I'm heading home now, later 😜

                                    • BRRABill @travisdh1

                                      @travisdh1 said:

                                      Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.

                                      I also agree with that.

                                      I am just saying isn't

                                      thisisalongpassword

                                      weaker than

                                      thisisa@longpassword

                                      • Dashrender @BRRABill

                                        @BRRABill said:

                                        @travisdh1 said:

                                        Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.

                                        I also agree with that.

                                        I am just saying isn't

                                        thisisalongpassword

                                        weaker than

                                        thisisa@longpassword

                                        Yes, of course it is. But thisisalongpassword is way better than P@ssw0rd

                                        • BRRABill @Dashrender

                                          @Dashrender said:

                                          Yes, of course it is. But thisisalongpassword is way better than P@ssw0rd

                                          I originally was questioning @scottalanmiller that

                                          password
                                          and
                                          P@ssw0rd

                                          are the same to a computer.

                                          Not arguing anything here. Agree with it all.

                                          • Dashrender

                                            @Dashrender said:

                                            thisisalongpassword

                                            according to howsecureismypassword.com

                                            thisisalongpassword
                                            [attached screenshot: 0_1458855493627_pass1.JPG]

                                            and P@ssw0rd

                                            [attached screenshot: 0_1458855525668_pass2.JPG]

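The comparison made in the last few posts (password vs P@ssw0rd, thisisalongpassword vs thisisa@longpassword), run as code. This is an added example, not code from any poster in the thread: a naive character-class estimate, which is what a complexity rule measures, sits beside a blocklist-aware one that undoes leet substitutions before the lookup, the way a password-policy check in the spirit of NIST SP 800-63B would. The blocklist, the substitution table and the rule count are constructed for illustration.

```python
import math

# Constructed blocklist standing in for a breached-password corpus such as the
# HIBP Pwned Passwords list; the five entries here are for illustration only.
BLOCKLIST = {"password", "letmein", "qwerty", "aaaaaaaa", "welcome"}

# Reverse of the leet substitutions that cracking rules apply to a wordlist.
# A defender's normaliser undoes them so P@ssw0rd is checked as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

PUNCT = 33  # printable ASCII characters that are neither letters nor digits


def charset_size(pw: str) -> int:
    """Alphabet size a brute-force attacker must assume from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += PUNCT
    return size


def complexity_bits(pw: str) -> float:
    """What a complexity rule measures: log2(charset ** length). An upper
    bound: it credits P@ssw0rd with a full 95-symbol alphabet."""
    return len(pw) * math.log2(charset_size(pw))


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions before the blocklist lookup."""
    return pw.lower().translate(LEET)


def effective_bits(pw: str, rules: int = 64) -> float:
    """Attacker-facing estimate. A blocklisted base word falls to a dictionary
    attack with a handful of mangling rules (assumed: 64), whatever character
    classes it uses; only otherwise does the brute-force figure apply. A fuller
    estimator such as zxcvbn would also score word concatenations, so the
    figure for thisisalongpassword is still generous."""
    if normalise(pw) in BLOCKLIST:
        return math.log2(len(BLOCKLIST) * rules)
    return complexity_bits(pw)


def report(pw: str) -> dict:
    return {"password": pw, "blocklisted": normalise(pw) in BLOCKLIST,
            "complexity_bits": round(complexity_bits(pw), 1),
            "effective_bits": round(effective_bits(pw), 1)}


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd", "aaaaaaaa",
               "thisisalongpassword", "thisisa@longpassword"):
        print(report(pw))
```

The complexity column ranks P@ssw0rd well above password; the effective column puts them on the same line, while the two long passwords stay far ahead and the one with the extra symbol still edges out the other.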