I read this with some interest:
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
Don't you just hate those sites where they enforce a certain password structure on you "for your own good" because they "know what is accepted best practice".
Over the years I've had a few "to and fros" with some of these, my main argument being that it is MY password, not theirs. I should be able to make whatever I want and if it gets cracked, that is my problem.
(I never "won" any of these arguments because people who blindly follow what someone says, without thinking about it or considering counter arguments, simply don't have the imagination to be able to easily change their practices and procedures once implemented. I don't even really mind them not doing anything, it is the REASON they do nothing that bugs me: "We implement our password policy in accordance with what are considered industry best practices, sorry if you find it inconvenient.")
Even if you made a powerful argument for NOT doing it, they STILL won't change it.
(BTW, if you register on the PRIMA site we make NO effort to enforce a password structure on you and you can have whatever you want. It is YOUR password. You can also change it and unregister yourself easily from our site. The code that drives this was written from scratch, by me, and so there is no "standard package javascript login". It does mean that you should READ any comments which might appear so the process will succeed...)
It's good to see an article that vindicates what I have believed for a number of years, but don't expect any sites to be changing their login policy any time soon.
On Wed, 9 Aug 2017 11:36:51 +1200, pete dashwood
<dashwood@enternet.co.nz> wrote:
I read this with some interest:
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
Don't you just hate those sites where they enforce a certain password
structure on you "for your own good" because they "know what is accepted
best practice".
Over the years I've had a few "to and fros" with some of these, my main
argument being that it is MY password, not theirs. I should be able to
make whatever I want and if it gets cracked, that is my problem.
(I never "won" any of these arguments because people who blindly follow
what someone says, without thinking about it or considering counter
arguments, simply don't have the imagination to be able to easily change
their practices and procedures once implemented. I don't even really
mind them not doing anything, it is the REASON they do nothing that bugs
me:"We implement our password policy in accordance with what are
considered industry best practices, sorry if you find it inconvenient.")
Even if you made a powerful argument for NOT doing it, they STILL won't
change it.
(BTW, if you register on the PRIMA site we make NO effort to enforce a
password structure on you and you can have whatever you want. It is YOUR
password. You can also change it and unregister yourself easily from our
site. The code that drives this was written from scratch, by me, and so
there is no "standard package javascript login". It does mean that you
should READ any comments which might appear so the process will succeed...)
It's good to see an article that vindicates what I have believed for a
number of years, but don't expect any sites to be changing their login
policy any time soon.
While I certainly agree that many of the password policies are silly,
and even counterproductive*, that's not the same as suggesting
*no* requirements.
it's to *your* checking account, I have a major interest in it not
being compromised. You can claim that it'll be your problem if it's cracked, but it really won't work out that way in the end. So I don't
want you to make the password "pete" or your birthday. Even if just
to protect you from yourself. Plenty of people will chose *really*
bad passwords if you let them.
Again, I'm not saying that many of the policies in place aren't
stupid. And you want stupid? My bank started enforcing complexity requirements for *account names*. Yeah, so my bank signon now has a
two digit number attached to the account name. They actually made me
change it. This is one of the biggest banks in the world. *sigh*
*A few years ago I had to update the password generator for the
installation program for a Windows service in one of our products. The service ran under its own login, and that login was never intended to
be used by anyone directly, just to run the service (rights would be assigned to that user ID, etc.). So we used the Windows CS random
number generator to generate a 32 hex digit string for the password.
Of course we ended up with a customer for whom that failed the
complexity requirements, and where it was politically impossible to
override those for this installation. The generated passwords now
have exactly the same entropy, but the different positions get a
different set of 16 characters to use (position 1/6/11/16/etc. still
has 0-9,a-f, but 2/7/12/17/etc. uses g-u, etc.). The installation
program will now prompt the installer for a password if the random
generator fails a couple of times.
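The footnote above describes a way to satisfy a "3 of 4 character classes" style policy without giving up any entropy: keep drawing every character uniformly from a 16-symbol set, but let the set depend on the position. The block below is an added illustration of that idea, not the installer code from the post. It assumes five 16-symbol alphabets (the post only names the first two), uses Python's `secrets` module in place of the Windows cryptographic RNG, and approximates the Windows "password must meet complexity requirements" rule as at least 6 characters, not containing the account name, and characters from at least 3 of the 4 classes; the retry-then-prompt behaviour is modelled by returning `None` so the caller can ask the installer for a password.

```python
import math
import secrets
from typing import Optional

# Five 16-symbol alphabets, cycled by position (assumed sets: the post only
# says position 1/6/11/... is 0-9a-f and position 2/7/12/... is a run of
# lower-case letters; the remaining sets are chosen here so that upper-case
# and punctuation characters are always present).
ALPHABETS = (
    "0123456789abcdef",
    "ghijklmnopqrstuv",
    "wxyzABCDEFGHIJKL",
    "MNOPQRSTUVWXYZ!@",
    "#$%&*+-./:;<=>?_",
)
PASSWORD_LENGTH = 32  # same length as the original 32-hex-digit scheme


def alphabet_for(position: int) -> str:
    """Alphabet used at a 0-based position: 0/5/10/... gets hex, 1/6/11/... the next set, and so on."""
    return ALPHABETS[position % len(ALPHABETS)]


def entropy_bits(length: int = PASSWORD_LENGTH) -> float:
    """Entropy of a password whose characters are drawn uniformly from each position's alphabet.

    Every alphabet has 16 symbols, so this is 4 bits per character: identical to
    a hex string of the same length.
    """
    return sum(math.log2(len(alphabet_for(i))) for i in range(length))


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw each character with a CSPRNG from that position's alphabet."""
    return "".join(secrets.choice(alphabet_for(i)) for i in range(length))


def meets_complexity(password: str, account_name: str = "") -> bool:
    """Assumed approximation of the Windows complexity policy:
    at least 6 characters, not containing the account name, and
    characters from at least 3 of the 4 classes (upper, lower, digit, other)."""
    if len(password) < 6:
        return False
    if account_name and account_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def generate_with_fallback(max_attempts: int = 3, account_name: str = "") -> Optional[str]:
    """Try the generator a few times; None means 'prompt the installer', as the post describes."""
    for _ in range(max_attempts):
        candidate = generate_password()
        if meets_complexity(candidate, account_name):
            return candidate
    return None


if __name__ == "__main__":
    # "svc_myproduct" is a hypothetical service account name.
    pw = generate_with_fallback(account_name="svc_myproduct")
    print(pw if pw is not None else "generator failed; prompt the installer")
    print(f"{entropy_bits():.0f} bits of entropy per generated password")
```

A plain 32-hex-digit string such as `deadbeef` repeated four times carries the same 128 bits but only touches two classes (digits and lower case), which is exactly why it failed the customer's policy; the positional scheme keeps the 16-way choice at every position and merely changes which 16 symbols are on offer.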
In article <euv09lF37ejU1@mid.individual.net>,
pete dashwood <dashwood@enternet.co.nz> wrote:
I read this with some interest:
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
Don't you just hate those sites where they enforce a certain password
structure on you "for your own good" because they "know what is accepted
best practice".
Over the years I've had a few "to and fros" with some of these, my main
argument being that it is MY password, not theirs. I should be able to
make whatever I want and if it gets cracked, that is my problem.
Whoever owns the swimming-pool gets to dictate the bathing-suit requirements... it may be your password, Mr Dashwood, but it is THEIR
system.
DD
On 9/08/2017 11:45 PM, docdwarf@panix.com wrote:
In article <euv09lF37ejU1@mid.individual.net>,
pete dashwood <dashwood@enternet.co.nz> wrote:
I read this with some interest:
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
Don't you just hate those sites where they enforce a certain password
structure on you "for your own good" because they "know what is accepted
best practice".
Over the years I've had a few "to and fros" with some of these, my main
argument being that it is MY password, not theirs. I should be able to
make whatever I want and if it gets cracked, that is my problem.
Whoever owns the swimming-pool gets to dictate the bathing-suit
requirements... it may be your password, Mr Dashwood, but it is THEIR
system.
I swim naked...wherever I legally can and without offending others.
In article <ev2oclFt6cpU1@mid.individual.net>,
pete dashwood <dashwood@enternet.co.nz> wrote:
On 9/08/2017 11:45 PM, docdwarf@panix.com wrote:
In article <euv09lF37ejU1@mid.individual.net>,
pete dashwood <dashwood@enternet.co.nz> wrote:
I read this with some interest:
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
Don't you just hate those sites where they enforce a certain password
structure on you "for your own good" because they "know what is accepted
best practice".
Over the years I've had a few "to and fros" with some of these, my main
argument being that it is MY password, not theirs. I should be able to
make whatever I want and if it gets cracked, that is my problem.
Whoever owns the swimming-pool gets to dictate the bathing-suit
requirements... it may be your password, Mr Dashwood, but it is THEIR
system.
I swim naked...wherever I legally can and without offending others.
Being told this enriches my life immeasurably. Permit me to respond in
kind:
Years ago a young woman asked me, with playful seriousness, 'What do you think of when you Q-tip your ears?'
(explanatory note: a Q-tip is a cotton swab which - despite strong
warnings from the manufacturer and countless paediatricians and sundry otologists - is used to clean ears; in typical American fashion (kleenex, band-aid, post-it note) the brand name has become the generic... see also http://www.qtips.com/ )
I responded 'If I'm doing it just right I think 'This is the sensation
which is closest to sex without actually doing it'.'