Microsoft put out a nice paper (pdf) last week countering many of the common password authentication best practices. The main point is that we need to stop blaming users for choosing dumb passwords (they just don’t care) and instead beef up our defenses against password-based attacks. The last paragraph pretty much sums up what we as an industry need to start doing.

Preventing, detecting and recovering from offline attacks must be administrative priorities, if the burden is not to be met with user effort. It is of prime importance to ensure that password files do not leak (or have content such that leaks are harmless), that any leak can be quickly detected, and that an incident response plan allows system-wide forced password resets if and when needed. Next, and of arguably equal importance, is protecting against online attacks by limiting the number of online guesses that can be made (e.g., by throttling or lockouts) and precluding the most common passwords (e.g., by password blacklists). Salting and iterated hashing are of course expected, using standardized adaptive password hashing functions or related MACs.
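The server-side defenses that paragraph lists (salted, iterated hashing with a standardized adaptive function, a blacklist of the most common passwords, and per-account throttling with lockout) combined into one verification routine, as an added example that is not from the paper or this post. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the adaptive function; the blacklist, usernames and lockout parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample blacklist; a deployment would load a large list of leaked/common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
PBKDF2_ITERATIONS = 600_000  # iterated-hashing work factor; tune to the server's hardware

def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)  # unique random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def is_blacklisted(password):
    return password.lower() in COMMON_PASSWORDS  # preclude the most common passwords at set time

class PasswordStore:
    """Stores (salt, digest) per user and limits online guesses per account."""
    def __init__(self, max_failures=5, lockout_seconds=900):
        self.records = {}   # username -> (salt, digest)
        self.failures = {}  # username -> timestamps of recent failed attempts
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds

    def register(self, user, password):
        if is_blacklisted(password):
            raise ValueError("password is on the common-password blacklist")
        self.records[user] = hash_password(password)

    def _recent_failures(self, user, now):
        window_start = now - self.lockout_seconds
        recent = [t for t in self.failures.get(user, []) if t > window_start]
        self.failures[user] = recent
        return recent

    def login(self, user, password, now=None):
        """Returns 'ok', 'denied' or 'locked'; 'now' is injectable for deterministic tests."""
        now = time.time() if now is None else now
        if len(self._recent_failures(user, now)) >= self.max_failures:
            return "locked"  # lockout: refuse without evaluating the guess at all
        # Unknown users still pay for one hash so timing does not reveal whether the account exists.
        salt, digest = self.records.get(user, (b"\0" * 16, b"\0" * 32))
        _, candidate = hash_password(password, salt)
        if user in self.records and hmac.compare_digest(candidate, digest):
            self.failures.pop(user, None)
            return "ok"
        self.failures.setdefault(user, []).append(now)
        return "denied"
```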

But if you want password advice to pass along from me, I recommend a good password manager that allows users to generate different random passwords for all the sites they use. Of course, come up with one mother lode of a master password, combined with some two-factor option if offered. And à la Bruce Schneier’s advice years ago … write the one complex master password down (with some characters transposed in an easily remembered way) and store it in your wallet or purse.

#####

Today’s post pic is from BlogSpot.com. See ya!
