ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Password Complexity, Good or bad?

    IT Discussion
    12
    202
    37.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @JaredBusch
      last edited by

      @JaredBusch said:

      Every single bad implementation that is out there is not some company trying to maliciously sabotage themselves as you always imply Scott.

      But most are, which you soundly reject. You forget that malice includes being willing to not do a good job for personal gain. It doesn't mean that they hate the company and want to hurt them, just that protecting them as they are paid to do isn't taken seriously and risk is incurred from doing so.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

        • Basic IT or computer or mathematical knowledge would mean that teaching something wrong like this would not matter. It's obviously wrong.
        • Learning security by rote is fundamentally wrong. If someone is trying to be an advisor and doesn't understand what they are doing, that's not good security. Even if they were taught wrong, it is their responsibility to understand the factors which would make this very obviously not secure.
        • Not putting in the necessary care for which you are entrusted is called professional negligence and is a form of malice. It's just for personal gain - to get a paycheck for a job you are not qualified to do. But it is a real thing. When paid as a professional advisor you take on a responsibility - and if you can't do that job, admitting it is part of that. This isn't getting a time frame wrong or not being able to complete a product but putting a business at risk not through something missed but through an intentional action that is harmful (through risk.)
        • Not taking care to choose good education and mentorships falls to the actioner as well. This is hard, but just trusting others who are not capable doesn't remove all culpability.
        JaredBuschJ 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller
          last edited by

          The big issue here is that this is security related, not ease of use or something like that. We assume that someone was paid to secure the company and instead of securing it, they actively made it less secure than it would have been by default. It's actually worse than if they had done nothing.

          1 Reply Last reply Reply Quote 1
          • JaredBuschJ
            JaredBusch @scottalanmiller
            last edited by

            @scottalanmiller said:

            The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

            It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.

            Let alone getting into anyone outside of IT.

            scottalanmillerS travisdh1T 2 Replies Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @JaredBusch
              last edited by

              @JaredBusch said:

              It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.

              Let alone getting into anyone outside of IT.

              Perhaps that is true. But it is setting an insanely low bar for IT. What's the first thing you learn about security? Well, that's never run as the admin. And the second is to never share accounts. But this still very basic stuff. Maybe you can excuse a first time help desker with never thinking about or learning how computers work (maybe, I'd have to consider that) but for a security decision maker?

              DashrenderD 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller
                last edited by

                And yes, I realise that sadly the bar for what people consider IT is insanely low. And that's why I only said that we should consider motivations, not take legal action. If this was from a firm advertising its security expertise, I would definitely recommend legal action, at the very least to get all audit costs, mitigation costs and payments returned.

                If it turns out that they were just hiring some high school kid to run their IT and provided no training and required no training and were not paying for any expertise, then it is, to some degree, excusable. Not a "ah this happens to everyone" level of excuse, but enough that they should just be required to take some basic computer and security training.

                As we don't know who implemented this, we don't know the scope of the issue. But there is every chance that this was an MSP claiming that they knew what they were doing rather than someone's nephew trying to "help out" without proper basic security training.

                1 Reply Last reply Reply Quote 1
                • travisdh1T
                  travisdh1 @JaredBusch
                  last edited by

                  @JaredBusch said:

                  @scottalanmiller said:

                  The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

                  It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.

                  Let alone getting into anyone outside of IT.

                  Very sad that it's true.

                  Everyone repeat after me. The number one rule of doing encryption is, do no write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.

                  crustachioC DashrenderD 2 Replies Last reply Reply Quote 1
                  • crustachioC
                    crustachio @travisdh1
                    last edited by

                    @travisdh1 said:

                    @JaredBusch said:

                    @scottalanmiller said:

                    The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

                    It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.

                    Let alone getting into anyone outside of IT.

                    Very sad that it's true.

                    Everyone repeat after me. The number one rule of doing encryption is, do no write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.

                    But I got this thing free in a cereal box!

                    1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      @JaredBusch said:

                      It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.

                      Let alone getting into anyone outside of IT.

                      Perhaps that is true. But it is setting an insanely low bar for IT. What's the first thing you learn about security? Well, that's never run as the admin. And the second is to never share accounts. But this still very basic stuff. Maybe you can excuse a first time help desker with never thinking about or learning how computers work (maybe, I'd have to consider that) but for a security decision maker?

                      Well, are we talking about paid security decision maker or are we talking about typical IT? Granted there should be some basic knowledge - but you speak of first thing you learn? Don't run as admin - LOL I certainly didn't learn that first, or second or even top 100. This wasn't a concept to me until well after Windows 2000 came out.

                      I suppose if you grew up on the Linux or any Nix side of the house that might have been different - but hell, it's pretty easy to run as root if you just want to in a lot of cases.

                      I started in DOS, upgrade to Win3.x - Win9x, jumped over to Win NT 3.5, 3.51 and 4.0 (learned about admin and general security) but still - running as non admin wasn't done by me or anyone around me. When the company I worked for at the time deployed Windows 2000, that was the first real time it was a thing - not running as an admin.

                      So to that end - the idea that a smaller complex password is not as secure as a longer though visually more simple password is easy to see why many (including IT people) wouldn't innately pick this up. Toss in the fact that how you show that a longer though visually more simple password offers better protection involves math - Most people hate dealing with math, again IT people are no exception. Tons of IT people can't figure out Subnets, don't understand the use of Binary to find same networks, etc... so when you're talking about complexity and you bring math to explain why longer is better - their eyes just glaze over.

                      scottalanmillerS 1 Reply Last reply Reply Quote 1
                      • DashrenderD
                        Dashrender @travisdh1
                        last edited by

                        @travisdh1 said:

                        @JaredBusch said:

                        @scottalanmiller said:

                        The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.

                        It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.

                        Let alone getting into anyone outside of IT.

                        Very sad that it's true.

                        Everyone repeat after me. The number one rule of doing encryption is, do no write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.

                        This is proven every day with all the exploits that are discovered.

                        Hell Apple's iMessage has a flaw in it - one that can't be fixed without whole sale replacing the current system, so yet another gaping whole that will just be left to rot.

                        1 Reply Last reply Reply Quote 1
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said:

                          Well, are we talking about paid security decision maker or are we talking about typical IT?

                          Well, while we can't guarantee it, this is a company and we should assume that someone was getting paid to make security decisions. So to some degree these two are one and the same.

                          1 Reply Last reply Reply Quote 1
                          • BRRABillB
                            BRRABill @scottalanmiller
                            last edited by

                            @scottalanmiller said:

                            Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords.

                            Is that true? Doesn't adding character sets make it harder to guess? Human interaction aside? I am just saying aaaaaaaa versus something random with punctuation would take longer to crack. Are you saying that is not the case?

                            travisdh1T 1 Reply Last reply Reply Quote 0
                            • travisdh1T
                              travisdh1 @BRRABill
                              last edited by

                              @BRRABill said:

                              @scottalanmiller said:

                              Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords.

                              Is that true? Doesn't adding character sets make it harder to guess? Human interaction aside? I am just saying aaaaaaaa versus something random with punctuation would take longer to crack. Are you saying that is not the case?

                              Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.

                              BRRABillB 1 Reply Last reply Reply Quote 0
                              • brianlittlejohnB
                                brianlittlejohn
                                last edited by

                                No matter what they say... length matters 😉

                                travisdh1T 1 Reply Last reply Reply Quote 1
                                • travisdh1T
                                  travisdh1 @brianlittlejohn
                                  last edited by

                                  @brianlittlejohn said:

                                  No matter what they say... length matters 😉

                                  Yes, I purposely went there. I'm heading home now, latter 😜

                                  1 Reply Last reply Reply Quote 0
                                  • BRRABillB
                                    BRRABill @travisdh1
                                    last edited by

                                    @travisdh1 said:

                                    Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.

                                    I also agree with that.

                                    I am just saying isn't

                                    thisisalongpassword

                                    weaker than

                                    thisisa@longpassword

                                    DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @BRRABill
                                      last edited by

                                      @BRRABill said:

                                      @travisdh1 said:

                                      Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.

                                      I also agree with that.

                                      I am just saying isn't

                                      thisisalongpassword

                                      weaker than

                                      thisisa@longpassword

                                      Yes, of course it is. but thisisalongpassword is way better than P@ssw0rd

                                      BRRABillB 1 Reply Last reply Reply Quote 0
                                      • BRRABillB
                                        BRRABill @Dashrender
                                        last edited by

                                        @Dashrender said:

                                        Yes, of course it is. but thisisalongpassword is way better than P@ssw0rd

                                        I originally was questioning @scottalanmiller that

                                        password
                                        and
                                        P@ssw0rd

                                        are the same to a computer.

                                        Not arguing anything here. Agree with it all.

                                        DashrenderD 1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender
                                          last edited by

                                          @Dashrender said:

                                          thisisalongpassword

                                          according to howsecureismypassword.com

                                          thisisalongpassword
                                          0_1458855493627_pass1.JPG

                                          and P@ssw0rd

                                          0_1458855525668_pass2.JPG

                                          1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @BRRABill
                                            last edited by

                                            @BRRABill said:

                                            @Dashrender said:

                                            Yes, of course it is. but thisisalongpassword is way better than P@ssw0rd

                                            I originally was questioning @scottalanmiller that

                                            password
                                            and
                                            P@ssw0rd

                                            are the same to a computer.

                                            Not arguing anything here. Agree with it all.

                                            He was over simplifying it, sure. But both would be in a pre defined dictionary which would take seconds to crack so he does have that on his side.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 10
                                            • 11
                                            • 2 / 11
                                            • First post
                                              Last post