[Discuss] deadmanish login?

Kent Borg kentborg at borg.org
Tue Jan 31 08:48:37 EST 2017


On 01/31/2017 08:23 AM, Grant NAPC wrote:
> I agree with Kent, although I do believe you should rotate your
> password at some reasonable interval. We do enforce password rotation
> and a mix of alphanumeric/symbols at my company.

Here is an idea: Don't let users set their own passwords. That way you 
can be sure you aren't being fed that user's Ashley Madison or Yahoo 
password. This won't prevent password reuse in the other direction, 
unfortunately.

"15-ladder-bamboo-sierra" is an easy password to remember and type, yet 
it has 40 bits of entropy. Even if some bizarrely configured sshd 
allowed 1000 attempts per second (which they don't) it would still take 
over 18 years to try half the combinations.

02-alex-smile-metro, 5b-mile-sleep-school, ea-mercy-copy-pizza...

-kb
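As an added illustration, not part of Kent's message or any tool he describes, the following script puts numbers behind the passphrase format above: a two-character prefix followed by three dash-separated words. It assumes the prefix is a hex byte (256 values, 8 bits; "02", "5b" and "ea" fit that reading) and that each word is drawn uniformly and independently from a fixed list; the word list and its size are therefore an assumption, and the short `DEMO_WORDS` list below is constructed for the demonstration only. It computes the entropy of the format, the word-list size needed to reach a target entropy, the expected brute-force time at a given guess rate, and generates a server-assigned passphrase with the CSPRNG so the user never chooses it.

```python
import math
import re
import secrets

# Constructed demonstration word list (NOT the list behind the passphrases
# in the post). A real deployment would use a list of a few thousand
# common, easily typed words.
DEMO_WORDS = [
    "ladder", "bamboo", "sierra", "alex", "smile", "metro", "mile", "sleep",
    "school", "mercy", "copy", "pizza", "river", "candle", "orbit", "maple",
]

# Shape of the format under discussion: hex byte, then three words.
PASSPHRASE_RE = re.compile(r"^[0-9a-f]{2}(?:-[a-z]+){3}$")


def entropy_bits(wordlist_size, n_words=3, prefix_space=256):
    """Entropy of one prefix drawn uniformly from `prefix_space` values
    followed by `n_words` words drawn uniformly and independently from a
    list of `wordlist_size` entries."""
    return math.log2(prefix_space) + n_words * math.log2(wordlist_size)


def words_needed_for(target_bits, n_words=3, prefix_space=256):
    """Smallest word list that reaches `target_bits` with this format."""
    per_word = (target_bits - math.log2(prefix_space)) / n_words
    return math.ceil(2 ** per_word)


def years_to_search_half(bits, guesses_per_second):
    """Expected brute-force time: searching half of a 2**bits space at the
    given rate, expressed in (Julian) years."""
    seconds = 2.0 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 86400)


def generate_passphrase(wordlist=DEMO_WORDS, n_words=3):
    """Server-side generation with the OS CSPRNG (the `secrets` module),
    so the user never picks, and therefore cannot reuse, the password."""
    prefix = "%02x" % secrets.randbelow(256)
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return "-".join([prefix] + words)


if __name__ == "__main__":
    print("bits with the 16-word demo list:", entropy_bits(len(DEMO_WORDS)))
    print("words needed for 40 bits:", words_needed_for(40))
    print("years to search half of 2**40 at 1000/s: %.1f"
          % years_to_search_half(40, 1000))
    print("sample passphrase:", generate_passphrase())
```

With the 16-word demo list the format only yields 20 bits; reaching the 40 bits quoted in the post takes a list of about 1626 words, which is why the list size, not the dashes or the prefix, is what the strength of this scheme rests on.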
