Pass the Chocolate
Scott Granneman, 2004-05-26

For the 70% of the population that will trade their computer password for a bar of chocolate, this one's for you.

Pass the Chocolate 2004-05-27
pthread (1 replies)
Pass the Chocolate 2004-06-01
Anonymous
Pass the Chocolate 2004-05-27
Dominic Cronin
Pass the Chocolate 2004-05-27
Anonymous (1 replies)
Pass the Chocolate 2004-05-28
microchp
Pass the Chocolate 2004-05-27
N. Alan
Does password best practice really improve security? IT Security staff the world over advise their organisations to use complicated mixed case passwords; we then require these passwords to be changed every 30 days. This means that staff either write them down or call the help desk to get them reset. Most large organisations have Intrusion Lockout enabled so that the individual has 3 or 4 attempts to log in and then their account is locked; this effectively mitigates the brute force attack risk. (I am aware that password files can be captured and brute force attacks be run against those files, but that type of high knowledge attack isn't what we are attempting to prevent with password guidance.) Where there is no Intrusion Lockout, passwords do need to be complicated; however, is it really necessary that we have 10 character passwords with mixed case and special characters, that change every 30 days, and just for good measure, if you type it in wrongly three times, we are going to lock you out? This just forces the individual to write the password down in a handy place. The end result is that our "best advice" actually increases our security risk.


Link to this comment: http://www.securityfocus.com/comments/columns/245/26473#26473
Pass the Chocolate 2004-05-27
Anonymous
Pass the Chocolate 2004-05-27
Anonymous (1 replies)
Pass the tequila 2004-05-27
Mene Tekel
Pass the Chocolate 2004-05-27
Anonymous
Pass the Chocolate 2004-05-27
E. de Jong
WRITE them passwords down... 2004-05-27
Nicholas Weaver
Pass the buck 2004-05-27
Mene Tekel (1 replies)
Pass the buck 2004-06-01
Anonymous
Pass the Chocolate 2004-05-28
Anonymous
Pass the Chocolate 2004-06-01
Tommy Ward (2 replies)
Pass the test 2004-06-03
Mene Tekel
Re: Pass the Chocolate 2006-11-28
Anonymous (1 replies)
Re: Re: Pass the Chocolate 2007-06-15
Anonymous
Pass the Chocolate 2004-06-02
steeef
Pass the Chocolate 2004-06-06
Anonymous







 

Copyright 2009, SecurityFocus