Reply to post: Re: Don't Just Blame Users

Just give up: 123456 is still the world's most popular password

Martin an gof Silver badge

Re: Don't Just Blame Users

There was a time when lame passwords could be used to protect accounts for sites with mundane content.

Social engineering starts with the content and posts on mundane forums

But you don't need a password to slurp that information. On these very forums, so long as you can tie a user name to a real name (i.e. you are sure that the "John Smith" you are stalking is definitely "BigBiceps" online) all you have to do is click on that user name and, hey presto, a complete history of all their posts ever. No passwords involved. Easy to search.

On El Reg, having a password gets you into the "edit my details" bit which if you don't already have the real name and real email address will give you those details, and maybe others if they have been filled in.

I do not understand enforced weak password policies (as have been described above), but my personal beef is with enforced password change policies, at least those that mandate change too often. Regular enforced password changes drive ordinary people down the route of choosing easy-to-remember password sequences that just avoid tripping the system rules. I know of one system which has half-sensible rules (>7 chars, mixed case, special characters and digits mandated, no repetition of passwords) but then mandates changes every six weeks (could be worse, I suppose), which leads to a lot of people using passwords along the lines of "Pa$$word01" followed by "Pa$$word02".

A "strong" password is called that because it is unlikely to be in any rainbow tables, isn't in a dictionary, is difficult to guess, and difficult to brute-force. It doesn't become any easier to guess over time, so why enforce such a short shelf-life? By all means change it occasionally, and definitely if there is any suspicion it's been compromised, but...

M.
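As an added example (not from the post above, nor from The Register), here is a small Python password-change validator that implements the composition and no-reuse rules the post describes and then adds the check those rules lack: rejecting a new password that is merely the previous one with its trailing counter bumped (the "Pa$$word01" to "Pa$$word02" pattern). The password history and the 0.8 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample history of a user's previous passwords (assumption).
HISTORY = ["Pa$$word01", "Pa$$word02"]


def meets_composition_rules(pw: str) -> bool:
    """The rules the post lists: >7 chars, mixed case, a digit, a special character."""
    return (len(pw) > 7
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def strip_trailing_digits(pw: str) -> str:
    """Drop a trailing counter such as the '01' in 'Pa$$word01'."""
    return re.sub(r"\d+$", "", pw)


def is_sequential_variant(new: str, old: str, threshold: float = 0.8) -> bool:
    """True when `new` is `old` with only its trailing counter changed, or is
    otherwise near-identical (case-insensitive character similarity >= threshold).
    The threshold value is an assumption chosen for this example."""
    if new != old and strip_trailing_digits(new) == strip_trailing_digits(old):
        return True
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def accept_new_password(new: str, history: list[str]) -> tuple[bool, str]:
    """Apply the posted rules first, then the variant check the post shows is missing."""
    if not meets_composition_rules(new):
        return False, "composition"
    if new in history:
        return False, "reused"
    for old in history:
        if is_sequential_variant(new, old):
            return False, "variant_of_previous"
    return True, "ok"


if __name__ == "__main__":
    # "Pa$$word03" satisfies every posted rule yet is rejected as a counter bump.
    for candidate in ["Pa$$word03", "Pa$$word02", "short1!", "correct-Horse-7battery"]:
        print(candidate, accept_new_password(candidate, HISTORY))
```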
