July 25, 2006 | Comments: (0)
Comments on my Password Length column
I've received nearly 100 emails regarding my password length column.
I'll post the most interesting ones.
------------------
Hi Roger,
While there are a lot of arguments about length vs. style, and you
should hear lots of them, here's the issue for most public corporations:
Password complexity, uniqueness-over-time, etc. are determined by
whatever auditor was hired for Sarbanes-Oxley compliance. As long as we follow the recommendation of this, probably security-inexperienced (at least at first) auditor, the top managers stay out of jail. On the other hand, if we followed your thinking, and got hacked (because a user can't remember a 31-character password, one of several that change every 90 days or so), the top managers may go to jail.
I guess it's corporate security vs. the management's personal security.
I think I'd choose the same way most companies do.
Regards,
Jim Hendrickson
----------------
Posted by Roger Grimes on July 25, 2006 05:12 PM