
The chain breaks at its weakest link

It is no secret that the person who works with a system, and that person's frequently wrong actions, are the bottleneck in its security. The lion's share of "hacks" of supposedly ultra-secure systems amount to an intruder simply using your password to log in.

Today we will talk about how system administrators can dramatically reduce the security of a system through excessive zeal for that very security.

We have already written that the human brain and memory are remarkable things, but with a number of significant limitations. One of them is the very small amount of complex, unstructured, non-associative information a person can hold. Phone numbers are a good example (at least where they are not mapped onto letters, as is done in the USA), and so are the many meaningless passwords for various systems that have to be kept in mind all the time.

The situation is made worse when administrators impose an inhuman security policy: the password must be at least 9 characters long, it must be changed every three months, and, on top of everything, ATTENTION!, it must not resemble any of the 10 (ten!) previous ones.

What do we get from such an excellent policy? That's right: people write their passwords down wherever they can, just to remember them. The support desk gets calls along the lines of "I forgot my password, please send it to me." Then everything goes round in a circle: you receive a new meaningless password and either write it on your hand (how else would you remember "5_Aars$dfg5NRTd"?) or try to change it, which brings you back to the original problem. I have met quite a few people who, having several bank cards and using each of them twice a month, write the PIN codes almost on the card itself!

One can understand the constraints of banking networks and the situation of 1 card = 1 unique PIN, but why complicate the life of an ordinary user who starts the working day by logging into the domain?

Let me formulate a few rules which, if applied, keep the process of improving a system's security from descending into idiocy:

1) A regular password change increases access security by a fraction of a percent while having a very negative side effect. The policy should be built on that basis: rotation no more than once every 4-6 months, and the user may decline to change the password at any particular moment. That is, the system only offers to do it.

2) If the user wants to change the password, do not prevent them from entering a similar one. At most, point out that the new password is similar to the previous one and ask for a different one.

3) It is not necessary to require mandatory character groups in the password: special characters, punctuation and capital letters. Letters and digits are quite enough; if the user wants to make the password more complex, they will do it themselves, you can be sure of that.

4) And finally, password length. By the studies the author relies on, six characters is enough for a password that cannot practically be guessed. Note that this holds for an online login that throttles or locks out repeated attempts; against an offline attack on a leaked database of fast hashes, a six-character password falls quickly. Instead of a hard rule, use a simple hint system that tells the user when the password is too easy to guess. Fortunately, modern web technologies (Ajax, for example) let you do this elegantly. For desktop applications, the less said the better.

Here is an example from Google Apps:
[Image: Google Apps password strength meter]
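Below is an added example, not code from the original post or from Google Apps, of the two checks rules 2 and 4 describe: a client-side strength hint of the kind shown in the meter above, and a "too similar to the previous password" warning. The entropy thresholds, the small list of common passwords and the edit-distance cutoff are assumptions chosen for illustration; a real deployment would tune them and use a much larger common-password list.

```javascript
// Added example (not from the original post): a strength hint plus a
// similarity warning for a password-change form. All thresholds and the
// COMMON list are assumptions for illustration.

// Size of the character alphabet a brute-force attacker would have to cover.
function alphabetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII punctuation
  return size;
}

// Rough entropy in bits: length * log2(alphabet). This is an upper bound;
// dictionary words and keyboard patterns are far weaker than it suggests,
// which is why the common-password check below runs first.
function entropyBits(pw) {
  if (pw.length === 0) return 0;
  return pw.length * Math.log2(alphabetSize(pw));
}

// Constructed sample list; a real meter uses a list of millions of entries.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "111111"]);

// Rule 4: a hint shown next to the field, not a hard rule. Buckets are assumptions.
function strengthHint(pw) {
  if (COMMON.has(pw.toLowerCase())) return "too common";
  const bits = entropyBits(pw);
  if (bits < 30) return "weak";
  if (bits < 45) return "fair";
  return "strong";
}

// Levenshtein edit distance, to catch trivial edits such as
// "summer2023" -> "summer2024".
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Rule 2: only warn, never block. This runs at change time, when the user
// has just typed the old password, so no password has to be kept in clear
// for the comparison.
function tooSimilar(oldPw, newPw) {
  const a = oldPw.toLowerCase();
  const b = newPw.toLowerCase();
  if (a === b) return true;
  if (a.includes(b) || b.includes(a)) return true;
  return editDistance(a, b) <= 2; // cutoff is an assumption
}

// What the form would display for a proposed change.
function evaluateChange(oldPw, newPw) {
  return { hint: strengthHint(newPw), similar: tooSimilar(oldPw, newPw) };
}

console.log(evaluateChange("summer2023", "summer2024")); // strong by entropy, but similar
console.log(evaluateChange("summer2023", "5_Aars$dfg5NRTd"));
```

Both functions return a verdict rather than rejecting input, which is the point of rules 2 and 4: the page argues for hints the user can ignore, not for a policy that forces another unmemorable string and sends people back to writing passwords on their hands.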

Source: https://habr.com/ru/post/3799/
