From: Bill Longman
Date: Wed, 11 Aug 2010 15:11:12 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords
Message-ID: <4C632000.7020800@gmail.com>
In-Reply-To: <201008112230.26977.alan.mckinnon@gmail.com>

On 08/11/2010 01:30 PM, Alan McKinnon wrote:
> I refuse to implement password expiration policies and have a vast array of
> literature to back me up when some dimwit damager gets on his expiration high
> horse.
>
> My users pick their own passwords - I present a list of 5 from apg and let
> them pick one. Accounts do expire if they go unused for 90 days, but not
> passwords.
>
> What put me onto this policy? I found Gartner recommending password
> expiration. I find the best security possible is always the opposite of what
> Gartner says. Discovering how the AD admins in the company go about their jobs
> was the convincing straw :-)

The bigger buggerboo I see is the "password complexity" [il]logic. There's this vapid requirement of all these different types of characters needed in one's password, yet the thing you really want to enforce is adequate entropy. If my password is an entire sentence, it will not be brute-forced, even if I used just ASCII A-z. There's just too much key space in 4.7^32. At 10^5 attempts per second, you're likely to find the answer in half a billion years. I hope your keyboard still works, let alone exists...
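The key-space argument in the reply above, worked through as an added example (not code from the thread or from Gentoo): it computes entropy and expected exhaustive-search time at the 10^5 guesses/second rate the post uses, and contrasts that with a typical "three character classes" complexity check. The alphabet sizes (94 printable ASCII, 26 lower-case letters), the rule in `meets_complexity_rule`, and the sample passwords are constructed assumptions.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def expected_crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password by exhaustive search.

    On average half of the key space has to be tried before the right one turns up.
    """
    return (alphabet_size ** length / 2) / guesses_per_second / SECONDS_PER_YEAR


def meets_complexity_rule(password: str) -> bool:
    """Assumed, typical 'at least 8 chars and 3 of 4 character classes' rule.

    It accepts short, predictable strings and rejects a long all-letter sentence,
    which is exactly the mismatch with entropy the post complains about.
    """
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= 8 and sum(classes) >= 3


def compare(guesses_per_second: float = 1e5) -> dict:
    """Contrast an 8-char 'complex' password with a 32-letter lower-case sentence.

    Returns policy name -> (entropy bits, expected years to brute-force).
    """
    policies = {
        "8 chars, 94 printable ASCII": (94, 8),
        "32 chars, 26 lower-case letters": (26, 32),
    }
    return {name: (entropy_bits(a, n), expected_crack_years(a, n, guesses_per_second))
            for name, (a, n) in policies.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name}: {bits:.1f} bits, ~{years:.3g} years at 1e5 guesses/s")
    print("Password1! passes complexity rule:", meets_complexity_rule("Password1!"))
    print("sentence passes complexity rule:",
          meets_complexity_rule("my dog eats the newspaper every morning"))
```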