[lug] Application Password Security

Bear Giles bgiles at coyotesong.com
Mon Jun 20 18:29:43 MDT 2016

That's from 2010. There are a few big differences:

1. We have OAUTH. Pretty much all non-commercial sites should just deter to
Facebook, Google, and perhaps one or two other sites. Not Facebook alone -
not everyone wants Every. Single. Thing. they do online tracked. Do that
and a lot of password headaches go away.

2. We have MFA for sites that want higher security. There's a standard
protocol implemented by Google Authenticator and other phone apps and
hardware dongles. Any site that needs real security should make this an
option. It's not as important that the passwords themselves be rock solid.

3. The banks have demonstrated some other MFA approaches. For instance you
have to respond to an SMS message to a registered phone number. Once you've
done this you have the option to "remember this computer" and the bank will
give you a longer-lived cookie but you always have the option of disabling
it and requiring the message.  (There are also things like asking the user
if they recognize an image or phrase - that's a good way to do mutual

Put them together and the need to change passwords is reduced since it's no
longer the only factor.

On the other hand some groups mandate password strength and validity
periods. E.g., I think if any part of your organization follows PCI-DSS
(for credit card info) then everyone has to follow those rules. Security is
only as strong as the weakest link and all that.

On Mon, Jun 20, 2016 at 5:53 PM, Rob Nagler <nagler at bivio.biz> wrote:

> FWIW, here's what Schneier has to say about password changing:
> https://www.schneier.com/blog/archives/2010/11/changing_passwo.html
> Rob
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20160620/14bfb67a/attachment.html>

More information about the LUG mailing list