How long your password needs to be to really thwart hackers
<blockquote data-quote="cluberti" data-source="post: 48326" data-attributes="member: 39"><p>The best way is to use hardware as part of the hash (like smart cards or RSA keys) to keep them more secure. However, with attacks in the vein of pass the hash, for instance, if an attacker can get on the network and sniff for a while, he or she doesn't even really need your password anymore. Focusing on secure passwords is, in my opinion, no longer a wise thing to really focus on as intently as one may have 10 years ago. Secure endpoint traffic with IPsec and implement hardware tokens and your network will be far more secure than simply implementing 11 or more char passwords, in all honesty. Hacking has moved past the password, and I think it's time net admins started realizing this and doing more to protect the network itself, where most environments are still sorely lacking. We call those candy-bar networks - crunchy and hard on the outside, but chewy and easy to get through once you're inside. I'm not saying using simple passwords is OK, but I find a lot of security folks who just make password complexity difficult and buy products to scan and encrypt endpoints, when the real vulnerabilities lie between them. Also, tokens or smart cards implement multiple layers of good security - what you have (token/card) and what you know, and without both the password or token granting access itself is much more difficult to gain. That doesn't mitigate things like hash attacks though, which is why candy-bar networks are still the problem, and stronger passwords do nothing to mitigate more advanced attacks.</p></blockquote><p></p>