The level of password strength required depends, in part, on how easy it is for an attacker to submit multiple guesses. Some systems limit the number of times a user can enter an incorrect password before a delay is imposed or the account is frozen. At the other extreme, some systems make a hashed form of the password available so that anyone can check a guess against it. When this is done, an attacker can try passwords very rapidly, and much stronger passwords are necessary for reasonable security. (See password cracking and password length equation.) Stricter requirements are also appropriate for accounts with higher privileges, such as root or system administrator accounts.
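The trade-off described above, as an added example that is not part of the original article: it computes the sustained guess rate an online attacker gets under a lockout policy, compares it with an assumed offline rate against an exposed hash, and derives the shortest uniformly random alphanumeric password whose whole keyspace cannot be exhausted within a chosen lifetime. The rates, delay, lifetime and character set are assumed illustrative values, not figures from the page.

```python
import math

# Illustrative assumptions (not figures from the page).
ONLINE_ATTEMPTS_BEFORE_DELAY = 5          # failures allowed before the system imposes a delay
ONLINE_DELAY_SECONDS = 15 * 60            # length of that delay
OFFLINE_GUESSES_PER_SECOND = 1e9          # assumed rate against an exposed, fast password hash
PASSWORD_LIFETIME_SECONDS = 365 * 86400   # one year of protection required
ALPHANUMERIC = 62                         # a-z, A-Z, 0-9

def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)

def throttled_guess_rate(attempts_before_delay: int, delay_seconds: float) -> float:
    """Sustained guesses per second an online attacker gets when the server
    delays after `attempts_before_delay` failures (best case for the defender)."""
    return attempts_before_delay / delay_seconds

def seconds_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every password of this length and alphabet."""
    return charset_size ** length / guesses_per_second

def min_length_for(charset_size: int, guesses_per_second: float, lifetime_seconds: float) -> int:
    """Shortest length whose whole keyspace cannot be exhausted within the lifetime.
    Only valid for uniformly random passwords; human-chosen ones fall far faster
    to dictionary guessing, so treat the result as a floor, not a target."""
    length = 1
    while seconds_to_exhaust(length, charset_size, guesses_per_second) < lifetime_seconds:
        length += 1
    return length

def compare_policies() -> dict:
    """Minimum alphanumeric length needed under throttled-online vs. offline guessing."""
    online_rate = throttled_guess_rate(ONLINE_ATTEMPTS_BEFORE_DELAY, ONLINE_DELAY_SECONDS)
    return {
        "online_throttled": min_length_for(ALPHANUMERIC, online_rate, PASSWORD_LIFETIME_SECONDS),
        "offline_hash": min_length_for(ALPHANUMERIC, OFFLINE_GUESSES_PER_SECOND,
                                       PASSWORD_LIFETIME_SECONDS),
    }

if __name__ == "__main__":
    for scenario, length in compare_policies().items():
        print(f"{scenario}: at least {length} alphanumeric characters "
              f"(~{entropy_bits(length, ALPHANUMERIC):.1f} bits)")
```

With these assumptions the throttled online case needs only 3 random characters to outlast a year of guessing, while the offline case needs 10; the gap is the reason exposed hashes demand much stronger passwords.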
Usability considerations
Password policies are usually a tradeoff between theoretical security and the practicalities of human behavior. For example:
- Requiring excessively complex passwords and forcing them to be changed frequently can cause users to write passwords down in places that are easy for an intruder to find, such as a Rolodex or post-it note near the computer.
- Users often have dozens of passwords to manage. It may be more realistic to recommend a single password be used for all low security applications, such as reading on-line newspapers and accessing entertainment web sites.
- Similarly, demanding that users never write down their passwords may be unrealistic and lead users to choose weak ones. An alternative is to suggest keeping written passwords in a secure place, such as a safe or an encrypted master file. The validity of this approach depends on what the most likely threat is deemed to be. While writing down a password may be problematic if potential attackers have access to the secure store, if the threat is primarily remote attackers who do not have access to the store, it can be a very secure method.
- Inclusion of special characters can be a problem if a user has to log on to a computer in a different country. Some special characters may be difficult or impossible to find on keyboards designed for another language.
- Some identity management systems allow Self Service Password Reset, where users can bypass password security by supplying an answer to one or more security questions such as "Where were you born?" or "What's your favorite movie?" Often the answers to these questions can easily be obtained by social engineering, phishing or simple research.
Other approaches are available that are generally considered to be more secure than simple passwords. These include use of a security token or one-time password system, such as S/Key.