On Wed, July 29, 2015 4:16 pm, Chris Murphy wrote:
> On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote:
>> Just because one particular method of prophylaxis fails to protect
>> against all threats doesn't mean we should stop using it, or increase
>> its strength.
>
> Actually it does. There is no more obvious head butting than with
> strong passwords vs usability. Strong login passwords and usability
> are diametrically opposed.
>
> The rate of brute force attack success is exceeding that of human
> ability (and interest) to remember ever longer more complex passwords.
> I just fired my ISP because of the asininity of setting a 180
> compulsory expiration on passwords.
>
> Now I use Google. They offer MFA opt in. And now I'm more secure than
> I was with the myopic ISP.

"More secure" only to the level one can trust google ;-)

Just my $0.02

Valeri

>
> Apple and Microsoft (and likely others) have been working to deprecate
> login passwords for years - obviously they're not ready to flip the
> switch over yet, it isn't an easy problem to solve, but part of why
> they haven't had more urgency is because they are doing a lot of work
> on peripheral defenses that obviate, to pretty good degree, the need
> for strong passwords, relegating the login password to something like
> "big sky theory" - it's safe enough to tolerate very weak passwords
> in most use cases. The highest risk, by a lot, is from a family
> member.
>
> I'm not arguing directly against strong passwords as much as I'm
> arguing against already unacceptable usability problems resulting from
> stronger password policies, because it doesn't scale. Making policies
> opt out let alone compulsory is unacceptable. Even as the policies
> get stronger people's trust in password efficacy relating to security
> continues to diminish.
>
>
> --
> Chris Murphy
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++