Sunday, January 13, 2008

Changing passwords considered harmful for your health

When did you last change your car keys?
When did you last change your house keys?

Why do you want people to change their passwords?
Your house keys and car keys, asset-wise, are more valuable than your password, unless you are over 50 years old, at which point changing anything is pointless.

My point: people don't like change. Don't ask them to change their password.
A password is just a deterrent to stop someone from attempting something malicious.
Instead, apply server-side changes to detect malicious activity, or put compensating controls in place so the user is not hurt. There are options; try them first.
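One concrete form of the server-side detection and compensating controls argued for above, as an added example that is not part of the original post: rather than forcing rotation, the server watches its own authentication log, flags the patterns a guessed or stolen password produces (a burst of failures, a success right after that burst, a second success from a different address within minutes), and maps each finding to a control that protects the account without asking the user to change anything. The log format, the thresholds and the sample lines are all assumptions constructed for this example.

```python
"""Server-side login-anomaly detection with compensating controls.

Added example (not the blog's own code). The log format, thresholds and
sample lines are constructed assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (format assumed):
# <ISO timestamp> <FAIL|OK> <username> <source IP>
SAMPLE_LOG = """\
2008-01-13T10:00:01 FAIL alice 203.0.113.5
2008-01-13T10:00:03 FAIL alice 203.0.113.5
2008-01-13T10:00:04 FAIL alice 203.0.113.5
2008-01-13T10:00:06 FAIL alice 203.0.113.5
2008-01-13T10:00:07 FAIL alice 203.0.113.5
2008-01-13T10:00:09 OK   alice 203.0.113.5
2008-01-13T10:05:00 FAIL bob 198.51.100.7
2008-01-13T10:20:00 OK   bob 198.51.100.7
2008-01-13T11:00:00 OK   carol 192.0.2.10
2008-01-13T11:00:30 OK   carol 198.51.100.99
"""

# Thresholds are assumptions; tune them to the real login volume.
FAIL_THRESHOLD = 5                   # failures per account ...
FAIL_WINDOW = timedelta(minutes=1)   # ... inside this window = a burst
NEW_IP_WINDOW = timedelta(minutes=10)  # two IPs this close = suspicious

# Compensating controls that act on the server, not on the user's memory.
ACTIONS = {
    "failure_burst": "throttle source and lock account for a cooling-off period",
    "success_after_burst": "require step-up verification and notify the user",
    "new_ip_within_window": "notify the user and flag the session for review",
}


def parse_log(text):
    """Turn the raw log into (timestamp, result, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect(events):
    """Return (user, kind, detail) alerts for the three patterns described above."""
    alerts = []
    fails = defaultdict(list)      # user -> timestamps of failures inside FAIL_WINDOW
    successes = defaultdict(list)  # user -> (timestamp, ip) of successful logins
    for ts, result, user, ip in events:
        if result == "FAIL":
            # Keep only failures still inside the sliding window, then add this one.
            window = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            fails[user] = window
            if len(window) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append((user, "failure_burst",
                               f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW} from {ip}"))
        else:
            # A success immediately after a burst looks like a guess that landed.
            if len(fails[user]) >= FAIL_THRESHOLD and ts - fails[user][-1] <= FAIL_WINDOW:
                alerts.append((user, "success_after_burst",
                               f"login from {ip} right after a failure burst"))
            # Two successes from different addresses within minutes is worth a look.
            other = [i for t, i in successes[user] if ts - t <= NEW_IP_WINDOW and i != ip]
            if other:
                alerts.append((user, "new_ip_within_window",
                               f"login from {ip} shortly after {other[-1]}"))
            successes[user].append((ts, ip))
    return alerts


def recommended_actions(alerts):
    """Map alerts to per-user compensating controls; the user changes nothing."""
    plan = defaultdict(set)
    for user, kind, _detail in alerts:
        plan[user].add(ACTIONS[kind])
    return dict(plan)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for user, kind, detail in found:
        print(f"{user:6} {kind:22} {detail}")
    for user, actions in recommended_actions(found).items():
        print(user, "->", "; ".join(sorted(actions)))
```

On the constructed log this flags alice twice (a five-failure burst, then a success two seconds later) and carol once (two successes from different addresses thirty seconds apart), while bob's single typo followed by a normal login stays quiet. The point of the `recommended_actions` layer is that every response is something the server does; none of them is "make the user pick a new password".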

Most people end up using 3-4 passwords for pretty much everything. Remember, 4 ± 3 is the magic number of things you can remember; this applies to passwords as well.

Welcome to fusec

My goal for this blog is to promote fundamental changes in computer security by applying a business viewpoint. The aim is to get rid of some of the common practices that exist within the industry, as most people have started "quoting" web sites in their decision making.
Why fusec? In honor of Fubar (Foobar).