I'm quite happy to tell users to write down their passwords and store them in their wallet/purse. Just don't write down the whole password. Pick a character (£$%*& etc.), shove that in there and remember where, but don't write that bit in.
Generally people take reasonable care of wallets and purses and even if it gets lost the restricted number of attempts will foil anyone trying to guess the password manually.
Myself, I build passwords from [word1][date of reset][word2].
That followed on from a conversation with a pen tester where he outlined that it was very easy to break password hashes where a dictionary word had a number at the end.
Breaking up a word or two words with a number or symbol made it far harder to crack.
The advice from CESG follows the GDS mindset, which is to place responsibility on end users, i.e. here you trust them by not enforcing password resets.
But you are trusting them to choose strong passwords, to care for those passwords and to monitor users within your environment.
Reality is that a significant number of users are lazy shits that don't give a toss and will happily have crap passwords that don't change, write them down everywhere and the management will refuse to pay for the product or person needed to monitor users.