Choosing passwords

On November 13, 2004, in Security, by

So I’m building my new baby [umm server] and I get to the part where you have to enter the password and because this is a HP machine that I”ve used the HP setup wizard on [yup just seeing how this will go] and I’ve set up a password on the HP web admin AND a password on the Windows part.  I was just up in Redmond and one of the presentations given to us was on Passwords. 


The background can be found here, here and here.


So I purposely chose a longer than 14 character password for the Administrator account.  I made sure that it following the rule of complexity, This is the admin’s account and I wanted to make sure that sucker was long and complex.  The admin’s account is a target and you really shouldn’t be logging into your server on a regular basis like this anyway so set it up right.  There’s a listing on this page of the most common passwords used.  Make sure yours is not on there for a start.


Next it was interesting to find another password on this machine I wasn’t expecting.  This model has an integrated lights out model and IT has a password.  Me, being the paranoid person that I am made sure that I checked Secunia’s web site for public vulnerabilities.  See what going to a Microsoft Security Summit has done to my paranoia level?  Definitely knocked it up a notch …or two… or three. 


I know that I“m also looking forwarded to checking out the RSA secure offerings for small businesses.  At the summit, the point was also made that the problem with biometrics was once they were “compromised“ it wasn’t easy to reissue a new one.  Thus secondary authentication with a physical device was actually, in the long run, better than “who you are“.  Remember the forms of authentication?  What you know [passwords], what you have [smart cards], who you are [biometrics].


I’m also reminded of the bogus security issue about blank passwords that was posted to a security list.  That may not be a bad thing as is stated here:


“Remote users cannot authenticate by using an account that has a blank password. This authentication is configured separately.“


Ever notice how one person’s best practice is another person’s idea of a dumb thing to do?  I keep getting the feeling these days that following “best” isn’t good enough.  Doing your own risk analysis is the right thing to do.

 

Comments are closed.