Coalminer22 Posted January 16, 2014

The safe length of a password keeps growing, and we are considering possibly increasing the length by one every year, probably till infinity, as computers keep getting more powerful at cracking passwords. If users can't remember passwords they will form bad habits like writing them down...

...Long term this seems like a losing strategy. I can't be the only one thinking this, so what are other people doing?

First rule of Security: it has to be usable or security won't be used.
Second rule of Security: there are no rules.. lol

So anyway, back on topic: personally I like the idea of moving straight to a 24-character password today, with an added login option for two-factor where the user only needs a token of some type and a short PIN.

What are others using, and what works? (What doesn't work?)

Target: Citrix desktops, laptops, and iPhone

Thoughts:
Leverage existing proximity cards
Fingerprint scanners
Iris scanners ($$)
Smart card readers
RSA: currently we have RSA in limited use, but it seems unproductive to wait for the token and then enter it in; a faster and easier user experience would be more ideal
Price: cheaper solutions are obviously easier to sell, but usability and security are more important
awskier08 Posted January 16, 2014

username = random digits
password = password + RSA
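The "short PIN plus a token code" login that Coalminer22 describes, and the "password + RSA" concatenation awskier08 sketches, is the SecurID-style passcode: the user types a memorised PIN immediately followed by the number currently shown on the token. As an added example that is not part of either post, here is how such a passcode is generated and checked with the open standards most hardware and phone tokens implement today, HOTP (RFC 4226) and TOTP (RFC 6238). The verifier class and its name are hypothetical helpers written for this thread, not any vendor's API; the shared secret is the RFC test-vector key, used only so the code reproduces the published values offline.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment provisions a random secret per token; this constant exists only so
# the example reproduces the published vectors without a network or a real token.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits, algo)


class PinPlusTokenVerifier:
    """Hypothetical server-side check for a SecurID-style passcode: the user's
    short PIN immediately followed by the current token code, e.g. "1234" + "94287082".

    Two details a practitioner would insist on are built in: every comparison is
    constant-time, and a time step that has already been consumed is never accepted
    again, so a shoulder-surfed or replayed passcode is useless (RFC 6238 section 5.2).
    """

    def __init__(self, pin: str, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.pin = pin
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window      # accept +/- this many steps of clock drift
        self.last_counter = -1    # highest time step already used for a login

    def verify(self, passcode: str, unix_time: int) -> bool:
        if len(passcode) != len(self.pin) + self.digits:
            return False
        pin_part = passcode[:len(self.pin)]
        code_part = passcode[len(self.pin):]

        # Check the PIN in constant time, but do not return early: the token
        # comparison runs either way so the timing does not reveal which half failed.
        pin_ok = hmac.compare_digest(pin_part.encode(), self.pin.encode())

        counter = int(unix_time) // self.step
        matched = None
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code_part.encode()):
                matched = candidate   # keep looping rather than break (timing)

        if not pin_ok or matched is None:
            return False
        if matched <= self.last_counter:
            return False              # replay: this step (or an older one) was already used
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Stand-alone demo: reproduce an RFC 6238 vector, then show the replay guard.
    print("TOTP at t=59 (RFC 6238 vector):", totp(RFC_TEST_KEY, 59, digits=8))
    verifier = PinPlusTokenVerifier("1234", RFC_TEST_KEY, digits=8)
    print("first use accepted:", verifier.verify("123494287082", 59))
    print("same passcode again:", verifier.verify("123494287082", 59))
    print("live code right now:", totp(RFC_TEST_KEY, int(time.time())))
```

The PIN is what makes this two-factor rather than one: the token alone yields only the rotating code, and the code alone is worthless without the PIN. In a real system the PIN would be stored as a salted hash rather than in clear, and the window should stay at one step (30 seconds either side) unless measured token drift forces it wider, since every extra step accepted multiplies an attacker's odds of guessing a 6-digit code.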
spiky3mike Posted February 6, 2014

Why not use memory sticks and a bit of software? When the user leaves the machine they unplug the stick, which locks it, and when they return they simply reinsert the stick into the machine. Now this may not work if you have removable devices disabled by a group policy. This is just one idea to bounce off you, but it is a good question.
jaguiar Posted February 26, 2014

Hi Hackling,

Ah, the dreaded "more security = less security" dilemma has plagued us IT guys for decades. Two-factor authentication is definitely the right path, but you have to keep it simple or else it won't be used (or, as you said, written down, aaahhh).

I have found that if my users can just remember one solid password and use LastPass with a YubiKey, their lives (as well as mine) can be better ones :) . Now, certain timeout adjustments should be made to the LastPass settings depending on the user (i.e., if the user doesn't touch the keyboard for X minutes, LastPass automatically logs them out and they have to perform the TFA again).

I've been using LastPass with a YubiKey for some time now and am very happy with the results. Those few times that I leave my YubiKey at home really show me how secure my passwords really are.

I hope this reply helps you!