hayabusa wrote: You're absolutely right. But I think you're a bit harsh on the rebuttal towards j0rDy, El33tsamurai. I don't think he intended it quite the way you took it. By "enforce it", I'm certain he meant having systems and policies in place to not allow weak passwords.
That said, this is exactly why both companies and government agencies alike need better security postures, and training, guided by folks who do understand the ins and outs of "real" security.
You are right, hayabusa, that's exactly how I meant it. A security awareness training once a year won't hurt anyone, and implementing policies and guidelines along with applications that just don't allow weak passwords (when you enter one you get a message that the password is too weak and you have to choose another one) might be considered annoying, but given the news items lately it has become mandatory to do so.
If you look at recent developments in password cracking, depending on the cracking and hashing method, an eight-character password containing all possible characters takes about a day if you have "just" a high-end workstation. After that it becomes significantly longer (nine takes about a week and ten takes 20 years or something), so if you want to protect valuable information, I think you know what to do.
Hey man, I am sorry if I came off harsh. Also, on this note, I think security awareness should be going on all the time. You should have posters made and put up all over the place, e.g. http://www.infosecuritylab.com/index.php?page=9
This will make people smile as they walk by and be more likely to remember the message. Have the positions changed once a month so the same people are looking at different posters all the time. Have a security intranet website or newsletter where people can go and get updates about infosec. Give away things like pens, mugs, mouse pads, etc. to people who are security conscious, if the budget allows for it. Then have training sessions once every 6 months or year, but make them fun so people will want to come, not just a PowerPoint and a lecture. The more fun you make it, the more people will want to do it.
CCENT, A+, Network+, Security+