http://tonyandrewmeyer.com/tags/policy/Recent content in Policy on Tony Andrew MeyerHugoen-nzTue, 03 May 2011 20:04:11 +1200http://tonyandrewmeyer.com/2011/05/03/why-3-tries-and-youre-locked-weakens-security/Tue, 03 May 2011 20:04:11 +1200http://tonyandrewmeyer.com/2011/05/03/why-3-tries-and-youre-locked-weakens-security/<p><a href="http://northtec.ac.nz">Some organisations</a> have a security policy that after three failed authentication attempts an account is locked (requiring manual unlocking by an IT support person) - the goal is to strengthen security, but this actually <em>decreases</em> the security of the organisation. The intent of a policy like this is to prevent brute-force attacks - if you&rsquo;re limited to three attempts per account before intervention by a human is required, then brute-forcing an account is no longer practical.  However, there are better ways of preventing a brute-force attack, for example:</p>http://tonyandrewmeyer.com/2008/04/04/massey-university-out-of-touch-with-the-real-world/Fri, 04 Apr 2008 20:37:15 +1200http://tonyandrewmeyer.com/2008/04/04/massey-university-out-of-touch-with-the-real-world/<p>A policy on passwords like <a href="http://policyguide.massey.ac.nz/massey/about-us/profile/policy-guide/policies/information-technology/electronic-password-policy.cfm">the one that Massey University has</a> is worse than no policy at all.  Of course, when I was there, they f<a href="http://www.massey.ac.nz/~tameyer/writing/insecure.html">orced students to have a four-digit number as their password</a>, despite the fact that doing so violated their own policy, so I guess it&rsquo;s expected that this will be ignored. Particularly bad parts: passwords should</p> <blockquote> <p>Contain both upper and lower case characters [and] at least one digit and one punctuation character.</p>