[Cryptography] best practices considered bad term

Bill Frantz frantz at pwpconsult.com
Mon Feb 2 00:43:54 EST 2015


On 2/1/15 at 8:22 PM, leichter at lrw.com (Jerry Leichter) wrote:

>On Feb 1, 2015, at 10:56 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>>> So it's certainly a rain dance, but I wouldn't say it's for avoiding security,
>>> it's for avoiding liability, a la "no-one ever got fired for buying IBM".
>>This statement encapsulates the real value of "best practices". If you follow them, you won't get
>>fired.
>Is there some truth to this assertion?  Sure.  But consider the 
>same discussion about the National Electrical Code.  It's a 
>bunch of rules - no justifications or arguments, mind you, just 
>rules.  If you follow the rules, you won't have trouble getting 
>your town's electrical inspector to approve your work.  Or ... 
>you can do it your own way and get into infinite arguments.

Well, there are some important differences between best 
practices in security and the NEC. The NEC has the force of law 
for one. When I first started doing electrical work I was 
fortunate to find a version of the code which had been annotated 
with the reasons for the provisions, very useful for my style of learning.

Another difference is that following the NEC is not always enough to 
keep you out of trouble with the local building inspector. At 
the time I started, San Francisco's rules forbade the use of 
Romex plastic electrical cable. The effect was that everyone ran 
conduit and then pulled wires. This rule kept the local 
electrical workers' union quite happy. About the time I moved 
out of the city, they had changed the rules under fire from the 
federal housing department which was tired of spending too much 
money building in San Francisco. They changed the rules to allow 
Romex in federally assisted housing, but nowhere else.

And, of course, the best practices NEC will probably result in a 
house that doesn't have enough electrical outlets. This is very 
similar to the question about how long an RSA key to use. Old 
guidance tends to live on beyond its time. We need a lot more 
outlets now than are required by the code.

In security best practices we have the debate on how often to 
change passwords. The original guidance of once a month was 
based on the thought that a brute force attack on the password 
file would take about two months. I think the current guidance 
is every 3 months. HP recently changed from once a year to once 
every 3 months to follow this best practice. They also reduced 
the minimum password length from 12 to 8 characters so the more 
transient passwords would be easier to remember. Is that a 
change for better security? YMMV.

Indeed, anyone trying to set up a security policy should look at 
best practices and try to understand why each item is being 
recommended. This examination will require a knowledgeable 
individual since the examination will have to determine if the 
practice matches current reality, and if there are any other 
important factors that are not covered by the best practice.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | "The only thing we have to   | Periwinkle
(408)356-8506      | fear is fear itself." - FDR  | 16345 Englewood Ave
www.pwpconsult.com | Inaugural address, 3/4/1933  | Los Gatos, CA 95032
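The rotation-versus-length trade-off in the post (monthly rotation justified by a roughly two-month brute-force time; HP moving to quarterly rotation while cutting the minimum length from 12 to 8) can be put into numbers with the same model the post uses: rotation only helps if the password is replaced before an attacker can exhaust its keyspace. The following is an added example, not code from the post or the list; the 62-symbol alphabet, the 1e9 guesses/second offline cracking rate, and the two policy definitions are all assumptions chosen for illustration, and the functions take any length, alphabet, rate and rotation interval so other policies can be compared the same way.

```python
"""Compare password policies under a simple brute-force model.

Added example (not part of the original post). Assumptions, for
illustration only:
  - passwords are drawn uniformly from a 62-symbol alphabet (a-z, A-Z, 0-9)
  - the attacker has the password file and tests 1e9 guesses per second
  - the attacker starts guessing the moment the password is set
"""
import math

ALPHABET_SIZE = 62          # assumed: letters and digits only
GUESS_RATE_PER_SEC = 1e9    # assumed offline cracking rate
SECONDS_PER_DAY = 86_400


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """log2 of the keyspace: the usual 'bits of entropy' figure."""
    return length * math.log2(alphabet)


def days_to_exhaust(length: int, rate: float = GUESS_RATE_PER_SEC,
                    alphabet: int = ALPHABET_SIZE) -> float:
    """Days the attacker needs to try every password of this length."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_DAY


def fraction_searched(length: int, rotation_days: float,
                      rate: float = GUESS_RATE_PER_SEC,
                      alphabet: int = ALPHABET_SIZE) -> float:
    """Share of the keyspace the attacker covers before rotation, capped at 1.0.

    A value of 1.0 means rotation happens too late to matter: the whole
    space was searched while the password was still valid.
    """
    guesses = rate * rotation_days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(length, alphabet))


def compare_policies(policies: dict) -> dict:
    """Evaluate {name: (length, rotation_days)} and return one summary per policy.

    'rotation_beats_brute_force' is the post's criterion: the rotation
    interval is shorter than the time needed to exhaust the keyspace.
    """
    results = {}
    for name, (length, rotation_days) in policies.items():
        exhaust = days_to_exhaust(length)
        results[name] = {
            "bits": round(entropy_bits(length), 2),
            "days_to_exhaust": exhaust,
            "fraction_searched": fraction_searched(length, rotation_days),
            "rotation_beats_brute_force": rotation_days < exhaust,
        }
    return results


if __name__ == "__main__":
    # Constructed policies mirroring the two mentioned in the post.
    POLICIES = {
        "12 chars, yearly rotation": (12, 365),
        "8 chars, quarterly rotation": (8, 90),
    }
    for name, row in compare_policies(POLICIES).items():
        print(f"{name}: {row['bits']} bits, "
              f"exhausted in {row['days_to_exhaust']:.3g} days, "
              f"{row['fraction_searched']:.2%} searched before rotation, "
              f"rotation helps: {row['rotation_beats_brute_force']}")
```

Under these assumptions the 8-character space (about 47.6 bits) is exhausted in roughly two and a half days, so a 90-day rotation buys nothing, while the 12-character space (about 71.5 bits) would take tens of millions of days, so the yearly policy is the stronger of the two by a wide margin. The numbers change with the assumed guess rate and alphabet, which is exactly the "does the practice match current reality" check the post asks for.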