[Cryptography] best practices considered bad term
Bill Frantz
frantz at pwpconsult.com
Mon Feb 2 00:43:54 EST 2015
On 2/1/15 at 8:22 PM, leichter at lrw.com (Jerry Leichter) wrote:
>On Feb 1, 2015, at 10:56 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>>> So it's certainly a rain dance, but I wouldn't say it's for avoiding security,
>>> it's for avoiding liability, a la "no-one ever got fired for buying IBM".
>>This statement encapsulates the real value of "best practices". If you follow them, you won't get
>>fired.
>Is there some truth to this assertion? Sure. But consider the
>same discussion about the National Electrical Code. It's a
>bunch of rules - no justifications or arguments, mind you, just
>rules. If you follow the rules, you won't have trouble getting
>your town's electrical inspector to approve your work. Or ...
>you can do it your own way and get into infinite arguments.
Well, there are some important differences between best
practices in security and the NEC. The NEC has the force of law
for one. When I first started doing electrical work I was
fortunate to find a version of the code which had been annotated
with the reasons for the provisions, very useful for my style of learning.
Another difference is that following the NEC is not always enough
to keep you out of trouble with the local building inspector. At
the time I started, San Francisco's rules forbade the use of
Romex plastic electrical cable. The effect was that everyone ran
conduit and then pulled wires. This rule kept the local
electrical worker's union quite happy. About the time I moved
out of the city, they had changed the rules under fire from the
federal housing department which was tired of spending too much
money building in San Francisco. They changed the rules to allow
Romex in federally assisted housing, but nowhere else.
And, of course, the best practices NEC will probably result in a
house that doesn't have enough electrical outlets. This is very
similar to the question about how long an RSA key to use. Old
guidance tends to live on beyond its time. We need a lot more
outlets now than are required by the code.
In security best practices we have the debate on how often to
change passwords. The original guidance of once a month was
based on the thought that a brute force attack on the password
file would take about two months. I think the current guidance
is every 3 months. HP recently changed from once a year to once
every 3 months to follow this best practice. They also reduced
the minimum password length from 12 to 8 characters so the more
transient passwords would be easier to remember. Is that a
change for better security? YMMV.
Indeed, anyone trying to set up a security policy should look at
best practices and try to understand why each item is being
recommended. This examination will require a knowledgeable
individual since the examination will have to determine if the
practice matches current reality, and if there are any other
important factors that are not covered by the best practice.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | "The only thing we have to     | Periwinkle
(408)356-8506      | fear is fear itself." - FDR    | 16345 Englewood Ave
www.pwpconsult.com | Inaugural address, 3/4/1933    | Los Gatos, CA 95032