[Cryptography] best practices considered bad term

ianG iang at iang.org
Mon Feb 2 15:33:29 EST 2015


On 2/02/2015 06:43 am, Bill Frantz wrote:

> Well, there are some important differences between best practices in
> security and the NEC. The NEC has the force of law for one.

(which follows the strength of the code, doesn't explain why the code is 
inherently strong and sensible.)

> When I first
> started doing electrical work I was fortunate to find a version of the
> code which had been annotated with the reasons for the provisions, very
> useful for my style of learning.
>
> Another difference is following the NEC is not always enough to keep you
> out of trouble with the local building inspector. At the time I started,
> San Francisco's rules forbade the use of Romex plastic electrical cable.
> The effect was that everyone ran conduit and then pulled wires. This
> rule kept the local electrical worker's union quite happy. About the
> time I moved out of the city, they had changed the rules under fire from
> the federal housing department which was tired of spending too much
> money building in San Francisco. They changed the rules to allow Romex
> in federally assisted housing, but nowhere else.

Of course, codes and 'best practices' alike, and all similar things, are 
basically battlegrounds for competing economic interests.  I always 
chuckle when I recall the Europeans referring to the group that creates 
the German Electrical Code as the Committee for Siemens.

> And, of course, the best practices NEC will probably result in a house
> that doesn't have enough electrical outlets. This is very similar to the
> question about how long a RSA key to use. Old guidance tends to live on
> beyond its time. We need a lot more outlets now than are required by the
> code.

Right.  Cost of 'code' outlets way exceeds the cost of powerboard 
outlets .. and we have a stability in the market for outlets :)

> In security best practices we have the debate on how often to change
> passwords. The original guidance of once a month was based on the
> thought that a brute force attack on the password file would take about
> two months. I think the current guidance is every 3 months. HP recently
> changed from once a year to once every 3 months to follow this best
> practice. They also reduced the minimum password length from 12 to 8
> characters so the more transient passwords would be easier to remember.
> Is that a change for better security? YMMV.


So can we come up with a 'best practices' for passwords?  If these 
things work as a concept or an idea, surely we should be able to write 
one set of guidelines -- short and sweet so people can grok them -- that 
solves the issue for most people most of the time.  Right?

Here's my contribution:


      1. Write passwords down.


Man or mouse?  Anyone here says they don't know how to do passwords?


> Indeed, anyone trying to set up a security policy should look at best
> practices and try to understand why each item is being recommended. This
> examination will require a knowledgeable individual since the examination
> will have to determine if the practice matches current reality, and if
> there are any other important factors that are not covered by the best
> practice.


(In a separate document, sure.  Or in a few words attached, so it 
doesn't weigh the document down past readability.  Right, I see your point.)



iang
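The quoted HP example (shorter passwords to make more frequent rotation tolerable) rests on a comparison the thread only gestures at: the time a brute-force search needs versus the rotation interval. The following is an added worked example, not part of the original post or of either correspondent's reasoning; the guess rate, the 62-character alphabet and the 90-day interval are constructed assumptions chosen to mirror the numbers in the quoted text.

```python
import math

SECONDS_PER_DAY = 86400


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords for a given length and alphabet."""
    return alphabet_size ** length


def expected_seconds_to_crack(length: int, alphabet_size: int,
                              guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: on average half the keyspace
    is tried before the right password is found."""
    return search_space(length, alphabet_size) / 2 / guesses_per_second


def rotation_outpaces_attack(length: int, alphabet_size: int,
                             guesses_per_second: float,
                             rotation_days: int) -> bool:
    """True if a password is expected to be rotated before an exhaustive
    search at the given rate would finish. False means the rotation
    interval is irrelevant to this attack and only length/alphabet matter."""
    return (expected_seconds_to_crack(length, alphabet_size, guesses_per_second)
            > rotation_days * SECONDS_PER_DAY)


def max_guess_rate_for_rotation(length: int, alphabet_size: int,
                                rotation_days: int) -> float:
    """Highest attacker guess rate at which the rotation interval still
    expires before the expected search completes."""
    return search_space(length, alphabet_size) / 2 / (rotation_days * SECONDS_PER_DAY)


if __name__ == "__main__":
    # Constructed assumptions: mixed-case letters plus digits, a 90-day
    # rotation policy, and 1e9 guesses/s (fast unsalted hashing on GPUs).
    alphabet, rotation, rate = 62, 90, 1e9
    for length in (8, 12):
        secs = expected_seconds_to_crack(length, alphabet, rate)
        print(f"length {length}: expected crack time {secs / SECONDS_PER_DAY:.1f} days, "
              f"rotation helps: {rotation_outpaces_attack(length, alphabet, rate, rotation)}")
        print(f"   rotation only matters below {max_guess_rate_for_rotation(length, alphabet, rotation):.2e} guesses/s")
```

Under these assumptions an 8-character password is expected to fall in about a day, so a 90-day rotation changes nothing, while the 12-character password would take on the order of tens of thousands of years and the rotation interval never comes into play either. Either way the interval is not the lever; the length and the hash's cost per guess are.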

