[Cryptography] best practices considered bad term
ianG
iang at iang.org
Mon Feb 2 15:33:29 EST 2015
On 2/02/2015 06:43 am, Bill Frantz wrote:
> Well, there are some important differences between best practices in
> security and the NEC. The NEC has the force of law for one.
(which follows the strength of the code, doesn't explain why the code is
inherently strong and sensible.)
> When I first
> started doing electrical work I was fortunate to find a version of the
> code which had been annotated with the reasons for the provisions, very
> useful for my style of learning.
>
> Another difference is following the NEC is not always enough to keep you
> out of trouble with the local building inspector. At the time I started,
> San Francisco's rules forbade the use of Romex plastic electrical cable.
> The effect was that everyone ran conduit and then pulled wires. This
> rule kept the local electrical worker's union quite happy. About the
> time I moved out of the city, they had changed the rules under fire from
> the federal housing department which was tired of spending too much
> money building in San Francisco. They changed the rules to allow Romex
> in federally assisted housing, but nowhere else.
Of course, codes and 'best practices' alike, and all similar things, are
basically battlegrounds for competing economic interests. I always
chuckle when I recall the Europeans referring to the group that creates
the German Electrical Code as the Committee for Siemens.
> And, of course, the best practices NEC will probably result in a house
> that doesn't have enough electrical outlets. This is very similar to the
> question about how long an RSA key to use. Old guidance tends to live on
> beyond its time. We need a lot more outlets now than are required by the
> code.
Right. Cost of 'code' outlets way exceeds the cost of powerboard
outlets .. and we have a stability in the market for outlets :)
> In security best practices we have the debate on how often to change
> passwords. The original guidance of once a month was based on the
> thought that a brute force attack on the password file would take about
> two months. I think the current guidance is every 3 months. HP recently
> changed from once a year to once every 3 months to follow this best
> practice. They also reduced the minimum password length from 12 to 8
> characters so the more transient passwords would be easier to remember.
> Is that a change for better security? YMMV.
So can we come up with a 'best practices' for passwords? If these
things work as a concept or an idea, surely we should be able to write
one set of guidelines -- short and sweet so people can grok them -- that
solves the issue for most people most of the time. Right?
Here's my contribution:
1. Write passwords down.
Man or mouse? Anyone here says they don't know how to do passwords?
> Indeed, anyone trying to set up a security policy should look at best
> practices and try to understand why each item is being recommended. This
> examination will require a knowledgeable individual since the examination
> will have to determine if the practice matches current reality, and if
> there are any other important factors that are not covered by the best
> practice.
(In a separate document, sure. Or in a few words attached, so it
doesn't weigh the document down past readability. Right, I see your point.)
iang