[Cryptography] Possible reason why password usage rules are such a mess

Jerry Leichter leichter at lrw.com
Mon Nov 23 11:00:46 EST 2020


>>> There are *so* many ways to build an insecure system, and there is *so* little regulation about the building of these systems. First, can we regulate our way out of this insecure mess? If we can, is this really where to start?
>> One has to begin somewhere. And poor storage of password validation data is a major vulnerability. For starters, I am suggesting transparency and self-certification, not regulation.
> Might be a start.
> 
> Though self-certification of what? Sounds like ISO standards or something. (I hope there isn't a "best practices" requirement of changing passwords every 30-days in there.)
> 
> Things are a mess, even some bad standards might be useful. Maybe for things such as just prompting people to survey to know what their systems consist of.
A suggestion I've been making for years combines a small regulation with self interest:  Any system maintained by any corporation that stores user passwords - hashed or whatever you like - must also store, under pre-defined usernames, authentication information for the bank accounts, investment accounts, and other important financial and personal data, of the company president and everyone in the executive chain to whoever chooses, manages, or determines the funding for that system.

You'd be amazed at what could be accomplished if the security of those systems *actually mattered* to those in charge.
                                                        -- Jerry



More information about the cryptography mailing list