Saturday, March 23, 2013

Making the Password Usable, But Yet Secure

XKCD 936 - Password Strength
One of the interesting parts of information security is that the field stretches between two extremes. On one end you have Strong Security: the whole goal of securing data is making it as secure as possible, through cryptography, passwords, 2-factor authentication, configuration, and so on. At the complete other end of the spectrum is Strong Usability: we need to do our jobs, after all, and the more usable a system is, the faster we can do them.

These two ends of the spectrum are inversely related: more of one usually means less of the other. It is very easy to have too much security, making the usability mind-numbing: carrying around hard tokens with PIN codes, 16-character passwords with 30-day expirations, 10-minute timeouts, and network policies where everything needs approval. But if you relax all of the policies to make them more usable, suddenly you are vulnerable to all of the threats involved with information security: rainbow-table attacks on password hashes, brute-force attacks, denial of service (DoS) attacks, social engineering, etc.
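The trade-off is easiest to see with numbers. The following Python snippet is an added example, not part of the original post, that estimates the entropy of a few password policies (including the 16-character policy mentioned above and the four-word passphrase style from XKCD 936) and how long exhaustive guessing would take at an assumed rate. The charset sizes, wordlist sizes and the guess rate of one billion guesses per second (a constructed figure for an offline attack against a fast hash) are assumptions for illustration only.

```python
import math


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of `length`
    symbols drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Bits of entropy for a passphrase of `words` words, each chosen
    uniformly at random from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guess rate.
    The expected time to hit the right one is about half of this."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e9) -> dict:
    """Return {policy name: (entropy bits, years to exhaust)} for a set of
    illustrative policies. 94 symbols = printable ASCII without space;
    2048 and 7776 are assumed wordlist sizes (the latter is diceware-sized)."""
    policies = {
        "8 chars, 94-symbol charset": charset_entropy_bits(94, 8),
        "16 chars, 94-symbol charset": charset_entropy_bits(94, 16),
        "4 random words, 2048-word list (XKCD 936 style)": passphrase_entropy_bits(2048, 4),
        "6 random words, 7776-word list": passphrase_entropy_bits(7776, 6),
    }
    return {
        name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
        for name, bits in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:50s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

Note that these figures only hold when the password is chosen uniformly at random; a user-picked "P@ssw0rd1!" has far fewer bits than a charset calculation suggests, which is the point the comic makes. Raising the per-guess cost with a slow, salted hash (and thereby lowering the guess rate) also defeats precomputed rainbow tables, since each salt forces the attacker to start over.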