On Tue, Dec 17, 2024 at 12:29 PM <to...@tuxteam.de> wrote:
>
> On Tue, Dec 17, 2024 at 10:59:40AM -0500, Michael Stone wrote:
> > On Tue, Dec 17, 2024 at 06:45:05AM +0100, to...@tuxteam.de wrote:
> > > Do you have a reference?
> > >
> > > I ask because I'm in the middle of a discussion (and that was my advice,
> > > too). Seeing what Schneier has to say on that would be very interesting.
> >
> > All of this advice is overly simplistic. The right answer depends on
> > understanding your threats and making a conscious decision what risks you
> > want to mitigate [...]
>
> I know, I know. My introductory sentence is almost literally yours.
>
> As times shift, threat models shift accordingly. Back then, when
> computers and environments were more shared, post-its and shoulder
> surfing were the main password leak threat, in-between it was the
> (clear text) transport, these days it's probably phishing and
> server-side breaches, which -- hopefully! -- yield a database of
> salted hashes, in which case strong passwords are vital.
>
> I'm still very interested in those references, not to follow them
> blindly, but because they may contain insights I haven't had myself.
> Especially in the case of Schneier, I'm doubly eager to listen.
Schneier is security on training wheels. (Not to impugn his work.) It is a good introduction, but it is written for a different audience.

If you really want to satisfy your security-related hunger, then read Gutmann's Engineering Security [1] or Ross Anderson's Security Engineering [2]. I prefer Gutmann because it is so well cited. I often pull the cited papers and read them for myself.

[1] <https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>
[2] <https://www.cl.cam.ac.uk/archive/rja14/book.html>

Jeff