Security Basics mailing list archives

RE: passwords

From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Wed, 19 Feb 2003 09:28:29 -0500

That's it???   Arguments can be made for changing passwords from between 30
and 90 days.  Each argument has valid points which I will not elaborate on
again since it's been beaten to death.  30 to 90 is fine but you need to
make sure there is complexity involved.  The harder the complexity the more
valid the argument for 90 days so users won't be tempted to write it down.
I wouldn't exceed more than 90 ever but I prefer 30.  A combination of
Capital and lowercase letters, Numbers and Symbols.  Require 3 out of the 4
minimum.  Make a minimum length of 7.  If you are using LANMan make it  7
not 8 since 7 is harder to crack for LANMan other reasons that I also won't
go into.  You should have a password history as well.  I prefer 12 so that
people can slightly change the password to be Passw0rd1, Passw0rd2, ....
Run enforcement onthese policies and run password checkers to verify.  

IMHO, 30 days is best.  I've had 30 days with these rules and users are
fine.  At first people tend to kick and scream but if you reduce the times
in increments of say 15 days every 3 months people don't notice the
difference.

Good Password - N0t*N0w, Abs0lutely%, 
Bad Password - tuxedo, names, birthdates, License plates, names, pets,
anything in a dictionary (incl foreign languages, klingon, etc.), anything
identifiable or guessable about a person, phone #'s, etc.

-----Original Message-----
From: ullmic6 [mailto:ullmic6 () web de] 
Sent: Monday, February 17, 2003 2:02 PM
To: security-basics () securityfocus com
Subject: passwords

Hello all,

one of the favorite subjects in my company seems to be the 
strength of passwords. We force our users to change their 
mail password every 90 days. Does this make sense? Why?

--
ullmic



**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or 
others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have 
received this communication in error, please notify the sender of the error immediately, do not read or use the 
communication in any manner, destroy all copies, and delete it from your system if the communication was sent via 
email. 




**********************************************************************

Current thread:

passwords ullmic6 (Feb 18)
- RE: passwords Robert Sieber (Feb 19)
  - RE: passwords Jeff Harris (Feb 20)
- Re: passwords simsjs (Feb 19)
- Re: passwords multics (Feb 19)
  - Re: passwords jl (Feb 20)
- Re: passwords Ross Nelson (Feb 19)
- RE: passwords Tim V - DZ (Feb 19)
- <Possible follow-ups>
- Re: passwords eer7y3n0h (Feb 19)
- Re: passwords Chris Berry (Feb 19)
- RE: passwords Robinson, Sonja (Feb 19)
- RE: passwords Vince Dang (Feb 20)
- RE: passwords Chris Berry (Feb 20)
- Re: passwords Chris Berry (Feb 20)
- RE: passwords Shanna Daly (Feb 20)
- RE: passwords Trevor Cushen (Feb 20)
  - Re: passwords Glen Mehn (Feb 20)
  - RE: passwords Tim Heagarty (Feb 20)
- RE: passwords Högman, Lars (Feb 22)