Security Basics mailing list archives
Re: Seeking benchmark data on passwords
From: "Steve" <securityfocus () delahunty com>
Date: Wed, 18 Feb 2004 13:58:31 -0500
NIST has guidance on this. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems:

· Specify Required Attributes. Secure password attributes such as a minimum length of six, inclusion of special characters, not being in an online dictionary, and being unrelated to the user ID should be specified and required.
· Change Frequently. Passwords should be changed periodically.
· Train Users. Teach users not to use easy-to-guess passwords, not to divulge their passwords, and not to store passwords where others can find them.

FIPS (govt pub) has this guidance. According to Federal Information Processing Standards Publication 112, Password Usage, Password System for Medium Protection Requirements:

1. Length Range: 4-8
2. Composition: U.C. Letters (A-Z), L.C. Letters (a-z), and digits (0-9)
3. Lifetime: 6 months
4. Source: System generated and user selected
5. Ownership: Individual
6. Distribution: Terminal and special mailer
7. Storage: Encrypted passwords
8. Entry: Non-printing keyboard and masked-printing keyboard
9. Transmission: Cleartext
10. Authentication Period: Login and after 10 minutes of terminal inactivity.

We have used this policy below. We also encrypt the password database (SAM).

PASSWORD GUIDANCE

Do not write down your password.
Do not share your password with other users.
Do not let other people know your password, even the IT staff.

NETWORK PASSWORD REQUIREMENTS

Passwords are automatically set to expire every 60 days; the system will remind you that you need to change your password.
Passwords must be at least 8 characters long.
Passwords may not contain your user name or any part of your full name.
Passwords must include a combination of letters, numbers, and punctuation characters.
Passwords must contain characters from at least three of the following four classes:

  Description          Examples
  Upper Case Letters   A, B, C, ... Z
  Lower Case Letters   a, b, c, ... z
  Numerals             0, 1, 2, ... 9
  Non-alphanumeric     special characters such as punctuation and symbols above the numbers on the keyboard

When changing your password the new password must be unique, not one used previously on our system; using a variation of a previous password is an allowable technique.

----- Original Message -----
From: "Chris Davis" <chrisdavis () ti com>
To: <security-basics () securityfocus com>
Sent: Tuesday, February 17, 2004 1:02 PM
Subject: Seeking benchmark data on passwords

Hello List,

We are gathering benchmark data on passwords because we want to revisit our password policies. Would you mind helping? We need this by Thursday.

For security reasons, please do not email your company name if you are concerned about that. For the purposes of our internal work, your name will be replaced by a generic "Services Company" or "Product Company" and a general estimation of size (Fortune 100, 500, small kid on the block, etc..)

We're going to send the results out at the end of the week if you would like a copy (without the company names on them)... ;)

<<<<<< Short Survey >>>>>>>

Please send benchmark data points to answer the following questions regarding password rules:

a) Length?
b) Complexity (alpha, numeric, special, capital, ..)?
c) How often is it changed?
d) Machine generated?
e) Can they reuse old ones?
f) Anything else (smart card, token generator, RSA SecureID)?

Thanks!
Chris

Chris Davis
IT Security Team
Texas Instruments
O: 214-567-8929
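A checker for the NETWORK PASSWORD REQUIREMENTS Steve lists above, added here as an example (it is not code from the original post or from any product named in the thread). It assumes "any part of your full name" means each whitespace-separated name token matched case-insensitively, and it keeps the reuse history as salted PBKDF2 digests so the check never needs old passwords in the clear; the reuse check is exact-match only, since the policy explicitly allows a variation of a previous password.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8          # "at least 8 characters long"
MAX_AGE_DAYS = 60       # "expire every 60 days"
CLASSES_REQUIRED = 3    # "at least three of the following four classes"

def character_classes(pw):
    """Which of the four classes from the policy table appear in pw."""
    found = set()
    for ch in pw:
        if ch in string.ascii_uppercase:   found.add("upper")
        elif ch in string.ascii_lowercase: found.add("lower")
        elif ch in string.digits:          found.add("digit")
        else:                              found.add("special")
    return found

def hash_password(pw, salt=None):
    """Salted PBKDF2 digest; a stand-in for the encrypted password store (assumption)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def in_history(pw, history):
    """Exact-match reuse check only: the policy allows a variation of an old password."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)

def check_password(pw, username, full_name, history=()):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    lowered = pw.lower()
    # "any part of your full name": each whitespace-separated token (assumption)
    parts = [username.lower()] + full_name.lower().split()
    if any(part and part in lowered for part in parts):
        problems.append("contains user name or part of full name")
    if len(character_classes(pw)) < CLASSES_REQUIRED:
        problems.append("fewer than three of the four character classes")
    if in_history(pw, history):
        problems.append("reused a previous password")
    return problems

def password_expired(changed_on, today, max_age_days=MAX_AGE_DAYS):
    """True once the password has reached the 60-day lifetime."""
    return today - changed_on >= timedelta(days=max_age_days)
```

The sample names and passwords used below are constructed for illustration; the 100,000 PBKDF2 iterations are a reasonable floor for a stored history, not a tuned value.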