RE: Minimum password requirements

["Maurice Post" <info () snakemind com>]

Hey Randy,

Personally, I don not agree with standard b and f...
What about individuals that become sick? I have seen people in my department
with a nervous breakdown which were out for about 3 to 5 months... 
When they get back, they don't want their account to be deleted.
So, better to freeze the accounts for 6 months. And they have to fill in a
request to re-enable it again. (With a legitimate reason for the absence...)
About the B option: What happens when a user types his password with a wrong
character and wants to reset it to the password he desires? Can be arranged
by the sysop, but do you want all that requests? What you can do, is when a
password is changed, you can change it within the first 36 hours. After
that, changing will be disabled for 14 days. In this case you will not have
all those "OOPS!" requests, and still the safety of it...

Furthermore, These standards are pretty good I guess, and indeed: option C
should be 10 times in a cycle.

Regards,
Maurice


-----Original Message-----
From: Randall M Gunning [mailto:securityfocus () randygunning com] 
Sent: donderdag 15 juli 2004 17:27
To: security-basics () securityfocus com
Subject: Minimum password requirements

I am working on implementing some minimum standards for our department. I am
wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be
shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30 days
will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items? 

Please let me know if you have any questions.

Thanks,

Randy




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------