Security Basics mailing list archives
Re: Minimum password requirements
From: Ed Spencer <espencer () usa net>
Date: Sun, 18 Jul 2004 00:38:14 -0800
I'd make a few changes.... but this is based on my experiences with a variety of organizations... my notes are below with explanations.
I am working on implementing some minimum standards for our department. I am wondering what the list thinks of these standards:
a. Passwords must be changed at least every 90 days.
Privileged accounts should be changed every 30 days (some say 45 or 60). This would be all admin accounts, etc.
b. Passwords cannot be changed for at least 14 days.
I understand the reasoning for this, but I prefer a 1 day rule. If for some reason they want to change the password every day I'd let them. But I would also keep a longer history... see below.
c. Previous passwords cannot be reused (at least the last 10).
I always remember at least the last 13. This keeps them from using months as the key portion of the password. By setting this longer and allowing changes every day you can make them have to go through 2 weeks of passwords to get back to a 'default' if that's what they're trying to do.
d. User ids and passwords are "owned" by an individual and must not be shared with others.
I'd go one step further and point out that they are responsible for all activities under their account. If they give out their password and someone uses it to surf porn and send nasty emails to the CEO it's on them. Strong user policy documentation here is a NECESSITY - and make them read it AND sign it.
e. User accounts that have not been accessed (i.e. logged in to) for 30 days will be deactivated.
I usually put in a note that people going on extended vacation, etc. can have their accounts suspended (made inactive) for longer periods of time if necessary. No reason to delete the account of someone that's out for open heart surgery, pregnancy, or other family leave act items if they'll be returning. Just make arrangements to suspend the account for up to 90 days or a time period deemed appropriate (family leave could be up to 180 days IIRC). This would have to be audited, but even in a large company we're talking less than 2 dozen accounts to be reviewed (make sure they're not reactivated until the person returns). I'd also make a note regarding non-personnel accounts not falling under this rule.
f. Inactive user accounts will be deleted after 14 days.
How are you differentiating between the above item and this one? Not logged in is inactive. I'd go one step further and make arrangements for any account of terminated personnel to be suspended immediately, the password changed, and then give the manager 14 days to review the contents of the account (email, files, etc.) for those items they wish to keep before they are deleted.
The numbers I have used are what I used in the corporate world for systems that had no special security requirements (i.e. they did not have any confidential data on them). What are other people doing for this type of standard, if anything? Also, if you had your choice (not subject to a committee agreeing), what would you choose for these items?
What I put above is typical of what I push for and am usually able to obtain in most organizations I've worked with in the past. Explaining the reasons for each item when putting together documentation should keep them from being circumvented. The hardest part for me has been keeping the 'admins' from breaking the rules. It's been more than one admin that I've seen get the password message and just use User Manager (or the equivalent) to reset it to their 'standard' password or turn on 'password never expires' just for them. To prevent this sort of thing you'd have to use L0phtcrack/John the Ripper/etc. to audit the passwords on admin accounts (which is a mixed blessing) or use a 3rd party password synch tool to enforce the rules (that they don't administer - this would be for separation of power - aka checks and balances). Well, that's my .02 worth...
Ed Spencer
MCSE/MCT/CNA/A+/Network+/Security+
Network Administrator
Denali Park Resorts
"It's not paranoia when they really are out to get you."
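As an added illustration (not Ed's code or anything from the list), here is a small Python evaluator for the rules as amended in this reply, run over constructed account records; the Account fields, the audit() and can_change_password() helpers, and the "password never expires" flag are my own assumptions about how such a check would be modelled.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Policy values as proposed in the post (all in days).
MAX_AGE_USER, MAX_AGE_PRIV = 90, 30   # 90 for users, 30 for admin accounts
MIN_AGE = 1                           # allow daily changes...
HISTORY = 13                          # ...but remember 13 old passwords
INACTIVE_DEACTIVATE = 30              # no login for 30 days -> deactivate
INACTIVE_DELETE = 14                  # deactivated for 14 days -> delete

@dataclass
class Account:                        # assumed record layout, not from the post
    name: str
    privileged: bool
    service_account: bool              # non-personnel account, exempt from inactivity rules
    password_set: date
    last_login: Optional[date]
    deactivated_on: Optional[date] = None
    suspended_until: Optional[date] = None   # approved leave (surgery, family leave, ...)
    never_expires: bool = False        # the flag an admin flips on for their own account
    history: List[str] = field(default_factory=list)  # hashes of previous passwords

def audit(acct: Account, today: date) -> List[str]:
    """Return the policy findings for one account."""
    findings = []
    max_age = MAX_AGE_PRIV if acct.privileged else MAX_AGE_USER
    if acct.never_expires:
        findings.append("password-never-expires set; bypasses the max age rule")
    elif (today - acct.password_set).days > max_age:
        findings.append(f"password older than {max_age} days; force a change")
    if acct.service_account:
        return findings                # item e does not apply to non-personnel accounts
    if acct.suspended_until is not None and today <= acct.suspended_until:
        return findings                # on approved leave; audited separately
    if acct.deactivated_on is not None:
        if (today - acct.deactivated_on).days > INACTIVE_DELETE:
            findings.append("deactivated more than 14 days; delete after manager review")
        return findings
    if acct.last_login is None or (today - acct.last_login).days > INACTIVE_DEACTIVATE:
        findings.append("no login in 30 days; deactivate")
    return findings

def can_change_password(acct: Account, new_hash: str, today: date) -> bool:
    """Items b and c: at least one day since the last change, and not one of the last 13."""
    if (today - acct.password_set).days < MIN_AGE:
        return False
    return new_hash not in acct.history[-HISTORY:]
```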