Re: Minimum password requirements

[Dan <dan () radioactivechicken org>]

Randall M Gunning wrote:

> I am working on implementing some minimum standards for our department. I am
> wondering what the list thinks of these standards:
>
> a. Passwords must be changed at least every 90 days.
> b. Passwords cannot be changed for at least 14 days.
> c. Previous passwords cannot be reused (at least the last 10).
> d. User ids and passwords are "owned" by an individual and must not be
> shared with others.
> e. User accounts that have not been accessed (i.e. logged in to) for 30 days
> will be deactivated.
> f. Inactive user accounts will be deleted after 14 days.
>
> The numbers I have used are what I used in the corporate world for systems
> that had no special security requirements (i.e. they did not have any
> confidential data on them). What are other people doing for this type of
> standard, if anything? Also, if you had your choice (not subject to a
> committee agreeing), what would you choose for these items? 
>
> Please let me know if you have any questions.
>
> Thanks,
>
> Randy
I'm not sure I understand the rationale behind the routine password 
resets. We have to assume, I think, that vulnerabilities exploited will 
not involve grabbing the shadow password and spending a few years 
cracking it; if a password can be cracked in 91 days, it can be cracked 
in 90. In other words, your concern is not that sort of brute-forcing; 
it's a more immediate exploit, such as a password left on a post-it, or 
a simply weak password that can be broken with a dictionary attack in a 
few hours. In those cases, your changing policy does absolutely no good 
(unless you use one-time passwords a la s/key), and makes life so 
difficult for users that they may in fact be more inclined to use weak 
passwords, to write them on post-its, etc.

So I would strike rule a and c; rule b is probably not terrible useful, 
or at least I don't see your point; if an attacker knows your password, 
isn't he likely to simply leave it the way it is an install a rootkit or 
other backdoor?


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------