Security Basics mailing list archives
Re: Minimum password requirements
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 20 Jul 2004 21:13:40 +0200
On 2004-07-20 Robert Inder wrote:
Obviously, if a password is thought to be compromised, it must be changed immediately. But in the case where is NO reason to suspect compromise...a. Passwords must be changed at least every 90 days.Why is changing a still-secred password a good thing?
Because you're always at risk of passwords being brute-forced, plus you can't be sure whether a password has been cracked/leaked until it's used by an attacker (IOW until it's too late). Changing passwords on a regular basis will limit the time a password is of use to an attacker.
b. Passwords cannot be changed for at least 14 days.Why is this a good thing? Is it somethign to do with letting users "flush" the "queue" of previous passwords?
Exactly. Regards Ansgar Wiechers -- "Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Re: Minimum password requirements, (continued)
- Re: Minimum password requirements Pete Hunt (Jul 19)
- Re: Minimum password requirements _ (Jul 19)
- RE: Minimum password requirements David Gillett (Jul 19)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 20)
- RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements David Gillett (Jul 20)
- RE: Minimum password requirements dave kleiman (Jul 20)
- Re: Minimum password requirements steve (Jul 20)
- Re: Minimum password requirements Dan (Jul 20)
- Re: Minimum password requirements Robert Inder (Jul 20)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 21)
- RE: Minimum password requirements Dave Dyer (Jul 21)
- RE: Minimum password requirements John Vill (Jul 19)
- RE: Minimum password requirements Robinson, Sonja (Jul 19)
- RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements Roger A. Grimes (Jul 19)
- Re: Minimum password requirements Ed Spencer (Jul 19)
- RE: Minimum password requirements BĂ©noni MARTIN (Jul 19)
- RE: Minimum password requirements Hamish Stanaway (Jul 19)
- RE: Minimum password requirements Wesley Troy Scott (Jul 19)
- RE: Minimum password requirements Ruiz Cifuentes, Rolando (Jul 20)