Security Basics mailing list archives
Re: Minimum password requirements
From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Wed, 21 Jul 2004 03:20:32 +0000
Hi there Robert,I believe the reason for changing the password even though it has still not been hacked is a preventitive measure. For example, if I was a cracker hacking your network, and your password was "dddd", and once a month I went in sequence e.g. aaaa first month, "bbbb" second month and so on, within four months I would have cracked your account. This is called the "brute force method", and this rule reduces the chances of someone brute forcing an account. Sure, you can make a big long complex password, but it will never be safe from someone that is really dedicated to brute forcing your account, unless you have a policy set to change it x number of days, or monitor failed logins very closely (believe me, on big corporate networks this is a fuill-time job).
Kindest of regards, Hamish Stanaway, CEO Absolute Web Hosting / -= KoRe WoRkS =- Internet Security Auckland, New Zealand http://www.webhosting.net.nz http://www.buywebhosting.co.nz http://www.koreworks.com/
From: Robert Inder <robert () interactive co uk> To: "Randall M Gunning" <securityfocus () randygunning com> CC: <security-basics () securityfocus com> Subject: Re: Minimum password requirements Date: 20 Jul 2004 12:36:33 +0100 MIME-Version: 1.0Received: from outgoing2.securityfocus.com ([205.206.231.26]) by mc1-f13.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 20 Jul 2004 14:31:52 -0700 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 4DCA71437C2; Tue, 20 Jul 2004 11:12:34 -0600 (MDT)Received: (qmail 10641 invoked from network); 20 Jul 2004 11:37:01 -0000 X-Message-Info: JGTYoYF78jHd+2Ya/Lp2oheL9ar1nuTm Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <security-basics.list-id.securityfocus.com> List-Post: <mailto:security-basics () securityfocus com> List-Help: <mailto:security-basics-help () securityfocus com> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com> Delivered-To: mailing list security-basics () securityfocus com Delivered-To: moderator for security-basics () securityfocus comX-Authentication-Warning: auk.3lg.org: robert set sender to robert () interactive co uk using -fPhone: 07808 492 213 Organisation: Interactive Information Limited, Edinburgh References: <20040715170953.17067.qmail () mail2 securityfocus com> In-Reply-To: <20040715170953.17067.qmail () mail2 securityfocus com> Message-ID: <f51wu0yuczi.fsf () 3lg org> Lines: 94 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3Return-Path: security-basics-return-29332-koremeltdown=hotmail.com () securityfocus com X-OriginalArrivalTime: 20 Jul 2004 21:31:54.0917 (UTC) FILETIME=[FA776D50:01C46EA0]OK, since this is a security BASICS list, I'm going to risk showing ignorance and ask some basic quesions:-) >>>>> Randall M Gunning writes: > To: <security-basics () securityfocus com> > Subject: Minimum password requirements > Date: Thu, 15 Jul 2004 08:26:57 -0700 > I am working on implementing some minimum standards for our > department. I am wondering what the list thinks of these > standards: Obviously, if a password is thought to be compromised, it must be changed immediately. But in the case where is NO reason to suspect compromise... > a. Passwords must be changed at least every 90 days. Why is changing a still-secred password a good thing? I deal with a number of systems which do this, and even where I keep a note of the actual password, it is still a MAJOR pain. The first time I log in after the enforced password change, I forget it has happened, have several attempts to use the previous one, and the account locks before I realise. On one system I have a 100% record of having to phone up and get the account re-enabled (using the password on the letter they sent me when the account was opened!) So why do they do this? What is the threat that is large enough to justify forcing me to regularly come up with new passwords that must complex/unmemorable enough to need to be written down? > b. Passwords cannot be changed for at least 14 days. Why is this a good thing? Is it somethign to do with letting users "flush" the "queue" of previous passwords? > c. Previous passwords cannot be reused (at least the last 10). Obviously, there is no point in making me change it if I can then just change it back again....> d. User ids and passwords are "owned" by an individual and must not be> shared with others. > e. User accounts that have not been accessed (i.e. logged in to) > for 30 days will be deactivated. Well, this obviously reduces the number of "targets" (accounts) that a would-be cracker has to shoot at, and protects this system against someone who has obtained the user's password for another system. Is it more than this? I can't be alone in having a several accounts that I rarely use --- either because I need them for infrequent tasks, or because I'm the "reserve" for doing something. Either way, the accounts are seldom used, but de-activating them would have a big impact. Is the benefit of so promptly "zapping" dormant accounts enough to outweigh problems of this type? > f. Inactive user accounts will be deleted after 14 days. Is this more than just general "hygene" and/or tidiness --- smaller/simpler/fewer is better? Or is there a specific risk? > The numbers I have used are what I used in the corporate world > for systems that had no special security requirements (i.e. they > did not have any confidential data on them). What are other > people doing for this type of standard, if anything? Also, if > you had your choice (not subject to a committee agreeing), what > would you choose for these items? Well, you did say... > Please let me know if you have any questions. > Thanks, > Randy Robert. --Robert Inder Interactive Information, 07770 30 40 52 (general) 07808 492 213 3, Lauriston Gardens, 0131 229 1052 (fax)Edinburgh EH3 9HHSCOTLAND UK Interactions speak louder than words--------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-fieldpen testing experience in our state of the art hacking lab. Master the skillsof an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
_________________________________________________________________MSN Toolbar provides one-click access to Hotmail from any Web page FREE download! http://toolbar.msn.click-url.com/go/onm00200413ave/direct/01/
---------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- RE: Minimum password requirements, (continued)
- RE: Minimum password requirements John Vill (Jul 19)
- RE: Minimum password requirements Robinson, Sonja (Jul 19)
- RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements Roger A. Grimes (Jul 19)
- Re: Minimum password requirements Ed Spencer (Jul 19)
- RE: Minimum password requirements Bénoni MARTIN (Jul 19)
- RE: Minimum password requirements Hamish Stanaway (Jul 19)
- RE: Minimum password requirements Wesley Troy Scott (Jul 19)
- RE: Minimum password requirements Ruiz Cifuentes, Rolando (Jul 20)
- RE: Minimum password requirements Ferino Mardo (Jul 21)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
- Re: Minimum password requirements dmargoli (Jul 22)
- Re: Minimum password requirements Steve (Jul 23)
- Re: Minimum password requirements dmargoli (Jul 23)
- RE: Minimum password requirements Dave Dyer (Jul 26)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 26)
- RE: Minimum password requirements Ed Spencer (Jul 26)
- Re: Minimum password requirements dmargoli (Jul 22)
- RE: Minimum password requirements Andrew Aris (Jul 23)
- RE: Minimum password requirements Jeremy Novak (Jul 26)
- Re: Minimum password requirements Jonathan Loh (Jul 26)