Security Basics mailing list archives
RE: Minimum password requirements
From: "Dave Dyer" <ddyer () ciber com>
Date: Fri, 23 Jul 2004 15:11:29 -0600
In my opinion, it's a carryover from the days when password complexity wasn't a well known security mechanism (read: NT 3.5, DOS 6.22 and possibly before). It was easy to enforce password expiration times, while password complexity was much more difficult to enforce. Plus, we've all heard of that scenario (or movie, or whatever) where a super-secure facility changes the door codes or password to the supercomputer once a week, and that makes it harder for someone who knows the password to spread it to a malicious individual in time for that individual to use it (perhaps via the "telephone" method, or perhaps directly). Regardless, these are very good points. For anything other than admin access, I find myself agreeing with dmargoli, and asking "WHY...oh why, do we put these poor end users through changing their passwords every 30-90 days?" Add to that the confusion and frustration of no SSO solution and you've got an end user changing at least ONE of their passwords every 20 days or so. It's tough on them, and we all know it. I suppose if password complexity is enforced strongly, it makes it much more difficult to brute force or guess the password. However, given enough time to try the CFO's password (hrm... his dog's name is rover, and it's 2004... how about r0v3r04), I guess I can see the argument for requiring the change. Bottom line is this: We're in the business of security. Every step that we can possibly take to mitigate a risk with minimal impact on daily operations, we should take. The key is to find that golden point between impact/benefit. (psst... the golden point is 90 days) :) -----Original Message----- From: dmargoli () stwing org [mailto:dmargoli () stwing org] Sent: Thursday, July 22, 2004 12:40 PM To: security-basics () securityfocus com Subject: Re: Minimum password requirements Steve wrote:
We can discuss/argue all day long, but if you don't age passwords then you will fail almost any IT portion of an audit from an independent auditing organization.
Fair enough, but that doesn't really explain *why* it makes sense (or even if it does). If your business requires certification by an auditor who requires that measure, fine. Perfectly understandable. But that doesn't mean there's a good reason for such a practice (and I contend that there is not).
Real world example, a few departed employees had not been disabled in our domain, their accounts were automatically disabled. The auditors had no issues with that.
I never argued against disabling inactive accounts. I think that's a very good idea and support it completely. I argued against password ageing. --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Re: Minimum password requirements, (continued)
- Re: Minimum password requirements Ed Spencer (Jul 19)
- RE: Minimum password requirements BĂ©noni MARTIN (Jul 19)
- RE: Minimum password requirements Hamish Stanaway (Jul 19)
- RE: Minimum password requirements Wesley Troy Scott (Jul 19)
- RE: Minimum password requirements Ruiz Cifuentes, Rolando (Jul 20)
- RE: Minimum password requirements Ferino Mardo (Jul 21)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
- Re: Minimum password requirements dmargoli (Jul 22)
- Re: Minimum password requirements Steve (Jul 23)
- Re: Minimum password requirements dmargoli (Jul 23)
- RE: Minimum password requirements Dave Dyer (Jul 26)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 26)
- RE: Minimum password requirements Ed Spencer (Jul 26)
- Re: Minimum password requirements dmargoli (Jul 22)
- RE: Minimum password requirements Andrew Aris (Jul 23)
- RE: Minimum password requirements Jeremy Novak (Jul 26)
- Re: Minimum password requirements Jonathan Loh (Jul 26)
- Re: Minimum password requirements Gethin Jones (Jul 26)