Firewall Wizards mailing list archives
RE: password aging
From: "KirkAdams" <Kirk-Adams () email msn com>
Date: Sun, 30 Aug 1998 00:19:02 -0400
Well.. my old days might help on this one. Here's my $0.02 and I TOTALLY agree with the gentlemen on the CC line.

OLD RULES,

1) Maintain a password listing of six prior passwords. Do not allow personnel to use the same password for more than 30 days or any password on the list. *This implies that a password must be at least 7 months old to be recycled.*
2) Ensure passwords do not consist of birthdays or names or initials or combinations thereof.
3) Passwords may not be written down.
4) etc.. etc..

Right... good luck!! That said.. here's my advice..

First, carefully evaluate your information security need. What needs to be protected? Who needs access? How much are you willing to spend in time and money to protect it?

Second, NO ONE picks a hard-to-remember password. This automatically reduces or eliminates their value. Therefore assign passwords.

Third, a password works best (against casual hacking) if it is cryptic.. i.e. case-sensitive upper/lower and letter/number combinations of at least 10 characters. However.. these are too long for most people to remember and so get written down. If it's written down you've broken a major security rule and it's likely other people will (at some point) read the password. Therefore, you must keep them at about 6 chars (do not include symbols) and INSIST that a written password is grounds for serious consequences, even termination.

Fourth, if you change passwords every 30 days they'll be written down again. BUT, a password in use for more than 30 days gives anyone trying to hack their way into a system more time to work with the same password.. so you must compromise. If you assign a new password every 75 days this gives you about 5 passwords a year and still keeps the troops from getting sloppy.

Fifth, you must implement a password attempt tracking system. Keep log files and lock out accounts after 3 wrong password attempts. Monitor for unusual activity.

The above requires A LOT of work to maintain, so make sure you evaluate the need for tight security before implementing a system that consumes lots of time. If you do implement.. make sure you support it with sufficient staff. Without maintenance the system will quickly break down again. For increased security you can just increase the # of chars in the password or decrease the # of days the password is valid. The maximum security this provides is relative to the fact that it is "password" based. For greater security implement software encryption. For still GREATER security implement hardware encryption.

Good luck,
Kirk Adams
-----Original Message-----
From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net] On Behalf Of Adam Shostack
Sent: Tuesday, August 18, 1998 5:57 PM
To: firewall-wizards () nfr net
Subject: password aging

Various people assert that it's a good idea to maintain a history of user passwords so that they can't change their password to a previous password. However, I'm having trouble finding a reference to this in the literature that examines the issue of how many passwords to save and why. The lime green book (password management) says not to let the user use their previous password, but doesn't go into storing a history. Does anyone know of a paper on, or that discusses, this topic, and how or why to pick various values of N?

Adam

-----Original Message-----
From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net] On Behalf Of Paul McNabb
Sent: Friday, August 28, 1998 12:13 PM
To: steve () aztech net
Cc: firewall-wizards () nfr net
Subject: Re: password aging

But this doesn't work either. You have to assume that your users have an idea of what a "well formed password" is. If they don't, I suspect you'll have a lot of unhappy users who struggle with finding an acceptable password. Certainly an attacker will know or can find out what is well formed. If a password is rejected it will be fairly easy to determine why.

*SNIP*

paul
From steve () aztech net Fri Aug 28 09:49:49 1998

System-wide password histories shouldn't be used unless you are also doing dictionary/pattern checks. Given those constraints, and the soundex + hashing that I mentioned in my previous message, it will be difficult for an end-user to determine exactly why their new password choice was rejected by the system. Your example of "sleepy7" could have been rejected at any stage of the "sanity checks". The specific reason for rejecting the new password should not be reported to the user; they only need to be told that the new password is probably weak.
*SNIP*
> > The moral? NEVER, NEVER, NEVER USE SYSTEM WIDE PASSWORD HISTORIES!!
---------------------------------------------------------
Paul McNabb                    Argus Systems Group, Inc.
Vice President and CTO         1809 Woodfield Drive
mcnabb () argus-systems com    Savoy, IL 61874 USA
TEL 217-355-6308               FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
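The per-user scheme Kirk's rule 1 and fifth point describe (remember six prior passwords, refuse any of them, expire after 30 days, lock the account after 3 wrong attempts), written out as an added example that is not code from the thread or any of its participants. The salted PBKDF2 hash, the `Account` class and its day-counter API are assumptions made here for illustration; storing only hashes is what lets a history be kept without keeping plaintext.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 6      # prior passwords remembered, per Kirk's rule 1
MAX_AGE_DAYS = 30      # a password may not be used longer than this
LOCKOUT_ATTEMPTS = 3   # wrong guesses before the account locks (fifth point)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash a real system uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    """One user's current password, its history, and lockout state."""

    def __init__(self, password: str, day: int):
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, hash) of prior passwords
        self.current = self._entry(password)
        self.set_day = day
        self.failures = 0
        self.locked = False

    @staticmethod
    def _entry(password: str) -> tuple:
        salt = os.urandom(16)            # fresh salt per stored entry
        return salt, _hash(password, salt)

    def _seen(self, password: str) -> bool:
        # Compare the candidate against the current hash and every history entry.
        return any(hmac.compare_digest(_hash(password, salt), h)
                   for salt, h in [self.current, *self.history])

    def change_password(self, new: str, day: int) -> str:
        if self._seen(new):
            return "rejected"            # tell the user only that it was refused
        self.history.append(self.current)  # oldest entry falls off past depth 6
        self.current = self._entry(new)
        self.set_day = day
        return "ok"

    def login(self, password: str, day: int) -> str:
        if self.locked:
            return "locked"
        salt, h = self.current
        if not hmac.compare_digest(_hash(password, salt), h):
            self.failures += 1
            self.locked = self.failures >= LOCKOUT_ATTEMPTS
            return "locked" if self.locked else "wrong password"
        self.failures = 0
        return "expired" if day - self.set_day >= MAX_AGE_DAYS else "ok"
```

With depth 6 the original password is accepted again only on the seventh change, which is the "at least 7 months old to be recycled" arithmetic in Kirk's rule 1.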