Firewall Wizards mailing list archives

Re: Stanford break in


From: m () pavis biodec com
Date: Wed, 28 Apr 2004 12:51:49 +0200

* Bennett Todd (bet () rahul net) [040425 01:25]:

> Other than that, frequent mandatory password changes are detrimental
> to security. Better to have the password-changing tool use cracklib,
> and offer good random passwords to users who are willing to use
> them, and let them keep using them long enough to amortize the
> higher cost of learning them.


Somewhere, sometimes, you have to. In Italy there is a law (T.U. 196/03) 
that mandates that in certain situations, which, by the way, are not so
rare, you have to periodically change passwords on systems.

The period could be as low as three to six months:

``5. The password, where the authentication system provides for one,
is composed of at least eight characters or, where the electronic
instrument does not allow this, of a number of characters equal to the
maximum permitted; it contains no references easily traceable to the
person in charge and is changed by that person on first use and,
thereafter, at least every six months. Where sensitive data and judicial
data are processed, the password is changed at least every three
months.'' (translated from the Italian) from ``Allegato B - Disciplinare
tecnico in materia di misure minime di sicurezza'' (Annex B - Technical
specifications on minimum security measures) of the above mentioned law.
In summary it says that passwords must be at least eight characters
long, or the maximum allowed by the system, must not be easy to guess
and must be changed every six months, or every three months if the data
belong to a special category.

In these cases trying to build an effective password policy is
necessary, since it is mandated by law.

-- 
 .*.                            finelli
 /V\
(/ \) --------------------------------------------------------------
(   )       Linux: Friends dont let friends use Piccolosoffice
^^-^^ --------------------------------------------------------------

There is nothing wrong with writing ... as long as it is done in private
and you wash your hands afterward.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
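Editor's note: the following is an added example, not code from the post
above, from cracklib, or from any official Italian tool. It turns the rules
quoted from Annex B (minimum length of eight characters or the system maximum,
no references easily traceable to the user, change on first use, then every
six months, or every three months for sensitive or judicial data) into a small
policy checker. Assumptions not on the page: the six- and three-month windows
are taken as 180 and 90 days, "references easily traceable" is approximated by
looking for the username, given name, family name and birth year inside the
password, and the User record, field names and sample data are constructed
for the example.

```python
"""Password-policy checker modelled on the Annex B rules quoted above.

Added example for this page; the 180/90-day windows and the definition of a
'personal reference' are assumptions, not text from the law or the post.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

MIN_LENGTH = 8        # "at least eight characters"
SIX_MONTHS = 180      # assumed: six months expressed in days
THREE_MONTHS = 90     # assumed: three months expressed in days


@dataclass
class User:
    username: str
    given_name: str
    family_name: str
    birth_year: int
    handles_sensitive_data: bool      # sensitive or judicial data -> 3-month cycle
    last_change: Optional[date]       # None = still the initially assigned password
    system_max_length: int = 128      # longest password the system accepts


def max_age_days(user: User) -> int:
    """Change interval for this user under the quoted rule."""
    return THREE_MONTHS if user.handles_sensitive_data else SIX_MONTHS


def required_length(user: User) -> int:
    """Eight characters, or the system maximum if the system cannot take eight."""
    return min(MIN_LENGTH, user.system_max_length)


def personal_tokens(user: User) -> Set[str]:
    """Strings that would make a password 'easily traceable' to the user (assumed set)."""
    toks = {user.username, user.given_name, user.family_name, str(user.birth_year)}
    return {t.lower() for t in toks if len(t) >= 2}


def check_password(user: User, password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    need = required_length(user)
    if len(password) < need:
        problems.append(f"shorter than {need} characters")
    lowered = password.lower()
    for tok in sorted(personal_tokens(user)):
        if tok in lowered:
            problems.append(f"contains personal reference {tok!r}")
    return problems


def must_change(user: User, today: date) -> bool:
    """True on first use (never changed) or once the change interval has elapsed."""
    if user.last_change is None:
        return True
    return (today - user.last_change).days >= max_age_days(user)


def days_until_expiry(user: User, today: date) -> int:
    """Days left before a change is required (0 if already due)."""
    if user.last_change is None:
        return 0
    return max(0, max_age_days(user) - (today - user.last_change).days)


if __name__ == "__main__":
    # constructed sample data, not real users
    clerk = User("mrossi", "Mario", "Rossi", 1970, False, date(2004, 1, 15))
    doctor = User("abianchi", "Anna", "Bianchi", 1965, True, date(2004, 1, 15))
    today = date(2004, 4, 28)
    for u in (clerk, doctor):
        print(u.username, "must change:", must_change(u, today),
              "days left:", days_until_expiry(u, today))
    print(check_password(clerk, "Rossi2004!"))
```

The expiry check is the part a site would normally hand to the system's
password-ageing mechanism rather than reimplement; the point of keeping it
here is to show that the two cycles (six and three months) depend on what data
the account handles, so the policy has to know that per user.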
