Firewall Wizards mailing list archives
RE: Stanford break in
From: "Stewart, John" <johns () artesyncp com>
Date: Fri, 23 Apr 2004 10:33:10 -0500
Speaking of password choices, and studies regarding them... we're going through some audits here (part of the Sarbanes-Oxley act), and one of the things we're going to need to get formal about enforcing is a Password Policy. It going to be something like: 1 - Passwords must be changed every N days. 2 - Old passwords must not be re-used for M months. 3 - Passwords must meet the following guidelines: - Should not be based on well-known or easily accessible personal information. - Must contain at least X characters. - Must contain at least Y uppercase and Z lowercase characters. - Must contain at least W special characters (e.g. $, %, @) - Must contain at least V characters that are different from those found in the password that it is replacing. - Must not be dictionary (standard or slang) words, fictional character names, or based on the company's name or location. The values for N, M, X, Y, W, V, etc., are yet to be determined. It has always been my opinion that forcing a new password more often than once a year or so is counter-productive. I know how hard it is to get my DBA to remember the new root passwords we roll out; forcing frequent changes to the general user community I think is begging for a sticky-note problem. However, the "conventional wisdom" in the security (and auditor) world seems to be that frequent password changes should be required. I personally have never seen any studies on what makes a good password policy, just people making recommendations without any data to back it up. Most of these recommendations seem pretty naive to me, but unless I have some hard numbers, I'm afraid we're going to end up in a situation soon which will cause the sticky-note proliferation. I'm curious how others have handled this. thanks johnS _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Stanford break in, (continued)
- Re: Stanford break in Carric Dooley (Apr 23)
- Passwords (was: Stanford break in) Ben Nagy (Apr 23)
- Re: Stanford break in Paul D. Robertson (Apr 22)
- RE: Stanford break in Richard . Bertolett (Apr 22)
- RE: Stanford break in Ames, Neil (Apr 22)
- RE: Stanford break in Carric Dooley (Apr 23)
- Re: Stanford break in Vin McLellan (Apr 23)
- RE: Stanford break in Melson, Paul (Apr 23)
- RE: Stanford break in Paul D. Robertson (Apr 23)
- RE: Stanford break in Vin McLellan (Apr 26)
- RE: Stanford break in Paul D. Robertson (Apr 23)
- RE: Stanford break in Stewart, John (Apr 23)
- Re: Stanford break in Adam Shostack (Apr 23)
- Re: Stanford break in Bennett Todd (Apr 23)
- Re: Stanford break in Paul D. Robertson (Apr 23)
- Re: Stanford break in m (Apr 28)
- RE: Stanford break in Bill Royds (Apr 23)