Firewall Wizards mailing list archives

RE: Stanford break in

From: "Stewart, John" <johns () artesyncp com>
Date: Fri, 23 Apr 2004 10:33:10 -0500


Speaking of password choices, and studies regarding them... we're going
through some audits here (part of the Sarbanes-Oxley act), and one of the
things we're going to need to get formal about enforcing is a Password
Policy.

It going to be something like:

1 - Passwords must be changed every N days.
2 - Old passwords must not be re-used for M months.
3 - Passwords must meet the following guidelines:
        - Should not be based on well-known or easily accessible personal
information.
        - Must contain at least X characters.
        - Must contain at least Y uppercase and Z lowercase characters.
        - Must contain at least W special characters (e.g. $, %, @)
        - Must contain at least V characters that are different from those
found in the password that it is replacing.
        - Must not be dictionary (standard or slang) words, fictional
character names, or based on the company's name or location.


The values for N, M, X, Y, W, V, etc., are yet to be determined.

It has always been my opinion that forcing a new password more often than
once a year or so is counter-productive. I know how hard it is to get my DBA
to remember the new root passwords we roll out; forcing frequent changes to
the general user community I think is begging for a sticky-note problem.

However, the "conventional wisdom" in the security (and auditor) world seems
to be that frequent password changes should be required. I personally have
never seen any studies on what makes a good password policy, just people
making recommendations without any data to back it up. Most of these
recommendations seem pretty naive to me, but unless I have some hard
numbers, I'm afraid we're going to end up in a situation soon which will
cause the sticky-note proliferation.

I'm curious how others have handled this.

thanks

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Stanford break in, (continued)
- - - Re: Stanford break in Carric Dooley (Apr 23)
    - Passwords (was: Stanford break in) Ben Nagy (Apr 23)
  - Re: Stanford break in Paul D. Robertson (Apr 22)
- RE: Stanford break in Richard . Bertolett (Apr 22)
- RE: Stanford break in Ames, Neil (Apr 22)
  - RE: Stanford break in Carric Dooley (Apr 23)
- Re: Stanford break in Vin McLellan (Apr 23)
- RE: Stanford break in Melson, Paul (Apr 23)
  - RE: Stanford break in Paul D. Robertson (Apr 23)
    - RE: Stanford break in Vin McLellan (Apr 26)
- RE: Stanford break in Stewart, John (Apr 23)
  - Re: Stanford break in Adam Shostack (Apr 23)
  - Re: Stanford break in Bennett Todd (Apr 23)
    - Re: Stanford break in Paul D. Robertson (Apr 23)
    - Re: Stanford break in m (Apr 28)
  - RE: Stanford break in Bill Royds (Apr 23)