Security Basics mailing list archives

Re: passwords


From: "simsjs" <sims () interex org>
Date: Tue, 18 Feb 2003 14:04:35 -0800

Hey ullmic,

This makes sense in the fact that I can see why you do that. But, you need to keep in mind if the user is forced to 
change their password every 90 days the probability of picking what we would call a "good" password is probably slim. 
They will usually pick something that is easy to remember and therefore usually easy to guess, making it a "bad" 
password. The best way I have found to do it is to choose their passwords for them, and not allow them to change it. 
You then change passwords every ____(blank) number of days/weeks/months whatever, and give them to the users. But you 
can't allow them to write them down, and you have to tell them the password face-to-face since email would be 
unacceptable. This will only work if you work for a very small company. The other option is to periodically run a 
password cracker on the user names and see how many have weak passwords. My guess is that more than 50% will have weak 
passwords. Then you force those users to change their passwords immediately until they meet your criteria. With this 
being said, you have to make sure that you will not get in trouble for running this crack on your users, check the 
security policy and make sure it is clearly stated there whether or not you have this right. If you do not have a 
security policy, you should create one (these are great for covering your rear). Also notify your manager what you are 
going to do and show him where the security policy says you have the right to do it. After a few times doing this, you 
will find that users would rather pick something to get you off their backs than to have to listen to your lecture 
every few months.

Hope this helps. And this is just my idea of how it should be done. I am sure you will hear hundreds. Each place has 
its own budget and ways of doing things. So read them all and see what works in your environment.

Jeff


*********** REPLY SEPARATOR  ***********

On 2/17/2003 at 8:01 PM ullmic6 wrote:

Hello all,

one of the favorite subjects in my company seems to be the strength of
passwords. We force our users to change their mail password every 90 days.
Does this make sense? Why?

--
ullmic
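As an added example (not code from either post above), the kind of check an administrator could place in front of password changes so that a forced rotation cannot be satisfied by the predictable "bump the digit" variation the reply describes; the word list, length and similarity thresholds are constructed assumptions.

```python
"""Check a proposed password change, rejecting the predictable variations
(Winter03 -> Winter04, leet-speak of a dictionary word) that forced rotation
tends to produce. Added example, not code from the original thread; the
blocklist and thresholds are constructed assumptions."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for a real common-password dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}
# Undo the usual leet substitutions before the dictionary lookup.
LEET = str.maketrans("@$013!", "asoiel")
MIN_LEN = 10
SIMILARITY_LIMIT = 0.8  # assumed cut-off on difflib's 0..1 ratio


def core_word(pw: str) -> str:
    """Reduce a password to the word the user 'remembers': drop leading and
    trailing digit/symbol runs (years, '!' suffixes), undo leet, keep letters."""
    stem = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    return re.sub(r"[^a-z]", "", stem.translate(LEET).lower())


def check_new_password(new: str, old: str, username: str) -> list[str]:
    """Return the reasons a new password is rejected; an empty list means OK."""
    reasons = []
    if len(new) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    classes = sum(bool(re.search(p, new)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    core = core_word(new)
    if core in COMMON_WORDS or core == username.lower():
        reasons.append("based on a common word or the user name")
    if old:
        # Same remembered word with a new suffix, or a near-identical string
        # ("winter03!" vs "winter04!" scores about 0.89), is not a real change.
        ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
        if core == core_word(old) or ratio >= SIMILARITY_LIMIT:
            reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes such as an administrator might see after a forced rotation.
    for user, old, new in [("jsmith", "Winter03!", "Winter04!"),
                           ("jsmith", "Winter03!", "P@ssw0rd2003"),
                           ("jsmith", "Winter03!", "Correct-Horse-Battery-9")]:
        print(user, new, "->", check_new_password(new, old, user) or "accepted")
```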