Security Basics mailing list archives

RE: passwords


From: Vince Dang <VinceDang () HondaFCU org>
Date: Wed, 19 Feb 2003 10:14:16 -0800

Ullmic,

The answer depends on what other things you have in place.  You want to
reach a comfortable point between security and inconvenience.  90 days would
be reasonable if you enforce complex passwords with at least 8 characters
minimum.  (Both NT 4 & W2k have that feature.)  You would also set the
policy to not allow usage of the last 10 passwords.  

On the people side, you need to educate users and conduct regular audits to
make sure they don't write them on sticky notes near their stations.
Overall, it comes down to how much risk is acceptable for your company.  If
you look at security as risk management, it will help you address the
problem better.

Regards,

Vince

-----Original Message-----
From: ullmic6 [mailto:ullmic6 () web de]
Sent: Monday, February 17, 2003 11:02 AM
To: security-basics () securityfocus com
Subject: passwords


Hello all,

one of the favorite subjects in my company seems to be the strength of
passwords. We force our users to change their mail password every 90 days.
Does this make sense? Why?

--
ullmic
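
The settings Vince lists (8-character minimum, complexity, a 10-password history, 90-day maximum age) are the account-policy knobs NT 4 and W2k expose. The block below is an added Python example, not code from either poster, that implements those same checks the way a password-change handler would: a complexity test modelled on the Windows "password must meet complexity requirements" rule (three of four character classes, and no account-name or full-name token of three or more characters inside the password), a salted-hash history so the old passwords are not kept in clear text while still blocking reuse, and an age check for the rotation interval. The function names, the PBKDF2 iteration count and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy values from the thread: 8-char minimum, last 10 passwords blocked, 90-day rotation.
MIN_LENGTH = 8
HISTORY_SIZE = 10
MAX_AGE_DAYS = 90

# Assumed, reduced for the illustration; a real deployment would use a far higher count.
PBKDF2_ITERATIONS = 20_000


def meets_complexity(password: str, account_name: str, full_name: str = "") -> bool:
    """Approximation of the Windows complexity rule plus the 8-character minimum:
    at least three of four character classes (upper, lower, digit, symbol), and the
    password may not contain the account name or any 3+ character token of the
    full name (case-insensitive)."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        return False
    # Windows splits the display name on commas, periods, dashes, underscores,
    # spaces, '#' and tabs and rejects tokens of three or more characters.
    for token in re.split(r"[,.\-_\s#]+", full_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return True


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored history cannot be read back as plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Keeps the salted hashes of the last `size` passwords, newest last."""

    def __init__(self, size: int = HISTORY_SIZE):
        self.size = size
        self.entries: list[tuple[bytes, bytes]] = []

    def was_used(self, password: str) -> bool:
        # Constant-time comparison against every retained entry.
        return any(
            hmac.compare_digest(_hash(password, salt), digest)
            for salt, digest in self.entries
        )

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-self.size:]  # drop anything older than the window


def check_new_password(candidate: str, account_name: str, full_name: str,
                       history: PasswordHistory):
    """Return None if the change is allowed, otherwise the reason it is rejected."""
    if not meets_complexity(candidate, account_name, full_name):
        return "does not meet complexity requirements"
    if history.was_used(candidate):
        return f"reuses one of the last {history.size} passwords"
    return None


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password's age reaches the maximum (assumed: change is due at day 90)."""
    return today - last_changed >= timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    account, name = "jsmith", "John Smith"
    history = PasswordHistory()
    for i in range(12):                      # twelve changes; only the last ten are retained
        history.record(f"Old{i}Pass!")
    for pw in ["password", "Jsmith2003!", "Old11Pass!", "Old0Pass!", "N3w-Secret!"]:
        verdict = check_new_password(pw, account, name, history)
        print(f"{pw!r}: {'accepted' if verdict is None else 'rejected, ' + verdict}")
    print("expired:", is_expired(date(2003, 2, 17) - timedelta(days=90), date(2003, 2, 17)))
```

Note that the history check only works because the handler sees the candidate in clear at change time; it compares the candidate against each retained salted hash rather than storing reusable plaintext, so the history file is no more sensitive than the main credential store.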