Security Basics mailing list archives
RE: Minimum password requirements
From: "Kenton Smith" <ksmith () chartwelltechnology com>
Date: Mon, 23 Aug 2004 12:19:45 -0600
What is your password policy? If you have one, maybe the consequences for going against the policy aren't being enforced or aren't viewed as being serious. If you don't have a formal policy, no amount of nagging is going to stop password sharing. You have to impress upon people the need to keep passwords secret and then you need to have a clear policy that includes a way of "encouraging" them (i.e. "you'll be fired if caught giving out this information") to stick to the policy.

Kenton

-----Original Message-----
From: Mike [mailto:mike () coenholdings ie]
Sent: Friday, August 20, 2004 9:39 AM
To: security-basics () securityfocus com
Subject: RE: Minimum password requirements

Sorry if this subject has been flogged to death, but a recent example from one of my own users:

User A is off work and calls in and asks colleague, user B, to access her email and supplies domain password (it doesn't matter how many times you tell them not to tell anyone their password, they still do). User A has internet access for business; user B does not (it is hard enough to get her to work at the best of times). User B surfs internet until user A is forced to change password after 1 week (passwords rotate every 30 days). As internet usage is only checked monthly (there are few problems) no alarm bells sound until user B tries to use User A login and is booted out for wrong user password combi and it shows up in logs.

Result: User A has sheepish conversation with IT Dept on importance of not revealing passwords and ticking off from management.

Regards
Mike Molloy
IT Supervisor