Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Minimum password requirements

From: "Kenton Smith" <ksmith () chartwelltechnology com>
Date: Mon, 23 Aug 2004 12:19:45 -0600
What is your password policy? If you have one, maybe the consequences for
going against the policy aren't being enforced or aren't viewed as being
serious. If you don't have a formal policy, no amount of nagging is going to
stop password sharing. You have to impress upon people the need to keep
passwords secret and then you need to have a clear policy that includes a
way of "encouraging" them (i.e. "you'll be fired if caught giving out this
information") to stick to the policy.

Kenton

-----Original Message-----
From: Mike [mailto:mike () coenholdings ie] 
Sent: Friday, August 20, 2004 9:39 AM
To: security-basics () securityfocus com
Subject: RE: Minimum password requirements

Sorry if this subject has been flogged to death, but a recent example
from one of my own users:

User A is off work and calls in and asks colleague, user B to access her
email and supplies domain password (it doesn't matter how many times you
tell them not to tell anyone their password, they still do). User A has
internet access for business user B does not (it is hard enough to get
her to work at the best of times). User B surfs internet until user A is
forced to change password after 1 week (passwords rotate every 30 days).
As internet usage is only checked monthly (there are few problems) no
alarm bells sound until user B tries to use User A login and is booted
out for wrong user password combi and it shows up in logs.

Result: User A has sheepish conversation with IT Dept on importance of
not revealing passwords and ticking off from management.

Regards
Mike Molloy
IT Supervisor




---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: