Security Basics mailing list archives
Re: Password changes more than once per day
From: bsec () cotse net
Date: Tue, 10 Feb 2004 19:28:11 -0500 (EST)
As several people have already pointed out, requiring users to wait a period of time prevents/discourages password re-use; however, not allowing users to change their passwords immediately could also have the negative side effect of allowing weak passwords to exist on one's system. Consider the situation where, while a user was entering a new password, someone watched them type it (i.e. shoulder-surfed); the account would be vulnerable until the user was allowed to change their password again.

In some organizations it is considered acceptable to allow users to change their passwords immediately, but to mitigate the risk of password re-use by setting the password history to a high (e.g. 49) and undisclosed value. Some users may be determined enough to try to reset their password back to the original value, but they will usually get discouraged after 10 or so attempts.

Good luck,
-Brett
Bob Kelley <bob_kelley_jr () yahoo com> 2/10/2004 2:32:10 PM >>>
Can someone please explain the security implications of allowing a user to change their password more than one time per day without involving an account administrator? What's the risk? I specified the security requirement of not allowing a user to change their password more than once per day for an outsourcing project and I am being asked why. I could not remember my reasoning other than that it is a requirement of Microsoft security policies to ensure password history is enforced.

Thanks!
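The two controls the thread contrasts, a minimum password age and a password history, can be modelled side by side. The following is an added example, not code from either poster or from any Microsoft implementation: a small Python password-change policy with an injectable clock, so that both the shoulder-surfing case (the user is locked out of fixing their own password until the minimum age expires, unless an administrator overrides) and the cycling case (with no minimum age, a user can change through throwaway passwords until the original falls out of the history) can be exercised offline. The account name, passwords, history sizes and the assumption that the history counts the current password as one of its entries are all constructed for illustration.

```python
"""Minimum password age vs. password history, as discussed in the thread above.

Constructed example: the policy values, account name and passwords below are
invented for illustration and are not taken from any real system.
"""
import hashlib
import hmac
import os
from collections import deque

# Deliberately low so the demo runs quickly; use a far higher count in production.
PBKDF2_ITERATIONS = 10_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class FakeClock:
    """Injectable clock so the example can advance time without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Account:
    def __init__(self, name: str, history_size: int, password: str, now: float):
        self.name = name
        # Newest first; index 0 is the current password. Assumption: the history
        # counts the current password as one of its history_size entries.
        self.history = deque(maxlen=history_size)
        self.last_change = now
        self.push(password)

    def push(self, password: str) -> None:
        """Store a fresh salt/digest pair; the oldest entry drops off the deque."""
        salt = os.urandom(16)
        self.history.appendleft((salt, _hash(password, salt)))

    def verify(self, password: str) -> bool:
        salt, digest = self.history[0]
        return hmac.compare_digest(_hash(password, salt), digest)

    def used_recently(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)


class PasswordPolicy:
    """history_size = passwords remembered; min_age_seconds = wait between changes."""

    def __init__(self, history_size: int, min_age_seconds: float, clock):
        self.history_size = history_size
        self.min_age = min_age_seconds
        self.clock = clock

    def change(self, acct: Account, old_password: str, new_password: str,
               admin_override: bool = False) -> str:
        if not acct.verify(old_password):
            return "denied: wrong current password"
        if not admin_override and self.clock() - acct.last_change < self.min_age:
            return "denied: minimum password age not reached"
        if acct.used_recently(new_password):
            return "denied: password was used recently"
        acct.push(new_password)
        acct.last_change = self.clock()
        return "ok"


ORIGINAL = "Winter2004!"  # constructed sample password


def shoulder_surf_scenario():
    """Min age of one day, history 24: a shoulder-surfed user cannot fix it alone."""
    clock = FakeClock()
    policy = PasswordPolicy(history_size=24, min_age_seconds=86_400, clock=clock)
    acct = Account("bob", policy.history_size, ORIGINAL, clock())
    blocked = policy.change(acct, ORIGINAL, "Spring2004!")           # too soon
    by_admin = policy.change(acct, ORIGINAL, "Spring2004!", admin_override=True)
    clock.advance(86_400)
    next_day = policy.change(acct, "Spring2004!", "Summer2004!")     # now allowed
    return blocked, by_admin, next_day


def changes_needed_to_reuse(history_size: int, max_attempts: int):
    """Min age 0 (immediate changes allowed): how many throwaway changes until the
    original password is accepted again? None if not reached within max_attempts."""
    clock = FakeClock()
    policy = PasswordPolicy(history_size, 0, clock)
    acct = Account("bob", history_size, ORIGINAL, clock())
    current = ORIGINAL
    for i in range(1, max_attempts + 1):
        throwaway = f"Throwaway{i}!"
        if policy.change(acct, current, throwaway) != "ok":
            raise RuntimeError("throwaway change unexpectedly refused")
        current = throwaway
        if policy.change(acct, current, ORIGINAL) == "ok":
            return i
    return None


if __name__ == "__main__":
    print(shoulder_surf_scenario())
    print(changes_needed_to_reuse(3, 10), changes_needed_to_reuse(49, 10))
```

With a history of 3 and no minimum age, three throwaway changes are enough to get the original password accepted again; with a history of 49 a user who gives up after 10 tries never gets there, which is the trade-off Brett describes. The minimum-age branch shows the cost of the other choice: the only way out for a shoulder-surfed user within the first day is the administrator override.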
Current thread:
- Password changes more than once per day Bob Kelley (Feb 10)
- Re: Password changes more than once per day Charlie Fraser (Feb 10)
- Re: Password changes more than once per day bauchi (Feb 10)
- RE: Password changes more than once per day Joey Peloquin (Feb 10)
- <Possible follow-ups>
- RE: Password changes more than once per day Pamela Gott (Feb 10)
- RE: Password changes more than once per day Gene LeDuc (Feb 10)
- RE: Password changes more than once per day Josh Mills (Feb 11)
- Re: Password changes more than once per day bsec (Feb 11)
- RE: Password changes more than once per day Gene LeDuc (Feb 12)