Security Basics mailing list archives

Re: Seeking benchmark data on passwords


From: "Steve" <securityfocus () delahunty com>
Date: Wed, 18 Feb 2004 13:58:31 -0500

NIST has guidance on this.
NIST Special Publication 800-14, Generally Accepted Principles and Practices
for Securing Information Technology Systems
· Specify Required Attributes. Secure password attributes such as a minimum length of six, inclusion of special characters, not being in an online dictionary, and being unrelated to the user ID should be specified and required.

· Change Frequently. Passwords should be changed periodically.

· Train Users. Teach users not to use easy-to-guess passwords, not to divulge their passwords, and not to store passwords where others can find them.


FIPS (govt pub) has this guidance.
According to Federal Information Processing Standards Publication 112,
Password Usage Password System for Medium Protection Requirements:

1. Length Range: 4-8

2. Composition: U.C. Letters (A-Z), L.C. Letters (a-z), and digits (0-9)

3. Lifetime: 6 months

4. Source: System generated and user selected

5. Ownership: Individual

6. Distribution: Terminal and special mailer

7. Storage: Encrypted passwords

8. Entry: Non-printing keyboard and masked-printing keyboard

9. Transmission: Cleartext

10. Authentication Period: Login and after 10 minutes of terminal inactivity.


We have used this policy below.  We also encrypt the password database
(SAM).

PASSWORD GUIDANCE

Do not write down your password.

Do not share your password with other users.

Do not let other people know your password, even the IT staff.

NETWORK PASSWORD REQUIREMENTS

Passwords are automatically set to expire every 60 days; the system will
remind you that you need to change your password.

Passwords must be at least 8 characters long. Passwords may not contain your
user name or any part of your full name. Passwords must include a
combination of letters, numbers, and punctuation characters. Passwords must
contain characters from at least three of the following four classes:

Description            Examples

Upper case letters     A, B, C, ... Z

Lower case letters     a, b, c, ... z

Numerals               0, 1, 2, ... 9

Non-alphanumeric       Special characters such as punctuation and the symbols
                       above the numbers on the keyboard.

When changing your password, the new password must be unique (not one used
previously on our system); using a variation of a previous password is an
allowable technique.



----- Original Message ----- 
From: "Chris Davis" <chrisdavis () ti com>
To: <security-basics () securityfocus com>
Sent: Tuesday, February 17, 2004 1:02 PM
Subject: Seeking benchmark data on passwords

Hello List,

We are gathering benchmark data on passwords because we want to revisit our
password policies.  Would you mind helping?  We need this by Thursday.

For security reasons, please do not email your company name if you are
concerned about that.  For the purposes of our internal work, your name will
be replaced by a generic "Services Company" or "Product Company" and a
general estimation of size (Fortune 100, 500, small kid on the block, etc..)

We're going to send the results out at the end of the week if you would like
a copy, (without the company names on them)... ;)

<<<<<< Short Survey >>>>>>>

Please send benchmark data points to answer the following questions
regarding password rules:

a) Length?

b) Complexity (alpha, numeric, special, capital, ..)?

c) How often is it changed?

d) Machine generated?

e) Can they reuse old ones?

f) Anything else (smart card, token generator, RSA SecureID)?


Thanks!
Chris

Chris Davis
IT Security Team
Texas Instruments
O: 214-567-8929

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------
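The NETWORK PASSWORD REQUIREMENTS in Steve's reply above (at least 8 characters, no part of the user name or full name, characters from three of the four classes, no exact reuse of a previous password while variations of an old one remain allowed) expressed as a small checker. This is an added example, not code from the original thread or from either poster's organisation. The way a full name is split into "parts" (whitespace- or punctuation-separated tokens of two or more characters) and the use of a plain SHA-256 digest as the password-history fingerprint are assumptions made for illustration; the constants, sample names and sample passwords are constructed.

```python
"""Checker for the network password requirements quoted in the thread (added example)."""
import hashlib
import re
from typing import Iterable, List

MIN_LENGTH = 8     # "Passwords must be at least 8 characters long"
MIN_CLASSES = 3    # "characters from at least three of the following four classes"


def _class_count(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, other) appear."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(present)


def _name_parts(user_name: str, full_name: str) -> List[str]:
    """Tokens that must not appear in the password (assumption: parts shorter than
    two characters, such as a middle initial, are ignored)."""
    parts = [user_name] + re.split(r"[\s,.\-]+", full_name)
    return [p.lower() for p in parts if len(p) >= 2]


def fingerprint(password: str) -> str:
    """Fingerprint stored in the reuse history so old passwords are not kept in clear.
    Assumption for brevity: a real password store would use a salted, slow password
    hash rather than a bare SHA-256 digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, user_name: str, full_name: str,
                   history: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    for part in _name_parts(user_name, full_name):
        if part in lowered:
            problems.append(f"contains name part '{part}'")

    if _class_count(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")

    # Exact reuse is rejected; a variation of an old password produces a different
    # fingerprint and is therefore accepted, matching the policy text.
    if fingerprint(password) in set(history):
        problems.append("identical to a previously used password")

    return problems


if __name__ == "__main__":
    # Constructed sample account and a one-entry password history.
    user, name = "jsmith", "John Smith"
    previous = [fingerprint("Winter!2004")]
    for candidate in ["Tr0ub4dor&3", "smith2004", "Short1!", "Winter!2004", "Winter!2005"]:
        result = check_password(candidate, user, name, previous)
        print(f"{candidate:14} -> {'OK' if not result else '; '.join(result)}")
```

Each rule is reported separately so a user is told every requirement the candidate fails rather than only the first one, which is what the policy text implies when it lists the requirements side by side.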
