Security Basics mailing list archives

Re: Minimum password requirements


From: Ed Spencer <espencer () usa net>
Date: Sun, 18 Jul 2004 00:38:14 -0800

I'd make a few changes.... but this is based on my experiences with a variety
of organizations... my notes are below with explanations.

I am working on implementing some minimum standards for our department. I am
wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
Privileged accounts should be changed every 30 days (some say 45 or 60).
This would be all admin accounts, etc.

b. Passwords cannot be changed for at least 14 days.
I understand the reasoning for this, but I prefer a 1 day rule.  If for some
reason they want to change the password every day I'd let them.  But I would
also keep a longer history... see below.

c. Previous passwords cannot be reused (at least the last 10).
I always remember at least the last 13.  This keeps them from using months as
the key portion of the password.  By setting this longer and allowing changes
every day you can make them have to go through 2 weeks of passwords to get
back to a 'default' if that's what they're trying to do.

d. User ids and passwords are "owned" by an individual and must not be
shared with others.
I'd go one step further and point out that they are responsible for all
activities under their account.  If they give out their password and someone
uses it to surf porn and send nasty emails to the CEO it's on them.  Strong
user policy documentation here is a NECESSITY - and make them read it AND sign
it.

e. User accounts that have not been accessed (i.e. logged in to) for 30 days
will be deactivated.
I usually put in a note that people going on extended vacation, etc can have
their accounts suspended (made inactive) for longer periods of time if
necessary.  No reason to delete the account of someone that's out for open
heart surgery, pregnancy, or other family leave act items if they'll be
returning.  Just make arrangements to suspend the account for up to 90 days or
a time period deemed appropriate (family leave could be up to 180 days IIRC). 
This would have to be audited but even in a large company we're talking less
than 2 dozen accounts to be reviewed (make sure they're not reactivated until
the person returns).  I'd also make a note regarding non-personnel accounts
not falling under this rule.

f. Inactive user accounts will be deleted after 14 days.
How are you differentiating between the above item and this one?  Not logged
in is inactive.  I'd go one step further and make arrangements for any account
of terminated personnel to be suspended immediately, the password changed,
and then give the manager 14 days to review the contents of the account
(email, files, etc) for those items they wish to keep before they are
deleted.

The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items? 

What I put above is typical of what I push for and am usually able to obtain
in most organizations I've worked with in the past.  Explaining the reasons
for each item when putting together documentation should keep them from being
circumvented.  The hardest part for me has been keeping the 'admins' from
breaking the rules.  It's been more than one admin that I've seen get the
password message and just use User Manager (or the equivalent) to reset it to
their 'standard' password or turn on 'password never expires' just for them.
To prevent this sort of thing you'd have to use L0phtcrack/John the
Ripper/etc to audit the passwords on admin accounts (which is a mixed
blessing) or use a 3rd party password synch tool to enforce the rules (that
they don't administer - this would be for separation of power - aka checks and
balances).

Well, that's my .02 worth...

Ed Spencer
MCSE/MCT/CNA/A+/Network+/Security+
Network Administrator
Denali Park Resorts

"It's not paranoia when they really are out to get you."
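A small Python model of the rules argued for in this reply (1-day minimum age with a 13-password history, 30-day expiry for privileged accounts, and the suspension exemption from the 30-day inactivity rule), added here as an example rather than anything from the post or its author; the sha256 stand-in for password hashing, the dates and the sample accounts are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy parameters from the discussion above (days, or a count for HISTORY).
MAX_AGE_USER, MAX_AGE_PRIVILEGED, MIN_AGE, HISTORY, INACTIVE_DISABLE = 90, 30, 1, 13, 30

@dataclass
class Account:
    privileged: bool = False
    history: list = field(default_factory=list)  # (digest, date set) pairs, newest last
    last_login: date = None
    suspended_until: date = None  # approved leave: exempt from the inactivity rule

def _digest(pw):  # stand-in for a real salted password hash (an assumption)
    return hashlib.sha256(pw.encode()).hexdigest()

def set_password(acct, new_pw, today):
    """Enforce the minimum-age and last-HISTORY rules; return (accepted, reason)."""
    if acct.history and (today - acct.history[-1][1]).days < MIN_AGE:
        return False, "minimum password age not reached"
    if _digest(new_pw) in [d for d, _ in acct.history[-HISTORY:]]:
        return False, "password is one of the last %d" % HISTORY
    acct.history.append((_digest(new_pw), today))
    return True, "changed"

def password_expired(acct, today):
    max_age = MAX_AGE_PRIVILEGED if acct.privileged else MAX_AGE_USER  # admins expire sooner
    return not acct.history or (today - acct.history[-1][1]).days >= max_age

def should_disable(acct, today):
    if acct.suspended_until and today <= acct.suspended_until:  # approved leave in force
        return False
    return acct.last_login is None or (today - acct.last_login).days >= INACTIVE_DISABLE

def days_to_cycle_back(start=date(2004, 7, 18)):
    # Daily changes needed before the original password is accepted again.
    acct = Account()
    set_password(acct, "favourite", start)
    for day in range(1, 400):
        if set_password(acct, "favourite", start + timedelta(days=day))[0]:
            return day
        set_password(acct, "throwaway%d" % day, start + timedelta(days=day))

def scenario(today=date(2004, 7, 18)):
    # Constructed sample accounts; returns (admin_expired, on_leave_disabled, idle_disabled).
    admin = Account(privileged=True, last_login=today)
    set_password(admin, "Adm1n-pass", today - timedelta(days=31))
    on_leave = Account(last_login=today - timedelta(days=60), suspended_until=today + timedelta(days=90))
    idle = Account(last_login=today - timedelta(days=31))
    return password_expired(admin, today), should_disable(on_leave, today), should_disable(idle, today)
```

days_to_cycle_back() comes out at 14: a user changing daily needs thirteen throwaway passwords before the original is accepted again, the "2 weeks of passwords" the reply describes.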
