Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Minimum password requirements

From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Mon, 19 Jul 2004 11:47:57 +0100
I took this to help me creating the same in my company: http://nsa1.www.conxion.com/. But of course, you have to ajust 
this to your company's requirements!
 

-----Message d'origine-----
De : Randall M Gunning [mailto:securityfocus () randygunning com] 
Envoyé : jeudi 15 juillet 2004 16:27
À : security-basics () securityfocus com
Objet : Minimum password requirements

I am working on implementing some minimum standards for our department. I am wondering what the list thinks of these 
standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30 days will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems that had no special security requirements 
(i.e. they did not have any confidential data on them). What are other people doing for this type of standard, if 
anything? Also, if you had your choice (not subject to a committee agreeing), what would you choose for these items? 

Please let me know if you have any questions.

Thanks,

Randy




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are 
guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the 
art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: