Security Basics mailing list archives

RE: Minimum password requirements

From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Sun, 18 Jul 2004 01:29:50 +0000

Hi there Randy,

I have a few questions, comments etc :).
First off sounds like your on the right track with your policy.

My first question is, why can the passwords not be changed for the first 14days? This presents a possible security risk in that anyone brute forcingetc in an attempt to gain control of an account would have ample time to getin. You might have a valid reason for implementing this policy but there isan angle yu may have never considered before.My second commend is that I would probably chop that 90 day period rightdown to 30-60 days, as again brute forcing is an issue.It might be an idea at the administrative end to ensure that failed loginattempts are logged :)You might have some trouble with the 10 past passwords cannot be used, asusers tend to forget lots of new passwords, therefore they WILL write thepasswords down - then someone will find it, and you will have problems ofsomeone logging on as someone other than themselves.I also don't believe that "owning" your own account is a good terminology -this implies that this is the "users" property. This also means that unlessthey are breaking a law, they can pretty much do as they wish as it is their"property". You might be better referring to it as "leased", or somethingalong those lines. You will have to fine tune all words, as it only takesone little mistake for a user to eventually find a hole in yourdocumentation and exploit it like any hacker would :).

Hopefully my points have helped you out some.

Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting, -= KoRe WoRkS =- Internet Security
Auckland
New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com

From: "Randall M Gunning" <securityfocus () randygunning com>
To: <security-basics () securityfocus com>
Subject: Minimum password requirements
Date: Thu, 15 Jul 2004 08:26:57 -0700
MIME-Version: 1.0

Received: from outgoing3.securityfocus.com ([205.206.231.27]) bymc12-f8.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Sat, 17 Jul 200415:16:47 -0700Received: from lists.securityfocus.com (lists.securityfocus.com[205.206.231.19])by outgoing3.securityfocus.com (Postfix) with QMQPid14B2D236F83; Fri, 16 Jul 2004 11:45:27 -0600 (MDT)

Received: (qmail 11997 invoked from network); 15 Jul 2004 22:55:38 -0000
X-Message-Info: JGTYoYF78jGPKghMpgthzLztoA2LCBog
Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Message-ID: <20040715170953.17067.qmail () mail2 securityfocus com>
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Thread-Index: AcRqgCpCALaFbXC9So+YbVJ6N+L82w==
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

X-AntiAbuse: This header was added to track abuse, please include it withany abuse report

X-AntiAbuse: Primary Hostname - snoopy.trkhosting.com
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - randygunning.com

X-Source: X-Source-Args: X-Source-Dir: Return-Path:security-basics-return-29269-koremeltdown=hotmail.com () securityfocus comX-OriginalArrivalTime: 17 Jul 2004 22:16:48.0010 (UTC)FILETIME=[C06F8EA0:01C46C4B]

I am working on implementing some minimum standards for our department. Iam

wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be
shared with others.

e. User accounts that have not been accessed (i.e. logged in to) for 30days

will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items?

Please let me know if you have any questions.

Thanks,

Randy




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field

pen testing experience in our state of the art hacking lab. Master theskills

of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


_________________________________________________________________

Express yourself instantly with MSN Messenger! Download today - it's FREE!http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/



---------------------------------------------------------------------------

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 offany course! All of our class sizes are guaranteed to be 10 students or lessto facilitate one-on-one interaction with one of our expert instructors.Attend a course taught by an expert instructor with years of in-the-fieldpen testing experience in our state of the art hacking lab. Master the skillsof an Ethical Hacker to better assess the security of your organization.Visit us at:http://www.infosecinstitute.com/courses/ethical_hacking_training.html

----------------------------------------------------------------------------

Current thread:

Re: Minimum password requirements, (continued)
- Re: Minimum password requirements Dan (Jul 20)
- Re: Minimum password requirements Robert Inder (Jul 20)
  - Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 21)
- RE: Minimum password requirements Dave Dyer (Jul 21)
- RE: Minimum password requirements John Vill (Jul 19)
- RE: Minimum password requirements Robinson, Sonja (Jul 19)
  - RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements Roger A. Grimes (Jul 19)
- Re: Minimum password requirements Ed Spencer (Jul 19)
- RE: Minimum password requirements Bénoni MARTIN (Jul 19)
- RE: Minimum password requirements Hamish Stanaway (Jul 19)
- RE: Minimum password requirements Wesley Troy Scott (Jul 19)
- RE: Minimum password requirements Ruiz Cifuentes, Rolando (Jul 20)
- RE: Minimum password requirements Ferino Mardo (Jul 21)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
  - Re: Minimum password requirements dmargoli (Jul 22)
    - Re: Minimum password requirements Steve (Jul 23)
    - Re: Minimum password requirements dmargoli (Jul 23)
    - RE: Minimum password requirements Dave Dyer (Jul 26)
    - Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 26)
    - RE: Minimum password requirements Ed Spencer (Jul 26)

(Thread continues...)