Security Basics mailing list archives

Re: Minimum password requirements

From: "steve" <securityfocus () delahunty com>
Date: Mon, 19 Jul 2004 13:56:03 -0400

According to NIST Special Publication 800-14, Generally Accepted Principles
and Practices for Securing Information Technology System, if passwords are
used for authentication, organizations should:
-- Specify Required Attributes. Secure password attributes such as a minimum
length of six, inclusion of special characters, not being in an online
dictionary, and being unrelated to the user ID should be specified and
required.
-- Change Frequently. Passwords should be changed periodically.

According to Federal Information Processing Standards Publication (FIPS)
112, Password Usage Password System for Medium Protection Requirements:
1.  Length Range: 4-8
2.  Composition: U.C. Letters (A-Z), L.C. Letters (a-z), and digits (0-9)
3.  Lifetime: 6 months
4.  Source: System generated and user selected
5.  Ownership: Individual
6.  Distribution: Terminal and special mailer
7.  Storage: Encrypted passwords
8.  Entry: Non-printing keyboard and masked-printing keyboard
9.  Transmission: Cleartext
10. Authentication Period: Login and after 10 minutes of terminal
inactivity.


Here is what we have used at places where I work:

Do not write down your password.
Do not share your password with other users.
Do not let other people know your password, even the IT staff.

Passwords are automatically set to expire every 60 days, the system will
remind you that you need to change your password.  Passwords must be at
least 8 characters long.  Passwords may not contain your user name or any
part of your full name.  Passwords must include a combination of letters,
numbers, and punctuation characters.  Passwords must contain characters from
at least three of the following four classes:
 description  examples
 Upper Case Letters A, B, C, ... Z
 Lower Case Letters a, b, c, ... z
 Numerals  0, 1, 2, ... 9

Non-alphanumeric special characters such as punctuation and symbols above
the numbers on the keyboard.  When changing your password the new password
must be unique, not one used previously on our system, using a variation of
a previous password is an allowable technique.





----- Original Message ----- 
From: "Randall M Gunning" <securityfocus () randygunning com>
To: <security-basics () securityfocus com>
Sent: Thursday, July 15, 2004 11:26 AM
Subject: Minimum password requirements


I am working on implementing some minimum standards for our department. I am
wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be
shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30 days
will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items?

Please let me know if you have any questions.

Thanks,

Randy




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

Minimum password requirements Randall M Gunning (Jul 17)
- Re: Minimum password requirements Jordan Cole (stilist) (Jul 19)
- RE: Minimum password requirements Maurice Post (Jul 19)
- Re: Minimum password requirements Pete Hunt (Jul 19)
- Re: Minimum password requirements _ (Jul 19)
- RE: Minimum password requirements David Gillett (Jul 19)
  - Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 20)
  - RE: Minimum password requirements dave kleiman (Jul 20)
    - RE: Minimum password requirements David Gillett (Jul 20)
    - RE: Minimum password requirements dave kleiman (Jul 20)
- Re: Minimum password requirements steve (Jul 20)
- Re: Minimum password requirements Dan (Jul 20)
- Re: Minimum password requirements Robert Inder (Jul 20)
  - Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 21)
- RE: Minimum password requirements Dave Dyer (Jul 21)
- <Possible follow-ups>
- RE: Minimum password requirements John Vill (Jul 19)
- RE: Minimum password requirements Robinson, Sonja (Jul 19)
  - RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements Roger A. Grimes (Jul 19)
- Re: Minimum password requirements Ed Spencer (Jul 19)
- RE: Minimum password requirements Bénoni MARTIN (Jul 19)

(Thread continues...)