RE: Minimum password requirements

["David Gillett" <gillettdavid () fhda edu>]

  Well, I've known users who would change their password and then
immediately change it back, if you let them, but never one who was
willing to change it TEN times to get back to their old password.
I'd think anyone who was that desperate would be dissuaded if the
minimum time between changes was 30 minutes or so -- 10 days still
strikes me as both overkill and *insecure*.

Dave Gillett


> -----Original Message-----
> From: dave kleiman [mailto:dave () isecureu com]
> Sent: Monday, July 19, 2004 7:37 PM
> To: gillettdavid () fhda edu; 'Randall M Gunning';
> security-basics () securityfocus com
> Subject: RE: Minimum password requirements
>
>
> Dave,
>
> Absolutely it is otherwise the user could just change his
> password 10 times
> back to the original one. We generally use 3-5 days but 14 is fine.
>
> If your all your systems can support it you should try
> incorporating ALT
> characters into your policy it least for Admin and Extended
> access users.
>
>
> ______________________________________
> Dave Kleiman, CISSP, CISM, CIFI, MCSE
> www.SecurityBreachResponse.com
>
>
> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu]
> Sent: Monday, July 19, 2004 11:47
> To: 'Randall M Gunning'; security-basics () securityfocus com
> Subject: RE: Minimum password requirements
>
> > b. Passwords cannot be changed for at least 14 days.
>
>   With the last 10 being retained, I don't think this one is
> necessary.  And
> since it could prevent a leaked/compromised password from
> being changed, I'd
> say it risks decreasing security rather than improving it.
>
>   Also, I don't see anything here which specifies the length
> or content of
> passwords, which directly determine how vulnerable they are
> to cracking.  Or
> what about not writing them on a post-it stuck to a corner of
> the screen?
>
> David Gillett
>
>
> > -----Original Message-----
> > From: Randall M Gunning [mailto:securityfocus () randygunning com]
> > Sent: Thursday, July 15, 2004 8:27 AM
> > To: security-basics () securityfocus com
> > Subject: Minimum password requirements
> >
> >
> > I am working on implementing some minimum standards for our
> > department. I am wondering what the list thinks of these standards:
> >
> > a. Passwords must be changed at least every 90 days.
> > b. Passwords cannot be changed for at least 14 days.
> > c. Previous passwords cannot be reused (at least the last 10).
> > d. User ids and passwords are "owned" by an individual and
> must not be
> > shared with others.
> > e. User accounts that have not been accessed (i.e. logged in
> > to) for 30 days
> > will be deactivated.
> > f. Inactive user accounts will be deleted after 14 days.
> >
> > The numbers I have used are what I used in the corporate world for
> > systems that had no special security requirements (i.e.
> they did not
> > have any confidential data on them). What are other people
> doing for
> > this type of standard, if anything? Also, if you had your
> choice (not
> > subject to a committee agreeing), what would you choose for these
> > items?
> >
> > Please let me know if you have any questions.
> >
> > Thanks,
> >
> > Randy
> >
> >
> >
> >
> > --------------------------------------------------------------
> > -------------
> > Ethical Hacking at the InfoSec Institute. Mention this ad
> and get $545
> > off any course! All of our class sizes are guaranteed to be 10
> > students or less to facilitate one-on-one interaction with
> one of our
> > expert instructors.
> > Attend a course taught by an expert instructor with years of
> > in-the-field pen testing experience in our state of the art hacking
> > lab.
> > Master the skills
> > of an Ethical Hacker to better assess the security of your
> > organization.
> > Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------