Re: Minimum password requirements

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-07-20 Robert Inder wrote:
> Obviously, if a password is thought to be compromised, it must be
> changed immediately.  
>
> But in the case where is NO reason to suspect compromise...
>
> > a. Passwords must be changed at least every 90 days.
>
> Why is changing a still-secred password a good thing?

Because you're always at risk of passwords being brute-forced, plus you
can't be sure whether a password has been cracked/leaked until it's used
by an attacker (IOW until it's too late). Changing passwords on a
regular basis will limit the time a password is of use to an attacker.

> > b. Passwords cannot be changed for at least 14 days.
>
> Why is this a good thing?  Is it somethign to do with letting users
> "flush" the "queue" of previous passwords?

Exactly.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------