RE: Minimum password requirements

["Dave Dyer" <ddyer () ciber com>]

Hiya Randy,
Here are the requirements I like to use for clients who aren't held to
specific guidelines, but want inherent security in their password complexity
rules.

.       Minimum of 6 characters
.       At least 1 alpha
.       At least 1 numeric
.       Maximum age of 35 days
.       Password cannot be the same as the user id or any iteration of the
user name or name
.       No more than 3 characters repeated consecutively.
.       Should not be used for 10 iterations (password history)
.       Minimum password age of 3 days

Your password complexity restrictions look good, but 14 days for minimum
password age is too long.  The goal of the minimum age is to keep users from
entering 10 junk passwords in a row so they can continue to use their
favorite password.  In my opinion, anyone who wants to enter a different
junk password every day for 30 days so they can use their favorite password
for 90 is more than welcome to it.

If it's an environment that requires slightly higher security and has some
computer-saavy people who understand not to put their passwords on a sticky
note, I'd suggest the following:

Minimum password length of 8 characters
Add a special character requirement
Add a mixed case requirement

Hope that helps.

Dave


-----Original Message-----
From: Randall M Gunning [mailto:securityfocus () randygunning com] 
Sent: Thursday, July 15, 2004 9:27 AM
To: security-basics () securityfocus com
Subject: Minimum password requirements

I am working on implementing some minimum standards for our department. I am
wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be
shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30 days
will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items? 

Please let me know if you have any questions.

Thanks,

Randy




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------