Security Basics mailing list archives

RE: Minimum password requirements


From: "Ferino Mardo" <RMardo () ALJOMAIHBEV com>
Date: Tue, 20 Jul 2004 08:46:20 +0300

Get all the technical details ironed out and then get management to be
involved with this. My experience with my previous company has always
been with this issue of users writing down their passwords (8 chars.
minimum, combination of lower and uppercase plus at least a number) and
sticking them on their monitor. How I got around this or resolved this was
that I convinced management to back me up, and with that all users were
required to sign an NDA which "leases" them their username, password/s,
and everything associated with it, including email and internet access.
Failure to do so would result in termination of service and possibly a
lawsuit.

Draconian, yes, but it's the only way I could think of at the time.



-----Original Message-----
From: _ [mailto:nightelf () tartarus uwa edu au]
Sent: Saturday, July 17, 2004 10:53 AM
To: security-basics () securityfocus com
Subject: Re: Minimum password requirements

On Thu, Jul 15, 2004 at 08:26:57AM -0700, Randall M Gunning wrote:
a. Passwords must be changed at least every 90 days.

The only problem I have with this is that most users will start to pick
easy passwords, or write them down, if they're forced to change so
frequently. Personally, I'm all for it, but I'm interested in security,
whereas the average user wants to be inconvenienced as little as
possible.
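The policy discussed above (8-character minimum, mixed case plus a digit, 90-day rotation) expressed as a checker. This is an added example, not code from the list or from either poster; the function names, the sample passwords and the dates are all constructed here for illustration. Note that it accepts exactly the kind of "easy" passwords the thread complains about, which is the point nightelf is making.

```python
import re
from datetime import date, timedelta

# Policy as stated in the thread (constants named here, not in the original).
MIN_LENGTH = 8
MAX_AGE_DAYS = 90


def check_complexity(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    return failures


def rotation_due(last_changed: date, today: date,
                 max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation interval."""
    return (today - last_changed) > timedelta(days=max_age_days)


def days_until_expiry(last_changed: date, today: date,
                      max_age_days: int = MAX_AGE_DAYS) -> int:
    """Days left before the rotation deadline (negative if already overdue)."""
    return max_age_days - (today - last_changed).days


if __name__ == "__main__":
    # Constructed samples: the first two pass the letter of the policy even
    # though they are trivially guessable, which is the thread's concern.
    for pw in ("Passw0rd", "Summer04", "password", "Ab1"):
        problems = check_complexity(pw)
        print(f"{pw!r}: {'OK' if not problems else ', '.join(problems)}")

    # Constructed dates, using the thread's own timeframe.
    today = date(2004, 7, 20)
    for changed in (date(2004, 4, 1), date(2004, 5, 1)):
        print(changed, "rotation due:", rotation_due(changed, today),
              "days left:", days_until_expiry(changed, today))
```

The checker only enforces composition and age; it says nothing about dictionary words or reuse, so "Summer04" rotated to "Autumn04" every 90 days passes cleanly. That gap is exactly what drives the write-it-on-a-sticky-note behaviour both posters describe.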


