Security Basics mailing list archives

RE: Betr.: Minimum password requirements


From: Majed Mohammed Ayoub Al-Shodari <majeds () sedcogroup com>
Date: Fri, 23 Jul 2004 00:16:00 +0300

Hello Mr. Philip,

Please read the password requirements below and set your company's
requirements depending on each function of the policy descriptions:

Enforce password history
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy
Description
Determines the number of unique new passwords that have to be associated
with a user account before an old password can be reused. The value must be
between 0 and 24 passwords.
This policy enables administrators to enhance security by ensuring that old
passwords are not reused continually.
To maintain the effectiveness of the password history, do not allow
passwords to be changed immediately when you configure the Minimum password
age.
The Recommended Value is: - 6

Maximum password age
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy
Description
Determines the period of time (in days) that a password can be used before
the system requires the user to change it. You can set passwords to expire
after a number of days between 1 and 999, or you can specify that passwords
never expire by setting the number of days to 0.
The Recommended Value is: - 90

Minimum password age
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy
Description
Determines the period of time (in days) that a password must be used before
the user can change it. You can set a value between 1 and 999 days, or you
can allow changes immediately by setting the number of days to 0. 
The minimum password age must be less than the Maximum password age.
Configure the minimum password age to be more than 0 if you want Enforce
password history to be effective. Without a minimum password age, users can
cycle through passwords repeatedly until they get to an old favorite. The
default setting does not follow this recommendation, so that an
administrator can specify a password for a user and then require the user to
change the administrator-defined password when the user logs on. If the
password history is set to 0, the user does not have to choose a new
password. For this reason, password history is set to 1 by default.
The Recommended Value is: - 60

Minimum password length
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy
Description
Determines the least number of characters that a password for a user account
may contain. You can set a value of between 1 and 14 characters, or you can
establish that no password is required by setting the number of characters
to 0.
The Recommended Value is: - 8



Password must meet complexity requirements 
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy
Description
Determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum
requirements:
*       Not contain all or part of the user's account name
*       Be at least six characters in length
*       Contain characters from three of the following four categories:
        *       English uppercase characters (A through Z)
        *       English lowercase characters (a through z)
        *       Base 10 digits (0 through 9)
        *       Nonalphanumeric characters (e.g., !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
The Recommended Value is: - Enabled

Store password using reversible encryption for all users in the domain
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy
Description
Determines whether Windows 2000 Server, Windows 2000 Professional, and
Windows XP Professional store passwords using reversible encryption.
This policy provides support for applications that use protocols that
require knowledge of the user's password for authentication purposes.
Storing passwords using reversible encryption is essentially the same as
storing plaintext versions of the passwords. For this reason, this policy
should never be enabled unless application requirements outweigh the need to
protect password information.
The Recommended Value is: - Disabled

If you need any further info, please don't hesitate to call me or drop me an
email.

            Thank you and best regards
--------------------------------------
Majed Mohammed Ayoub
Tel.    :(966-2) 606-6556 Ext. ( 361 )
Fax    :(966-2) 606-1342 Ext. ( 1361 )
Mobile:(966-50) 33-67-69-1
Information Systems Security Administrator
Technical Services Section
Information Technology Department
P. O. Box 4384 Jeddah 21491
Kingdom of Saudi Arabia


-----Original Message-----
From: Philip Wagenaar
To: security-basics () securityfocus com
Sent: 7/19/2004 11:22 AM
Subject: Betr.: Minimum password requirements

Hi,

Depending on your company you might not want to delete an account after
44 days (30 + 14). Usually you want to archive account information for
various reasons.

But what I really miss is the strength requirements for passwords... Can
passwords be blank? Can they contain the user name or company name?
Does the password have to contain non-standard characters? Numbers? Caps?

All these rules won't do you any good if a user has a password such as
"flower". It will take most password-cracking programs only a few minutes
to crack 'easy' passwords.

So I would also make a decision about password strength.

Kind regards,

Philip Wagenaar
Junior ICT Project Leader

AccoN Accountants & Adviseurs
ICT Project Bureau
Postbus 5090
6802 EB Arnhem
The Netherlands

tel. +31 (0)26-3842384
fax. +31 (0)26-3630222
mobile: +31 (0)6-25388935
MSN/E-mail: p.wagenaar () accon nl
Yahoo: philip_wagenaar
http://www.accon.nl


"Randall M Gunning" <securityfocus () randygunning com> 15-07-04 17:26

I am working on implementing some minimum standards for our department.
I am wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be
shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30
days will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items?

Please let me know if you have any questions.

Thanks,

Randy
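As an added example (not part of any message in this thread), the following Python code turns the "Password must meet complexity requirements" rule quoted by Majed into a checker and sanity-checks the numeric settings (history, maximum age, minimum age, minimum length) against the ranges and dependencies his message lists, so that value sets such as Randy's proposed 90/14/10 can be tested. How "part of the user's account name" is matched (delimiter-separated tokens of three or more characters) is an assumption of this example, not something stated in the thread.

```python
import re

# Character categories named by "Password must meet complexity requirements".
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "nonalphanumeric": re.compile(r"[^A-Za-z0-9]"),
}

def name_tokens(account_name: str) -> set[str]:
    """Whole account name plus its delimiter-separated parts of 3+ chars (assumption)."""
    if not account_name:
        return set()
    tokens = {account_name.lower()}
    for part in re.split(r"[\s,.\-_#]+", account_name.lower()):
        if len(part) >= 3:
            tokens.add(part)
    return tokens

def complexity_failures(password: str, account_name: str) -> list[str]:
    """Requirements the password violates; an empty list means it passes."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than six characters")
    if any(tok in password.lower() for tok in name_tokens(account_name)):
        failures.append("contains all or part of the account name")
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < 3:
        failures.append(f"only {len(present)} of 4 character categories")
    return failures

def policy_issues(history: int, max_age: int, min_age: int, min_length: int) -> list[str]:
    """Check the numeric settings against the ranges and dependencies the message states."""
    issues = []
    if not 0 <= history <= 24:
        issues.append("password history must be between 0 and 24")
    if not 0 <= max_age <= 999:
        issues.append("maximum age must be 1-999 days, or 0 for never expire")
    if not 0 <= min_age <= 999:
        issues.append("minimum age must be 0-999 days")
    if max_age and min_age >= max_age:  # max_age 0 = never expires, so no ceiling applies
        issues.append("minimum age must be less than maximum age")
    if history and min_age == 0:
        issues.append("history is ineffective when passwords can be changed immediately")
    if not 0 <= min_length <= 14:
        issues.append("minimum length must be between 0 and 14 characters")
    return issues
```

Philip's example password "flower" fails only the category rule (a single lowercase class), while Majed's recommended values 6/90/60/8 and Randy's 10/90/14 both pass the consistency check.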






