Security Basics mailing list archives
RE: Betr.: Minimum password requirements
From: Majed Mohammed Ayoub Al-Shodari <majeds () sedcogroup com>
Date: Fri, 23 Jul 2004 00:16:00 +0300
Hello Mr. Philip,

Please read the password requirements below and set your company's requirements based on the function described for each policy:

Enforce password history
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Description: Determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately when you configure the Minimum password age.
The Recommended Value is: 6

Maximum password age
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Description: Determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0.
The Recommended Value is: 90

Minimum password age
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Description: Determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 999 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, password history is set to 1 by default.
The Recommended Value is: 60

Minimum password length
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Description: Determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.
The Recommended Value is: 8

Password must meet complexity requirements
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Description: Determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:
* Not contain all or part of the user's account name
* Be at least six characters in length
* Contain characters from three of the following four categories:
  * English uppercase characters (A through Z)
  * English lowercase characters (a through z)
  * Base 10 digits (0 through 9)
  * Nonalphanumeric characters (e.g., !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
The Recommended Value is: Enabled

Store password using reversible encryption for all users in the domain
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Description: Determines whether Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional store passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
The Recommended Value is: Disabled

If you need any further info, please don't hesitate to call me or drop me an email.

Thank you and best regards
--------------------------------------
Majed Mohammed Ayoub
Tel. :(966-2) 606-6556 Ext. ( 361 )
Fax :(966-2) 606-1342 Ext. ( 1361 )
Mobile:(966-50) 33-67-69-1
Information Systems Security Administrator
Technical Services Section
Information Technology Department
P. O. Box 4384 Jeddah 21491
Kingdom of Saudi Arabia

-----Original Message-----
From: Philip Wagenaar
To: security-basics () securityfocus com
Sent: 7/19/2004 11:22 AM
Subject: Betr.: Minimum password requirements

Hi,

Depending on your company you might not want to delete an account after 44 days (30 + 14). Usually you want to archive account information for various reasons.

But what I really miss are the strength requirements for passwords... Can passwords be blank? Can they contain the user name or company name? Does the password have to contain non-standard characters? Numbers? Caps?

All these rules won't do you any good if a user has a password like 'flower'. It will take most password-cracking programs only a few minutes to crack 'easy' passwords. So I would also make a decision about password strength.

Kind regards,

Philip Wagenaar
Junior ICT Project Leader
AccoN Accountants & Adviseurs
ICT Project Bureau
Postbus 5090
6802 EB Arnhem
The Netherlands
tel. +31 (0)26-3842384
fax. +31 (0)26-3630222
mobile: +31 (0)6-25388935
MSN/E-mail: p.wagenaar () accon nl
Yahoo: philip_wagenaar
http://www.accon.nl
"Randall M Gunning" <securityfocus () randygunning com> 15-07-04 17:26
I am working on implementing some minimum standards for our department. I am wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User IDs and passwords are "owned" by an individual and must not be shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30 days will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems that had no special security requirements (i.e. they did not have any confidential data on them). What are other people doing for this type of standard, if anything? Also, if you had your choice (not subject to a committee agreeing), what would you choose for these items?

Please let me know if you have any questions.

Thanks,
Randy

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------

==================================================================
The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and contains confidential information. Any review, retransmission or other use by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Thank you.
==================================================================
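The settings and caveats listed in Majed's message (the three-of-four complexity rule, the minimum-age / history interaction, reversible encryption) can be checked mechanically. The following is an added example, not code from any message in this thread: it reimplements the documented complexity filter and lints a policy against the thread's recommended values. The `RECOMMENDED` dict and the `lint_policy` findings are my own modelling of the GPO node; the rule that tokens of the user's display name are also rejected is an assumption taken from Microsoft's documentation of the same setting, not from the post.

```python
"""Windows password-policy checks, modelled on the settings quoted in the thread.

Added example; not code from the original mailing-list post.
"""
import re

# Constructed baseline: the recommended values from the post, keyed as a flat
# dict standing in for Account Policies\Password Policy (an assumption of this
# example, not a Windows data structure).
RECOMMENDED = {
    "history": 6,          # Enforce password history (0-24)
    "max_age_days": 90,    # Maximum password age (0 = never expires)
    "min_age_days": 60,    # Minimum password age (0 = change immediately)
    "min_length": 8,       # Minimum password length (0 = no password required)
    "complexity": True,    # Password must meet complexity requirements
    "reversible": False,   # Store password using reversible encryption
}

# Delimiters Microsoft documents for splitting the display name into tokens
# (assumption: taken from the complexity-setting documentation, not the post).
_NAME_DELIMS = re.compile(r"[\s,.\-_#]+")


def meets_complexity(password: str, account_name: str, display_name: str = "") -> bool:
    """Return True if `password` passes the built-in complexity filter as described."""
    if len(password) < 6:
        return False
    pw = password.casefold()
    # The whole account name (3+ chars) must not appear, case-insensitively.
    if len(account_name) >= 3 and account_name.casefold() in pw:
        return False
    # Assumption: display-name tokens of 3+ chars are rejected the same way.
    for token in _NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.casefold() in pw:
            return False
    classes = (
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # base-10 digits
        any(not c.isalnum() for c in password),   # non-alphanumeric
    )
    return sum(classes) >= 3


def lint_policy(policy: dict) -> list:
    """Return findings encoding the caveats from the thread; empty list means clean."""
    findings = []
    hist, max_age, min_age = policy["history"], policy["max_age_days"], policy["min_age_days"]
    if not 0 <= hist <= 24:
        findings.append("history must be between 0 and 24")
    if not 0 <= max_age <= 999:
        findings.append("max_age_days must be between 0 and 999")
    if hist > 0 and min_age == 0:
        # Without a minimum age users can cycle back to an old favourite.
        findings.append("history is ineffective while minimum age is 0")
    if max_age != 0 and min_age >= max_age:
        findings.append("minimum age must be less than maximum age")
    if max_age == 0:
        findings.append("passwords never expire")
    if policy["min_length"] < RECOMMENDED["min_length"]:
        findings.append("minimum length below recommended 8")
    if not policy["complexity"]:
        findings.append("complexity requirements disabled")
    if policy["reversible"]:
        # Reversible storage is equivalent to keeping plaintext passwords.
        findings.append("reversible encryption enabled")
    return findings


if __name__ == "__main__":
    print(meets_complexity("flower", "pwagenaar"))                 # the weak example from the thread
    print(lint_policy(RECOMMENDED))
    print(lint_policy(dict(RECOMMENDED, min_age_days=0)))
```

Run as a script it prints `False`, `[]` and the single minimum-age finding. The display-name rule is the one place the code goes beyond the quoted text; drop the `display_name` loop if you want to model exactly what the post says.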
Current thread:
- Betr.: Minimum password requirements Philip Wagenaar (Jul 21)
- <Possible follow-ups>
- RE: Betr.: Minimum password requirements Majed Mohammed Ayoub Al-Shodari (Jul 23)