Security Basics mailing list archives

RE: Minimum password requirements


From: "Dave Dyer" <ddyer () ciber com>
Date: Fri, 23 Jul 2004 15:11:29 -0600

In my opinion, it's a carryover from the days when password complexity
wasn't a well known security mechanism (read:  NT 3.5, DOS 6.22 and possibly
before).  It was easy to enforce password expiration times, while password
complexity was much more difficult to enforce.  Plus, we've all heard of
that scenario (or movie, or whatever) where a super-secure facility changes
the door codes or password to the supercomputer once a week, and that makes
it harder for someone who knows the password to spread it to a malicious
individual in time for that individual to use it (perhaps via the
"telephone" method, or perhaps directly).  

Regardless, these are very good points.  For anything other than admin
access, I find myself agreeing with dmargoli, and asking "WHY...oh why, do
we put these poor end users through changing their passwords every 30-90
days?"  Add to that the confusion and frustration of no SSO solution and
you've got an end user changing at least ONE of their passwords every 20
days or so.  It's tough on them, and we all know it.

I suppose if password complexity is enforced strongly, it makes it much more
difficult to brute force or guess the password.  However, given enough time
to try the CFO's password (hrm... his dog's name is rover, and it's 2004...
how about r0v3r04), I guess I can see the argument for requiring the change.
Bottom line is this:

We're in the business of security.  Every step that we can possibly take to
mitigate a risk with minimal impact on daily operations, we should take.
The key is to find that golden point between impact/benefit.  (psst... the
golden point is 90 days) :)



-----Original Message-----
From: dmargoli () stwing org [mailto:dmargoli () stwing org] 
Sent: Thursday, July 22, 2004 12:40 PM
To: security-basics () securityfocus com
Subject: Re: Minimum password requirements

Steve wrote:

We can discuss/argue all day long, but if you don't age passwords then you
will fail almost any IT portion of an audit from an independent auditing
organization.

Fair enough, but that doesn't really explain *why* it makes sense (or 
even if it does). If your business requires certification by an auditor 
who requires that measure, fine. Perfectly understandable. But that 
doesn't mean there's a good reason for such a practice (and I contend 
that there is not).

Real world example: a few departed employees had not been disabled in our
domain; their accounts were automatically disabled.  The auditors had no
issues with that.

I never argued against disabling inactive accounts. I think that's a 
very good idea and support it completely. I argued against password ageing.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
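Dave's "r0v3r04" aside is the crux of the complexity-versus-ageing trade-off: a password built from a known word, leetspeak and the current year satisfies a typical length-plus-digits rule yet is trivially guessable, and ageing only nudges the user to "r0v3r05". The following added example (not from the thread or any product) shows a defender-side check that normalises the candidate back to its base word before comparing it against a constructed blocklist and the previous password; the leet map, the 7-character rule and the blocklist contents are assumptions for illustration.

```python
import re
from typing import Optional

# Assumed, representative leetspeak substitutions users make to satisfy
# complexity rules; a real deployment would use a fuller map.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed blocklist standing in for words an attacker could learn about
# a user (pet names, employer name, season); load a real list in practice.
BLOCKLIST = {"rover", "password", "ciber", "summer"}


def passes_complexity(pw: str, min_len: int = 7) -> bool:
    """Naive rule of the era (assumed): minimum length, letters and digits."""
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def stem(pw: str) -> str:
    """Recover the word the user started from: lowercase, drop leading and
    trailing digit/symbol runs (years, counters) *before* undoing leetspeak,
    so a trailing '04' is not turned into letters."""
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return s.translate(LEET)


def rejected_reason(pw: str, previous: Optional[str] = None) -> Optional[str]:
    """Return why a candidate password is rejected, or None if acceptable."""
    if not passes_complexity(pw):
        return "fails complexity rule"
    base = stem(pw)
    if len(base) < 4:                       # e.g. 'a1234567'
        return "too little non-digit content"
    if base in BLOCKLIST:
        return f"derived from blocked word '{base}'"
    if previous is not None and stem(previous) == base:
        return "same base word as previous password (counter/year bump)"
    return None


if __name__ == "__main__":
    # Constructed cases: the CFO's password, a year bump, and two non-derived ones.
    for pw, prev in [("r0v3r04", None), ("Fluffy05", "Fluffy04"),
                     ("Tr0ub4dor&3", None), ("c0rrect-h0rse-b4ttery", None)]:
        print(f"{pw:24s} -> {rejected_reason(pw, prev) or 'accepted'}")
```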
