Re: Password Management

[Turk <theturkman86 () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason-
   I don't know if this is still true but the 7 character password has
to due with windows, or the cracking programs splitting the password
hash into two parts of 7 each.  I you have over seven  on half comes out
short and is quicker to crack.  After that the crack can use the
characters from the shorter half and see if they show up in the longer
half of the hash.
- --Turk
Jason T. Hallahan wrote:
> I read somewhere that the optimal password length for a Windows system
> is actually 7 alphanumeric characters... can anyone verify or expand
> on that?
>
> On 4/20/06, Crawley, Jim <Jim.Crawley () yrbrands com> wrote:
> >         Post-it notes on the monitor.
> >
> >
> >
> >         Really though, it's all pretty straight forward.  Minimum 6-8
> > characters, no maximum (try to encourage pass-phrases as they're easier
> > to remember and harder to guess than simple words), complexity
> > (combination of alphanumeric characters), 60 day expiration, 5-20
> > password history.  No exceptions.  None, at all.  Nill.  Nada.  Zip.
> >
> >         Most programs/systems there's not much you can do about the
> > storage of the passwords in the system itself, but if you're talking
> > about end-users then your biggest worry will be what I said in my first
> > line.  The best way to avoid this is probably to try to integrate as
> > many systems as you can to use the same accounts.
> >
> >         Right now we're working on getting all our in-house and
> > supplier-built systems working off our Active Directory accounts pulling
> > the passwords via Kerberos from our domain controllers.  This however
> > will also cause the issue of one system being compromised and they all
> > get compromised.  It's a risk/benefit write-off thing - we think the
> > risk is worth it as the other option IS the dreaded post-it notes.
> >
> >
> > -----Original Message-----
> > From: Securi Net [mailto:securinet2004 () yahoo ca]
> > Sent: Friday, 21 April 2006 2:44 AM
> > To: security-basics () securityfocus com
> > Subject: Password Management
> >
> > Hello list members,
> >
> > Does anyone know of any password management standards that are out
> > there?
> >
> > I am looking at drafting an Enterprise wide strategy for managing
> > passwords, which should encompass change, exceptions to change, password
> > storage security, secure practices, categorization of accounts, etc.
> >
> > What I am trying to accomplish is to give a robust and resilient
> > structure to all the best practices out there around password
> > management.
> >
> > I don't expect to find a silver bullet, but would welcome any feedback.
> >
> > Regards
> >
> > CP
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
> > ------------------------------------------------------------------------
> > -
> > This List Sponsored by: Webroot
> >
> > Don't leave your confidential company and customer records un-protected.
> >
> > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > eradicate spyware from their networks.
> > FREE 30-Day Trial of Spy Sweeper Enterprise
> >
> > http://www.webroot.com/forms/enterprise_lead.php
> > ------------------------------------------------------------------------
> > --
> >
> >
> > -------------------------------------------------------------------------
> > This List Sponsored by: Webroot
> >
> > Don't leave your confidential company and customer records un-protected.
> > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > eradicate spyware from their networks.
> > FREE 30-Day Trial of Spy Sweeper Enterprise
> >
> > http://www.webroot.com/forms/enterprise_lead.php
> > --------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un-protected. 
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
> obligation. See why so many companies trust Spy Sweeper Enterprise to 
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> --------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFESYyCDRGHGQkc9WkRAmPCAKC5uPRj5NHuI5akxKOufC4irGQqMgCeNM+U
ZXpakGzoxtCXw4OkC17ghes=
=uIQM
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------