Security Basics mailing list archives
RE: Password Management
From: "Donald N Kenepp" <don () videon-central com>
Date: Mon, 24 Apr 2006 17:50:06 -0400
Hi All, There are several reasons the number seven had been popular in the past. Seven might have been seen as an optimal number for passwords at one point because seven is commonly held as the average number of characters people are capable of easily remembering. The truth to this I would have to yield to the scientists and our phone systems. Rather than rewrite someone else's research on password length recommendations, I'll just toss up a couple quick resources. The first is from the archives of Security Focus. Please note that the article *is* old and brief; do not stop your research at this article. http://www.securityfocus.com/infocus/1319 http://web.textfiles.com/hacking/advisory.txt The second link is to what I believe is some of the original L0phtcrack information the Security Focus article references. Again, it should merely begin to explain where the number seven is coming from. You'll have to look around for more details about your specific system setup and how to best secure it based on the authentication methods you are using. While in general the longer the password, the better it will hold up, password complexity and the encryption algorithm in use play key factors. Sincerely, Donald -----Original Message----- From: Christopher Carpenter [mailto:ccarpenter () dswa net] Sent: Friday, April 21, 2006 4:06 PM To: Jason T. Hallahan; Crawley, Jim Cc: security-basics () securityfocus com Subject: RE: Password Management That's patently false. The longer the password, the better it will hold up against brute force attacks. Length and complexity also provide a measure of protection against those using rainbow tables. Rainbow Tables (Wikipedia) http://en.wikipedia.org/wiki/Rainbow_table Password Recovery Speeds (Lockdown.co.uk) http://www.thecrypt.co.uk/lockdown/recovery_speeds.html Chris -----Original Message----- From: Jason T. Hallahan [mailto:jthallah () gmail com] Sent: Friday, April 21, 2006 10:54 AM To: Crawley, Jim Cc: security-basics () securityfocus com Subject: Re: Password Management I read somewhere that the optimal password length for a Windows system is actually 7 alphanumeric characters... can anyone verify or expand on that? On 4/20/06, Crawley, Jim <Jim.Crawley () yrbrands com> wrote:
Post-it notes on the monitor.
Really though, it's all pretty straight forward. Minimum 6-8
characters, no maximum (try to encourage pass-phrases as they're
easier
to remember and harder to guess than simple words), complexity
(combination of alphanumeric characters), 60 day expiration, 5-20
password history. No exceptions. None, at all. Nill. Nada. Zip.
Most programs/systems there's not much you can do about the
storage of the passwords in the system itself, but if you're talking
about end-users then your biggest worry will be what I said in my
first
line. The best way to avoid this is probably to try to integrate as
many systems as you can to use the same accounts.
Right now we're working on getting all our in-house and
supplier-built systems working off our Active Directory accounts
pulling
the passwords via Kerberos from our domain controllers. This however will also cause the issue of one system being compromised and they all get compromised. It's a risk/benefit write-off thing - we think the risk is worth it as the other option IS the dreaded post-it notes. -----Original Message----- From: Securi Net [mailto:securinet2004 () yahoo ca] Sent: Friday, 21 April 2006 2:44 AM To: security-basics () securityfocus com Subject: Password Management Hello list members, Does anyone know of any password management standards that are out there? I am looking at drafting an Enterprise wide strategy for managing passwords, which should encompass change, exceptions to change,
password
storage security, secure practices, categorization of accounts, etc. What I am trying to accomplish is to give a robust and resilient structure to all the best practices out there around password management. I don't expect to find a silver bullet, but would welcome any
feedback.
Regards CP __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
------------------------------------------------------------------------
- This List Sponsored by: Webroot Don't leave your confidential company and customer records
un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--
------------------------------------------------------------------------ -
This List Sponsored by: Webroot Don't leave your confidential company and customer records
un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------ --
------------------------------------------------------------------------ - This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php ------------------------------------------------------------------------ -- ------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php -------------------------------------------------------------------------- ------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------
Current thread:
- Re: Password Management, (continued)
- Re: Password Management Kelly Martin (Apr 21)
- Re: Password Management Turk (Apr 24)
- Re: Password Management Micheal Espinola Jr (Apr 24)
- RE: Password Management Lorteau Clement (Apr 21)
- Re: Password Management nightwatchman (Apr 21)
- Re: Password Management Bill Cullen (Apr 24)
- Re: Password Management Alexander Bolante (Apr 24)
- Re: Password Management l00t3r (Apr 24)
- RE: Password Management Christopher Carpenter (Apr 24)
- Re: Password Management Stephen John Smoogen (Apr 24)
- RE: Password Management Donald N Kenepp (Apr 25)
- RE: Password Management cv arun (Apr 25)
- Re: Password Management Ansgar -59cobalt- Wiechers (Apr 26)
- RE: Password Management Utz, Ralph (Apr 24)
- Re: Password Management James Harless (Apr 24)
- Re: Password Management James Harless (Apr 24)
- Re: Password Management Derek Schaible (Apr 25)
- Re : Password Management frrrwww-ml (Apr 25)
- RE: Password Management Beauford, Jason (Apr 24)
- Re: Password Management PCSC Information Services (Apr 24)
- RE: Password Management Steve Armstrong (Apr 25)