Security Basics mailing list archives

RE: Password Management

From: cv arun <cv.arun () yahoo com>
Date: Mon, 24 Apr 2006 22:16:22 -0700 (PDT)

Hi,

Microsoft recently released a link to help you choose
"good passwords"

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

Regs
Arun
Paladion Networks




--- Christopher Carpenter <ccarpenter () dswa net> wrote:

That's patently false.  The longer the password, the
better it will hold
up against brute force attacks.  Length and
complexity also provide a
measure of protection against those using rainbow
tables.

Rainbow Tables (Wikipedia) 
http://en.wikipedia.org/wiki/Rainbow_table

Password Recovery Speeds (Lockdown.co.uk)

http://www.thecrypt.co.uk/lockdown/recovery_speeds.html

Chris

-----Original Message-----
From: Jason T. Hallahan [mailto:jthallah () gmail com] 
Sent: Friday, April 21, 2006 10:54 AM
To: Crawley, Jim
Cc: security-basics () securityfocus com
Subject: Re: Password Management

I read somewhere that the optimal password length
for a Windows system
is actually 7 alphanumeric characters... can anyone
verify or expand
on that?

On 4/20/06, Crawley, Jim <Jim.Crawley () yrbrands com>
wrote:

        Post-it notes on the monitor.



        Really though, it's all pretty straight

forward.  Minimum 6-8

characters, no maximum (try to encourage

pass-phrases as they're
easier

to remember and harder to guess than simple

words), complexity

(combination of alphanumeric characters), 60 day

expiration, 5-20

password history.  No exceptions.  None, at all.

Nill.  Nada.  Zip.


        Most programs/systems there's not much you

can do about the

storage of the passwords in the system itself, but

if you're talking

about end-users then your biggest worry will be

what I said in my
first

line.  The best way to avoid this is probably to

try to integrate as

many systems as you can to use the same accounts.

        Right now we're working on getting all our

in-house and

supplier-built systems working off our Active

Directory accounts
pulling

the passwords via Kerberos from our domain

controllers.  This however

will also cause the issue of one system being

compromised and they all

get compromised.  It's a risk/benefit write-off

thing - we think the

risk is worth it as the other option IS the

dreaded post-it notes.



-----Original Message-----
From: Securi Net [mailto:securinet2004 () yahoo ca]
Sent: Friday, 21 April 2006 2:44 AM
To: security-basics () securityfocus com
Subject: Password Management

Hello list members,

Does anyone know of any password management

standards that are out

there?

I am looking at drafting an Enterprise wide

strategy for managing

passwords, which should encompass change,

exceptions to change,
password

storage security, secure practices, categorization

of accounts, etc.


What I am trying to accomplish is to give a robust

and resilient

structure to all the best practices out there

around password

management.

I don't expect to find a silver bullet, but would

welcome any
feedback.


Regards

CP

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam

protection around

http://mail.yahoo.com

------------------------------------------------------------------------

-
This List Sponsored by: Webroot

Don't leave your confidential company and customer

records
un-protected.


Try Webroot's Spy Sweeper Enterprise(TM) for 30

days for FREE with no

obligation. See why so many companies trust Spy

Sweeper Enterprise to

eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php

------------------------------------------------------------------------

--

------------------------------------------------------------------------

This List Sponsored by: Webroot

Don't leave your confidential company and customer

records
un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30

days for FREE with no

obligation. See why so many companies trust Spy

Sweeper Enterprise to

eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php

------------------------------------------------------------------------

--

------------------------------------------------------------------------

-
This List Sponsored by: Webroot

Don't leave your confidential company and customer
records un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days
for FREE with no 
obligation. See why so many companies trust Spy
Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php

------------------------------------------------------------------------

--

-------------------------------------------------------------------------

This List Sponsored by: Webroot

Don't leave your confidential company and customer
records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days
for FREE with no
obligation. See why so many companies trust Spy
Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php

--------------------------------------------------------------------------



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

Current thread:

Re: Password Management, (continued)
- - - Re: Password Management Turk (Apr 24)
    - Re: Password Management Micheal Espinola Jr (Apr 24)
- RE: Password Management Lorteau Clement (Apr 21)
- Re: Password Management nightwatchman (Apr 21)
  - Re: Password Management Bill Cullen (Apr 24)
  - Re: Password Management Alexander Bolante (Apr 24)
  - Re: Password Management l00t3r (Apr 24)
- RE: Password Management Christopher Carpenter (Apr 24)
  - Re: Password Management Stephen John Smoogen (Apr 24)
  - RE: Password Management Donald N Kenepp (Apr 25)
  - RE: Password Management cv arun (Apr 25)
    - Re: Password Management Ansgar -59cobalt- Wiechers (Apr 26)
- RE: Password Management Utz, Ralph (Apr 24)
  - Re: Password Management James Harless (Apr 24)
  - Re: Password Management James Harless (Apr 24)
  - Re: Password Management Derek Schaible (Apr 25)
  - Re : Password Management frrrwww-ml (Apr 25)
- RE: Password Management Beauford, Jason (Apr 24)
- Re: Password Management PCSC Information Services (Apr 24)
- RE: Password Management Steve Armstrong (Apr 25)
- RE: Password Management Utz, Ralph (Apr 25)