Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: user default password checking tool

From: krymson () gmail com
Date: 19 Sep 2006 15:12:27 -0000
In additon to what other posters have said, I would suggest not doing your passwords the same every time. You may need 
the user's password when you build and configure the system, but once you hand over the system and account to the user, 
you should change the password to something else that does not fit some scheme.

Over time as people join your company and see what goes on, they can guess passwords of other new users and possibly 
utilize that access. In fact, it only takes one data set to guess your username/password scheme. For instance, if you 
always do [initial][initial]123, I can guess every new user account you make, especially if new employees are announced 
somewhere.

At least vary the last three digits every time, especially if your account creation and hand-off to users is a manual 
process. If you have a password complexity policy, not following your own policy will look bad to new employees. Add a 
special character at the end. :)

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: