Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Chad McDonald <Mcdonald () AUDITS GA GOV>
Date: Tue, 14 Apr 2009 07:18:37 -0400

I don't see anyone making a distinction between the IT resources involved.  Perhaps a two-tiered password change policy 
makes more sense.  I think that it could be argued that there is a larger problem if server/system passwords aren't 
changed on a reasonable schedule versus the risk involved with a faculty or computer lab system.  Is it more palatable 
to require a frequent change for critical or sensitive systems and a less frequent (once per semester?) change for all 
other systems?  I think if you toss in account lockout after X number of failed login attempts and complex (8 
characters, 1 upper case, 1 special, 1 number) passwords across all systems, you can pretty effectively mitigate most 
brute force attacks.

I suppose I should toss in a disclaimer that this is my personal opinion and not in any way reflective of opinions of 
my employer.

Sincerely, 
Chad McDonald, CISSP, CISA, PMP
Information Systems Auditor
 
State of Georgia
Department of Audits and Accounts
Information Systems Audit and Assurance Services Division
270 Washington St., SW
Room 1-156
Atlanta, Georgia 30334-8400
Phone:  404.651.8754
Fax:  404.657-5539
