Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Stanford break in

From: "Bill Royds" <broyds () rogers com>
Date: Fri, 23 Apr 2004 18:57:38 -0400
If you asked the physical security about their policy with respect to
changing locks and keys, you would find a policy that generally has stood
the test of tome and should be appropriate for passwords.
  Most companies do not change the keys on a time basis but on a user basis.
When the possessor of a key leaves, the lock is changed, when any key or
combination is lost or duplicated, the lock is changed. The complexity of
the lock depends on the security needs of what is locked.  If is the desk of
an ordinary employee in an office building that is itself locked, then the
lock can be quite simple. If it is the lock to the corporate safe, it is
very complicated and its combination is changed regularly. Passwords are
combinations to locks. You don't put Chubb safe combinations on school
lockers nor the reverse.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stewart,
John
Sent: April 23, 2004 11:33 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Stanford break in


Speaking of password choices, and studies regarding them... we're going
through some audits here (part of the Sarbanes-Oxley act), and one of the
things we're going to need to get formal about enforcing is a Password
Policy.

It going to be something like:

1 - Passwords must be changed every N days.
2 - Old passwords must not be re-used for M months.
3 - Passwords must meet the following guidelines:
        - Should not be based on well-known or easily accessible personal
information.
        - Must contain at least X characters.
        - Must contain at least Y uppercase and Z lowercase characters.
        - Must contain at least W special characters (e.g. $, %, @)
        - Must contain at least V characters that are different from those
found in the password that it is replacing.
        - Must not be dictionary (standard or slang) words, fictional
character names, or based on the company's name or location.


The values for N, M, X, Y, W, V, etc., are yet to be determined.

It has always been my opinion that forcing a new password more often than
once a year or so is counter-productive. I know how hard it is to get my DBA
to remember the new root passwords we roll out; forcing frequent changes to
the general user community I think is begging for a sticky-note problem.

However, the "conventional wisdom" in the security (and auditor) world seems
to be that frequent password changes should be required. I personally have
never seen any studies on what makes a good password policy, just people
making recommendations without any data to back it up. Most of these
recommendations seem pretty naive to me, but unless I have some hard
numbers, I'm afraid we're going to end up in a situation soon which will
cause the sticky-note proliferation.

I'm curious how others have handled this.

thanks

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: