Firewall Wizards mailing list archives
RE: Stanford break in
From: "Bill Royds" <broyds () rogers com>
Date: Fri, 23 Apr 2004 18:57:38 -0400
If you asked the physical security about their policy with respect to changing locks and keys, you would find a policy that generally has stood the test of time and should be appropriate for passwords. Most companies do not change the keys on a time basis but on a user basis. When the possessor of a key leaves, the lock is changed; when any key or combination is lost or duplicated, the lock is changed. The complexity of the lock depends on the security needs of what is locked. If it is the desk of an ordinary employee in an office building that is itself locked, then the lock can be quite simple. If it is the lock to the corporate safe, it is very complicated and its combination is changed regularly. Passwords are combinations to locks. You don't put Chubb safe combinations on school lockers nor the reverse.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stewart, John
Sent: April 23, 2004 11:33 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Stanford break in

Speaking of password choices, and studies regarding them... we're going through some audits here (part of the Sarbanes-Oxley act), and one of the things we're going to need to get formal about enforcing is a Password Policy. It's going to be something like:

1 - Passwords must be changed every N days.
2 - Old passwords must not be re-used for M months.
3 - Passwords must meet the following guidelines:
    - Should not be based on well-known or easily accessible personal information.
    - Must contain at least X characters.
    - Must contain at least Y uppercase and Z lowercase characters.
    - Must contain at least W special characters (e.g. $, %, @)
    - Must contain at least V characters that are different from those found in the password that it is replacing.
    - Must not be dictionary (standard or slang) words, fictional character names, or based on the company's name or location.
The values for N, M, X, Y, W, V, etc., are yet to be determined.

It has always been my opinion that forcing a new password more often than once a year or so is counter-productive. I know how hard it is to get my DBA to remember the new root passwords we roll out; forcing frequent changes to the general user community I think is begging for a sticky-note problem. However, the "conventional wisdom" in the security (and auditor) world seems to be that frequent password changes should be required.

I personally have never seen any studies on what makes a good password policy, just people making recommendations without any data to back it up. Most of these recommendations seem pretty naive to me, but unless I have some hard numbers, I'm afraid we're going to end up in a situation soon which will cause the sticky-note proliferation.

I'm curious how others have handled this.

thanks
johnS

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
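The draft rule set quoted above, written out as a checker so the open parameters can be tried against real candidates. This is an added example, not code from either poster: the post leaves N, M, X, Y, Z, W and V undetermined, so the defaults below, the word list, the company terms, the "30-day month", the leet-substitution table used to judge "based on a dictionary word", the multiset definition of "characters different from the previous password", the unsalted SHA-256 standing in for a stored password hash, and every sample password and date are assumptions made here.

```python
"""Checker for the draft password policy quoted in the thread.

Added example, not code from either poster. The numeric limits N, M, X, Y, Z,
W and V were left open in the post; the defaults below are placeholders, as
are the dictionary, the company terms and every sample password and date.
"""
import datetime
import hashlib
import re
import string
from collections import Counter
from dataclasses import dataclass

SPECIALS = frozenset(string.punctuation)

# Common letter substitutions undone before the dictionary check (assumption:
# the post does not say how "based on a dictionary word" is to be judged).
LEET = str.maketrans("@043$51!", "aoaessli")


@dataclass(frozen=True)
class Policy:
    max_age_days: int = 365      # N: forced change interval
    history_months: int = 12     # M: no reuse within this window
    min_length: int = 12         # X
    min_upper: int = 1           # Y
    min_lower: int = 1           # Z
    min_special: int = 1         # W
    min_changed: int = 4         # V: characters not carried over from the old password
    dictionary: frozenset = frozenset(
        {"password", "summer", "welcome", "secret", "letmein", "dragon", "qwerty"})
    company_terms: tuple = ("acme", "springfield")   # constructed company name / location


def normalize(text):
    """Lower-case, undo leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def chars_changed(new, old):
    """Count characters of `new` not matched one-for-one by a character of `old`."""
    return sum((Counter(new) - Counter(old)).values())


def fingerprint(password):
    """Unsalted SHA-256 stands in for the site's password hash in this demo; a
    real history check compares the candidate against stored salted hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def password_expired(changed_on, policy, today):
    """Rule 1: the password is older than N days."""
    return (today - changed_on).days > policy.max_age_days


def check_password(new, old, history, personal_info, policy, today):
    """Return the list of rules `new` violates; an empty list means it passes.

    history: iterable of (fingerprint, date_set) for previous passwords.
    personal_info: strings such as username and real name.
    """
    problems = []
    if len(new) < policy.min_length:
        problems.append("length")
    if sum(c.isupper() for c in new) < policy.min_upper:
        problems.append("uppercase")
    if sum(c.islower() for c in new) < policy.min_lower:
        problems.append("lowercase")
    if sum(c in SPECIALS for c in new) < policy.min_special:
        problems.append("special")
    if old is not None and chars_changed(new, old) < policy.min_changed:
        problems.append("too similar to previous")

    norm = normalize(new)
    if any(word in norm for word in policy.dictionary if len(word) >= 4):
        problems.append("dictionary word")
    if any(term in norm for term in policy.company_terms):
        problems.append("company term")
    if any(len(normalize(i)) >= 3 and normalize(i) in norm for i in personal_info):
        problems.append("personal information")

    # Rule 2: reject a password reused within the last M months (30-day months assumed).
    cutoff = today - datetime.timedelta(days=30 * policy.history_months)
    digest = fingerprint(new)
    if any(fp == digest and when >= cutoff for fp, when in history):
        problems.append("reused")
    return problems


# Constructed scenario: the thread's date as "now", one prior password on file.
TODAY = datetime.date(2004, 4, 23)
LAST_CHANGED = datetime.date(2004, 1, 1)
OLD_PASSWORD = "Summer2003!"
HISTORY = [(fingerprint(OLD_PASSWORD), datetime.date(2004, 1, 15))]
PERSONAL_INFO = ["jstewart", "John Stewart"]


def audit(candidate, policy=Policy()):
    """Run the checker for the constructed user above."""
    return check_password(candidate, OLD_PASSWORD, HISTORY, PERSONAL_INFO, policy, TODAY)


if __name__ == "__main__":
    for candidate in ["Summer2004!", "P@ssw0rd123!", "Vk7#mQp2$Lw9zR"]:
        print(candidate, audit(candidate) or "ok")
    print("expired under N=90:", password_expired(LAST_CHANGED, Policy(max_age_days=90), TODAY))
```

The "too similar" rule is the one that bites a user who rolls "Summer2003!" to "Summer2004!" under forced rotation: only one character differs, and the normalized form still contains a dictionary word, so the rotation bought nothing. Whatever values are chosen for V and the dictionary, the checker makes the trade-off visible before the policy reaches the user community.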
Current thread:
- RE: Stanford break in, (continued)
- RE: Stanford break in Carric Dooley (Apr 23)
- Re: Stanford break in Vin McLellan (Apr 23)
- RE: Stanford break in Melson, Paul (Apr 23)
- RE: Stanford break in Paul D. Robertson (Apr 23)
- RE: Stanford break in Vin McLellan (Apr 26)
- RE: Stanford break in Paul D. Robertson (Apr 23)
- RE: Stanford break in Stewart, John (Apr 23)
- Re: Stanford break in Adam Shostack (Apr 23)
- Re: Stanford break in Bennett Todd (Apr 23)
- Re: Stanford break in Paul D. Robertson (Apr 23)
- Re: Stanford break in m (Apr 28)
- RE: Stanford break in Bill Royds (Apr 23)