Penetration Testing mailing list archives
RE: [Fwd: Re: Secure Password Policy?]
From: "dave kleiman" <dave () davekleiman com>
Date: Fri, 20 Jan 2006 00:45:29 -0500
You might want to take a look at: Perfect Passwords: http://www.syngress.com/catalog/?pid=3420

It is an excellent resource for helping to decide a password policy length. It is a quick read, and not that expensive ($17 at Amazon):
http://www.amazon.com/gp/product/1597490415/qid=1137735625/sr=8-1/ref=pd_bbs_1/102-4158278-9985763?n=507846&s=books&v=glance

And the free version of LC5??, maybe we can keep it around for a little while:
http://www.lcpsoft.com/english/comparison.htm

Dave

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:sbradcpa () pacbell net]
Sent: Thursday, January 19, 2006 13:42
To: pen-test () securityfocus com
Subject: [Fwd: Re: Secure Password Policy?]

-------- Original Message --------
Subject: Re: Secure Password Policy?
Date: Thu, 19 Jan 2006 10:41:31 -0800
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <sbradcpa () pacbell net>
To: Sulaiman, Wilmar <wsulaiman () siddharta co id>, wsulaiman () siddharta co id
References: <5F63869CFE03124796730178626BF04D02476B95 () IDJKTEXC92 id kworld.kpmg.com>

Your password policy should not be 6... but as long as deemed appropriate for the risk of the device you are protecting.

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3 -- TechNet Column - Security Management - December 2004:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

If LM hashes are enabled in a firm, a 6 character password is trivial to break/sniff with LC5 [well until Symantec sunsets it anyway....]

Protecting your Windows Network [Johansson/Riley] has an excellent chapter on passwords.
http://www.protectyourwindowsnetwork.com/default.htm

Sulaiman, Wilmar wrote:
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is
> either 6 or 8 characters. I guess SANS institute considered a weak
> password if it is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8 characters).
> Is there any documentation to back it up why the best practice for
> minimum password length is set to 6?
>
> Wilmar Sulaiman
> Risk Advisory Services
> KPMG Siddharta Siddharta & Widjaja
> 32nd Floor, GKBI Building
> 28, Jl. Jend. Sudirman
> Jakarta 10210, Indonesia
> J : +62 (0) 21 574 2333
> Fax : +62 (0) 21 574 1777
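The thread's practical point is that the minimum-length number matters far less than whether the host still stores LM hashes, since an LM hash of a short password falls in minutes to LC5-style cracking. The script below is an added example (not code from the thread or from any product named in it) that checks both settings on a local Windows host: the NoLMHash value under the Lsa registry key and the minimum password length reported by `net accounts`. The 15-character threshold it uses is the length at which Windows no longer generates an LM hash at all. Function names and the warning wording are the author's own choices; run it in an elevated PowerShell session.

```powershell
# Added example: audit whether a Windows host still stores LM hashes and what
# minimum password length the local account policy enforces.
# Assumptions: run locally, elevated; 'net accounts' output in English.

function Get-NoLmHashSetting {
    # NoLMHash = 1 means Windows stops storing the LM hash for new or changed passwords.
    # Older systems (2000/XP) default to storing it when the value is absent.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    if ($null -eq $lsa.NoLMHash) { return 0 }
    return [int]$lsa.NoLMHash
}

function Get-MinPasswordLength {
    # Parse the "Minimum password length" line from 'net accounts'.
    # Append /DOMAIN to the command on a domain member to query the domain policy instead.
    $line = net accounts | Where-Object { $_ -match 'Minimum password length' }
    if ($line -match '(\d+)\s*$') { return [int]$Matches[1] }
    return $null
}

$noLmHash = Get-NoLmHashSetting
$minLen   = Get-MinPasswordLength

if ($noLmHash -ne 1) {
    # Setting the value alone does not scrub hashes already on disk: existing
    # LM hashes persist until each account's password is changed.
    Write-Warning 'NoLMHash is not set: LM hashes are still stored. Set NoLMHash=1, then force a password change.'
} else {
    Write-Output 'NoLMHash=1: LM hashes are not stored for passwords set after this was enabled.'
}

if ($null -eq $minLen) {
    Write-Warning 'Could not read the minimum password length from net accounts.'
} elseif ($minLen -lt 15) {
    # Passwords of 15 or more characters never get an LM hash, whatever NoLMHash says.
    Write-Warning "Minimum password length is $minLen. With an LM hash present, a 6-character password is cracked in minutes; 15+ characters also suppresses LM hash generation."
} else {
    Write-Output "Minimum password length is $minLen: no LM hash can be generated for compliant passwords."
}
```

A pentester reading SAM or NTDS dumps gets the same answer from the other side: accounts whose LM field is the well-known empty-password hash (aad3b435b51404eeaad3b435b51404ee) have no LM hash stored, and every other account is a cracking target regardless of what the written policy says.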
Current thread:
- [Fwd: Re: Secure Password Policy?] Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Jan 19)
- RE: [Fwd: Re: Secure Password Policy?] dave kleiman (Jan 21)