Re: Secure Password Policy?

[Sean Earp <smearp () mac com>]

Jesper Johansson, Security Program Manager at Microsoft, has written
a very detailed and scientific analysis regarding the relative
benefits of using passwords versus passphrases, and comes to some
interesting conclusions.  It is also a good analysis of the "why'"
behind specific decisions regarding setting up a Secure Password
Policy.  I could not possibly do the article justice by paraphrasing,
so here are the links:

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3
http://www.microsoft.com/technet/security/secnews/articles/
itproviewpoint091004.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

-Sean

On Jan 19, 2006, at 11:04 AM, Jarmon, Don R wrote:

> I consider a Microsoft best practice would be 15 characters for  
> users along
> with other migrating factors such as password aging, event logging/ 
> alerting,
> and lockout capabilities.  Pass phases are normally easier to use /  
> remember
> than trying to force into 6-8 characters.
>
> My D0g's N@me is Sp0t.     22 characters
> MDNiS.                  6 characters
>         
>
>
>
> -----Original Message-----
> From: Sulaiman, Wilmar [mailto:wsulaiman () siddharta co id]
> Sent: Thursday, January 19, 2006 4:12 AM
> To: pen-test () securityfocus com
> Subject: Secure Password Policy?
>
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is
> either 6 or 8 characters. I guess SANS institute considered a weak
> password if it is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8  
> characters).
> Is there any documentation to backup it up why the best practice for
> minimum password length is set to 6?
>
> Wilmar Sulaiman
> Risk Advisory Services
> KPMG Siddharta Siddharta & Widjaja
> 32nd Floor, GKBI Building
> 28, Jl. Jend. Sudirman
> Jakarta 10210, Indonesia
> J : +62 (0) 21 574 2333
> Fax : +62 (0) 21 574 1777
>
> **********************************************************************
> The information in this e-mail is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to this  
> e-mail
> by anyone else is unauthorized. If you have received this  
> communication in
> error, please address with the subject heading "Received in error,"  
> send to
> postmaster () siddharta co id, then delete the e-mail and destroy any  
> copies of
> it. If you are not the intended recipient, any disclosure, copying,
> distribution or any action taken in reliance on it, is prohibited  
> and may be
> unlawful. Any opinions or advice contained in this e-mail are  
> subject to the
> terms and conditions expressed in the governing Siddharta Siddharta &
> Widjaja/PT Siddharta Consulting client engagement letter. Opinions,
> conclusions and other information in this e-mail and any  
> attachments that do
> not relate to the official business of the firm are neither given nor
> endorsed by it.
>
> Siddharta Siddharta & Widjaja/PT Siddharta Consulting cannot  
> guarantee that
> e-mail communications are secure or error-free, as information  
> could be
> intercepted, corrupted, amended, lost, destroyed, arrive late or  
> incomplete,
> or contain viruses.
>
> Siddharta Siddharta & Widjaja - Registered Public Accountants,  
> registered in
> Indonesia, is a member firm of KPMG International. PT Siddharta  
> Consulting,
> a limited liability company registered in Indonesia, is a member  
> firm of
> KPMG International. KPMG International is a Swiss cooperative of  
> which all
> KPMG firms are members. KPMG International provides no professional  
> services
> to clients. Each member firm is a separate and independent legal  
> entity and
> each describes itself as such.
>
> This footnote also confirms that this e-mail message has been swept by
> MIMEsweeper for the presence of computer viruses. See  
> www.mimesweeper.com
> for more information.
> **********************************************************************
>
>
> ---------------------------------------------------------------------- 
> ------
> --
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications  
> on your
> website. Up to 75% of cyber attacks are launched on shopping carts,  
> forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down  
> servers are
>
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before  
> hackers
> do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ---------------------------------------------------------------------- 
> ------
> ---
>
> ---------------------------------------------------------------------- 
> --------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications  
> on your
> website. Up to 75% of cyber attacks are launched on shopping carts,  
> forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down  
> servers are
> futile against web application hacking. Check your website for  
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before  
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ---------------------------------------------------------------------- 
> ---------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------