Re: [fw-wiz] Stanford break in
From: Adam Shostack (adam_at_homeport.org)
To: "Stewart, John" <firstname.lastname@example.org>
Date: Fri, 23 Apr 2004 14:37:28 -0400
Your intuition is correct. Some of the problems you want to avoid are
the march0fish, april0fish, may0fish cycle, the rapid change back to a
previous password, etc. You also need to deal with the fact that a
great many apps are sending passwords over the wire in the clear. The
best password in the world doesn't beat a sniffer.
Ross Anderson's excellent book "Security Engineering" covers these
questions in detail, and gives you both anecdotal and formal testing
On Fri, Apr 23, 2004 at 10:33:10AM -0500, Stewart, John wrote:
| Speaking of password choices, and studies regarding them... we're going
| through some audits here (part of the Sarbanes-Oxley act), and one of the
| things we're going to need to get formal about enforcing is a Password
| It's going to be something like:
| 1 - Passwords must be changed every N days.
| 2 - Old passwords must not be re-used for M months.
| 3 - Passwords must meet the following guidelines:
| - Should not be based on well-known or easily accessible personal
| - Must contain at least X characters.
| - Must contain at least Y uppercase and Z lowercase characters.
| - Must contain at least W special characters (e.g. $, %, @)
| - Must contain at least V characters that are different from those
| found in the password that it is replacing.
| - Must not be dictionary (standard or slang) words, fictional
| character names, or based on the company's name or location.
| The values for N, M, X, Y, W, V, etc., are yet to be determined.
| It has always been my opinion that forcing a new password more often than
| once a year or so is counter-productive. I know how hard it is to get my DBA
| to remember the new root passwords we roll out; forcing frequent changes to
| the general user community I think is begging for a sticky-note problem.
| However, the "conventional wisdom" in the security (and auditor) world seems
| to be that frequent password changes should be required. I personally have
| never seen any studies on what makes a good password policy, just people
| making recommendations without any data to back it up. Most of these
| recommendations seem pretty naive to me, but unless I have some hard
| numbers, I'm afraid we're going to end up in a situation soon which will
| cause the sticky-note proliferation.
| I'm curious how others have handled this.
firewall-wizards mailing list
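The following is an added example, not code from either poster: a checker for the
rules John lists (X length, Y upper, Z lower, W special, V changed characters,
a banned-word list and an M-deep history) plus the check Adam's reply points at,
namely rejecting the march0fish / april0fish rotation by comparing passwords
with calendar words and digit runs stripped. The rule values, the banned-word
list, the reading of "V characters different from the old password" as
characters that occur nowhere in the old one, and the PBKDF2 parameters are
all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Month and season names users rotate through. "may" and "fall" will also match
# inside ordinary words; that false positive is accepted here.
CALENDAR_WORDS = ("january", "february", "march", "april", "may", "june", "july",
                  "august", "september", "october", "november", "december",
                  "spring", "summer", "autumn", "fall", "winter")
# Constructed stand-in for a real wordlist plus company name and location.
BANNED_WORDS = ("password", "welcome", "letmein", "qwerty", "acme", "springfield")
# Common leet substitutions undone before the wordlist check.
LEET = str.maketrans("0134$@5!7", "oieasasit")
PBKDF2_ROUNDS = 50_000  # assumption; tune to your hardware


@dataclass
class Policy:
    min_length: int = 12      # X
    min_upper: int = 1        # Y
    min_lower: int = 1        # Z
    min_special: int = 1      # W
    min_new_chars: int = 4    # V
    history_depth: int = 12   # stands in for "M months": number of old hashes kept


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record_change(history: list, password: str, policy: Policy = Policy()) -> list:
    """Append a salted hash of an accepted password and keep only the newest entries."""
    salt = os.urandom(16)
    history.append((salt, _derive(password, salt)))
    del history[:-policy.history_depth]
    return history


def in_history(password: str, history: list) -> bool:
    """True if the candidate matches any stored hash (constant-time compare per entry)."""
    return any(hmac.compare_digest(_derive(password, salt), digest)
               for salt, digest in history)


def skeleton(password: str) -> str:
    """Strip calendar words and digit runs: 'march0fish' and 'april0fish' both become 'fish'."""
    s = re.sub("|".join(CALENDAR_WORDS), "", password.lower())
    return re.sub(r"\d+", "", s)


def check_change(new: str, old: str, history: list, policy: Policy = Policy()) -> list:
    """Return the codes of every rule the proposed password breaks; [] means accepted."""
    problems = []
    if len(new) < policy.min_length:
        problems.append("length")
    if sum(c.isupper() for c in new) < policy.min_upper:
        problems.append("upper")
    if sum(c.islower() for c in new) < policy.min_lower:
        problems.append("lower")
    if sum(not c.isalnum() for c in new) < policy.min_special:
        problems.append("special")
    # V: characters of the new password that occur nowhere in the old one (assumed reading).
    if sum(c not in old for c in new) < policy.min_new_chars:
        problems.append("new_chars")
    if any(word in new.lower().translate(LEET) for word in BANNED_WORDS):
        problems.append("dictionary")
    # The month-rotation cycle from the reply: same password with the date swapped.
    if new != old and skeleton(new) == skeleton(old):
        problems.append("rotation")
    # Changing straight back to a recent password.
    if in_history(new, history):
        problems.append("history")
    return problems


if __name__ == "__main__":
    hist = record_change([], "march0fish")
    print(check_change("april0fish", "march0fish", hist))
    print(check_change("Quartz-Lantern-7!", "march0fish", hist))
```

Note that the history check needs the candidate hashed once per stored entry,
so history depth multiplies the PBKDF2 cost at change time; and none of this
helps against the sniffer problem in the reply, which is a transport issue,
not a password-quality one.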