Re: [fw-wiz] Stanford break in

From: Adam Shostack
Date: 04/23/04

  • Next message: Bennett Todd: "Re: [fw-wiz] Stanford break in"
    To: "Stewart, John" <>
    Date: Fri, 23 Apr 2004 14:37:28 -0400

    Your intuition is correct. Some of the problems you want to avoid are
    the march0fish, april0fish, may0fish cycle, the rapid change back to a
    previous password, etc. You also need to deal with the fact that a
    great many apps are sending passwords over the wire in the clear. The
    best password in the world doesn't beat a sniffer.

    Ross Anderson's excellent book "Security Engineering" covers these
    questions in detail, and gives you both anecdotal and formal testing


    On Fri, Apr 23, 2004 at 10:33:10AM -0500, Stewart, John wrote:
    | Speaking of password choices, and studies regarding them... we're going
    | through some audits here (part of the Sarbanes-Oxley act), and one of the
    | things we're going to need to get formal about enforcing is a Password
    | Policy.
    | It's going to be something like:
    | 1 - Passwords must be changed every N days.
    | 2 - Old passwords must not be re-used for M months.
    | 3 - Passwords must meet the following guidelines:
    | - Should not be based on well-known or easily accessible personal
    | information.
    | - Must contain at least X characters.
    | - Must contain at least Y uppercase and Z lowercase characters.
    | - Must contain at least W special characters (e.g. $, %, @)
    | - Must contain at least V characters that are different from those
    | found in the password that it is replacing.
    | - Must not be dictionary (standard or slang) words, fictional
    | character names, or based on the company's name or location.
    | The values for N, M, X, Y, W, V, etc., are yet to be determined.
    | It has always been my opinion that forcing a new password more often than
    | once a year or so is counter-productive. I know how hard it is to get my DBA
    | to remember the new root passwords we roll out; forcing frequent changes to
    | the general user community I think is begging for a sticky-note problem.
    | However, the "conventional wisdom" in the security (and auditor) world seems
    | to be that frequent password changes should be required. I personally have
    | never seen any studies on what makes a good password policy, just people
    | making recommendations without any data to back it up. Most of these
    | recommendations seem pretty naive to me, but unless I have some hard
    | numbers, I'm afraid we're going to end up in a situation soon which will
    | cause the sticky-note proliferation.
    | I'm curious how others have handled this.
    | thanks
    | johnS
    | _______________________________________________
    | firewall-wizards mailing list
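The quoted policy is concrete enough to turn into a checker, and doing so shows what Shostack's reply is getting at: a plain "new password must differ from the old one" rule is satisfied by march0fish -> april0fish -> may0fish, so a rotation requirement needs a check for predictable variants as well as the V-characters-changed rule. The code below is an added example, not anything posted to the list. The rule numbering follows the quoted policy; the values chosen for N, M, X, Y, Z, W and V, the stand-in word list, the month-token "skeleton" trick, the use of edit distance for rule V, and the sample password history are all this example's own assumptions.

```python
"""Password-policy checker for the rule list quoted in the message above.

Added example, not code from the firewall-wizards thread. Rule numbers
follow the quoted policy; the parameter values, word list, month-token
trick, edit-distance reading of rule V and sample passwords are all
constructed assumptions.
"""
import re
from datetime import date, timedelta

# Constructed values for the policy's N, M, X, Y, Z, W, V placeholders.
N_MAX_AGE_DAYS = 90        # rule 1: must be changed every N days
M_HISTORY_MONTHS = 12      # rule 2: no re-use for M months
X_MIN_LEN = 10             # rule 3: at least X characters
Y_MIN_UPPER = 1
Z_MIN_LOWER = 1
W_MIN_SPECIAL = 1
V_MIN_DIFFERENT = 5        # at least V characters different from the old one

SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")
# Stand-in for the dictionary / slang / company-name list (constructed).
FORBIDDEN_WORDS = {"password", "acme", "letmein", "dragon"}
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_RE = re.compile("|".join(MONTHS), re.IGNORECASE)  # "may" also hits "dismayed"

# Constructed history, newest first: the month cycle Shostack warns about.
SAMPLE_HISTORY = [("April0fish!Q", date.today() - timedelta(days=40)),
                  ("March0fish!Q", date.today() - timedelta(days=70))]


def levenshtein(a, b):
    """Edit distance; this example uses it to count characters 'different
    from' the password being replaced (rule V). Other readings exist."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_skeleton(pw):
    """Collapse month names and digit runs so march0fish, april0fish and
    may1fish all map to the same skeleton; a plain inequality check misses
    that cycle entirely."""
    return MONTH_RE.sub("<month>", re.sub(r"\d+", "<n>", pw.lower()))


def check_password(new, history, personal_info=()):
    """Return the list of rule violations (empty means the password passes).

    history: list of (password, date_set) tuples, newest first. Plaintext
    history is for the demonstration only; a real system keeps hashes, so
    rule 2 compares hashes and the skeleton/edit-distance checks can only
    run against the password the user types at change time.
    """
    problems = []
    lower = new.lower()

    # Rule 3: composition requirements.
    if len(new) < X_MIN_LEN:
        problems.append(f"shorter than {X_MIN_LEN} characters")
    if sum(c.isupper() for c in new) < Y_MIN_UPPER:
        problems.append(f"fewer than {Y_MIN_UPPER} uppercase characters")
    if sum(c.islower() for c in new) < Z_MIN_LOWER:
        problems.append(f"fewer than {Z_MIN_LOWER} lowercase characters")
    if sum(c in SPECIALS for c in new) < W_MIN_SPECIAL:
        problems.append(f"fewer than {W_MIN_SPECIAL} special characters")
    if any(w in lower for w in FORBIDDEN_WORDS):
        problems.append("contains a dictionary/slang/company word")
    if any(p and p.lower() in lower for p in personal_info):
        problems.append("based on personal information")

    # Rule 2: no re-use within M months (months approximated as 30 days).
    cutoff = date.today() - timedelta(days=30 * M_HISTORY_MONTHS)
    if any(when >= cutoff and old == new for old, when in history):
        problems.append(f"re-used within {M_HISTORY_MONTHS} months")

    # Rule V and the rotation-cycle check, against the current password only.
    if history:
        current, _ = history[0]
        if levenshtein(new, current) < V_MIN_DIFFERENT:
            problems.append(f"fewer than {V_MIN_DIFFERENT} characters changed")
        if rotation_skeleton(new) == rotation_skeleton(current):
            problems.append("predictable variant of the current password")
    return problems


def password_expired(date_set, today=None):
    """Rule 1: true once the password is older than N days."""
    today = today or date.today()
    return (today - date_set).days > N_MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ("May0fish!Q", "March0fish!Q", "Correct-Horse-7Battery"):
        result = check_password(candidate, SAMPLE_HISTORY, ["johns"])
        print(candidate, "->", result or "OK")
```

Running it shows the point of the thread: "May0fish!Q" clears every composition rule and differs from "April0fish!Q" in five characters, yet it is rejected only because the skeleton check recognises it as the next step in the cycle; "March0fish!Q" is caught both as a re-use inside the M-month window and as too small a change from the current password. None of this addresses Shostack's other observation: a password that passes all of these checks is still captured intact by a sniffer if the application sends it in the clear.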
