Re: [Full-disclosure] Yahoo security give blogger the thumbs up

On Sun, 12 Mar 2006, SO SECURITY RESEARCH INSTITUTE wrote:

> ADP
> were unavailable for comment at time of this message being submitted to
> Full-Disclosure mailing list. http://tinyurl.com/plqt3

This URL describes ADP's not unreasonable password policy (8-14 characters,
must contain special chars, no incrementing or decrementing chars, and no
repeats). Sure, it's annoying, but it's also good practice. At least
they haven't gone over the edge, like, oh, a large tier-1 NSP with a 6
letter name that has all the above requirements, AND:

Password shall change EVERY 90 DAYS!;
password shall not ever repeat;
password shall not be derived from any dictionary word
(!!! - this alone makes the system unusable - !!!)
no passwords like "#V3rify||M3||n0w#" because
there are three English derived words. Ever try and
actually USE such a gawd awful system?

The KICKER though was this: the above requirements are for several
discrete systems (domain login, RADIUS login, VPN login, etc.), and NONE of
these systems shared credentials - so you had to change them ALL every
three months, AND keep them straight!

As an industry, we need to come to terms with the concept that a bad
password kept secret is better than a great password written down on every
available surface because it changes every 3 months and has irrational
requirements.

ADP seems to have found a good middle ground policy. Revealing that
policy hurts nobody in any way - ADP/Yahoo security is not compromised by
this disclosure - so what's the point?

--
Yours,

J.A. Terranson
sysadmin@xxxxxxx
0xBD4A95BF


'The right of self defence is the first law of nature: in most governments
it has been the study of rulers to confine this right within the narrowest
limits possible. Wherever standing armies are kept up, and the right of
the people to keep and bear arms is, under any colour or pretext
whatsoever, prohibited, liberty, if not already annihilated, is on the
brink of destruction.'

St. George Tucker

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
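An added illustration of the two policies the message contrasts (not ADP's code and not the poster's): a checker for the ADP rules as described, plus the NSP-style dictionary rule that rejects "#V3rify||M3||n0w#". The exact meaning of "incrementing or decrementing chars" (a run of three consecutive character codes) and "repeats" (the same character twice in a row) is assumed, and the word list is a tiny constructed stand-in for a real dictionary.

```python
"""Checker for the two password policies described in the post.

Added example, not ADP's or the poster's code. Assumptions: a
"sequential run" is three characters with consecutive codes ("abc",
"321"); a "repeat" is the same character twice in a row; the NSP's
dictionary rule is approximated by undoing common letter substitutions
and searching a tiny constructed word list.
"""
import string

SPECIAL = set(string.punctuation)
# Reverse the usual letter-for-digit substitutions before word matching.
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "@": "a", "$": "s", "4": "a"})
# Constructed word list; a real check would load a full dictionary.
WORDS = {"verify", "me", "now", "pass", "word"}


def adp_violations(pw: str) -> list[str]:
    """Rules the post attributes to ADP: 8-14 chars, a special char,
    no incrementing/decrementing run, no repeated char. Empty = pass."""
    problems = []
    if not 8 <= len(pw) <= 14:
        problems.append("length must be 8-14")
    if not any(c in SPECIAL for c in pw):
        problems.append("needs a special character")
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - 2):
        d1, d2 = codes[i + 1] - codes[i], codes[i + 2] - codes[i + 1]
        if d1 == d2 and abs(d1) == 1:  # +1,+1 or -1,-1 step
            problems.append(f"sequential run {pw[i:i + 3]!r}")
            break
    for i in range(len(pw) - 1):
        if pw[i] == pw[i + 1]:
            problems.append(f"repeated character {pw[i]!r}")
            break
    return problems


def dictionary_words(pw: str) -> list[str]:
    """NSP-style rule: dictionary words still visible once leetspeak is
    undone and non-letters dropped. Any hit means the password is rejected."""
    letters = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    return sorted(w for w in WORDS if w in letters)


if __name__ == "__main__":
    for candidate in ("#V3rify||M3||n0w#", "Tr0ub&4dor", "Qw9!pass"):
        print(candidate, adp_violations(candidate), dictionary_words(candidate))
```

Note how `dictionary_words` flags "me" inside almost anything, which is the unusability the poster complains about; the ADP rules, by contrast, reject the same example only on length and the doubled "|".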
