RE: passwords

From: Trevor Cushen (Trevor.Cushen@sysnet.ie)
Date: 02/20/03

    Date: Thu, 20 Feb 2003 09:11:12 -0000
    From: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>
    To: <security-basics@securityfocus.com>
    
    

    I had not added anything to this discussion because as you have said it
    can be talked to death. But yesterday I saw an article about passwords
    and thought I would pass it on because it really is a daring stand the
    author has taken. But I saw the article in hard copy and when I went to
    search for it I found several articles under the same heading

    "PASSWORDS ARE PASSE"

    All these articles talk about biometrics and PKI etc., but essentially
    various forms of phasing out the user-entered password. I would be
    interested in what this forum's general consensus is on that line of
    thinking.

    This is not my line of thinking, nor do I have a project in the works
    to provide more details on a possible implementation or environment,
    number of users, costings etc. It is the concept that I am interested
    in getting feedback on, just out of curiosity.

    Many thanks

    Trevor Cushen
    Sysnet Ltd

    www.sysnet.ie
    Tel: +353 1 2983000
    Fax: +353 1 2960499

    -----Original Message-----
    From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
    Sent: 19 February 2003 14:28
    To: 'ullmic6'; 'security-basics@securityfocus.com'
    Subject: RE: passwords

    That's it??? Arguments can be made for changing passwords from between
    30 and 90 days. Each argument has valid points which I will not elaborate
    on again since it's been beaten to death. 30 to 90 is fine but you need
    to make sure there is complexity involved. The harder the complexity
    the more valid the argument for 90 days so users won't be tempted to
    write it down. I wouldn't exceed more than 90 ever but I prefer 30. A
    combination of capital and lowercase letters, numbers and symbols.
    Require 3 out of the 4 minimum. Make a minimum length of 7. If you are
    using LANMan make it 7 not 8, since 7 is harder to crack for LANMan, and
    for other reasons that I also won't go into. You should have a password
    history as well. I prefer 12 so that people can slightly change the
    password to be Passw0rd1, Passw0rd2, .... Run enforcement on these
    policies and run password checkers to verify.

    IMHO, 30 days is best. I've had 30 days with these rules and users are
    fine. At first people tend to kick and scream but if you reduce the
    times in increments of say 15 days every 3 months people don't notice
    the difference.

    Good Password - N0t*N0w, Abs0lutely%,
    Bad Password - tuxedo, names, birthdates, License plates, names, pets,
    anything in a dictionary (incl foreign languages, klingon, etc.),
    anything identifiable or guessable about a person, phone #'s, etc.

    > -----Original Message-----
    > From: ullmic6 [mailto:ullmic6@web.de]
    > Sent: Monday, February 17, 2003 2:02 PM
    > To: security-basics@securityfocus.com
    > Subject: passwords
    >
    >
    > Hello all,
    >
    > one of the favorite subjects in my company seems to be the
    > strength of passwords. We force our users to change their
    > mail password every 90 days. Does this make sense? Why?
    >
    > --
    > ullmic
    >
    >
    >

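The policy Sonja lays out in the forwarded reply (minimum length 7, three of four character classes, a 12-deep history that users dodge with Passw0rd1/Passw0rd2, dictionary words, and the 7-not-8 LANMan point) as a password checker in Python; this is an added example and not code from anyone in the thread. The word list and history entries are constructed stand-ins, and catching the "slightly changed" variant by stripping trailing digits is my own heuristic, not something the thread specifies.

```python
import re

# Rules as stated in the thread
MIN_LENGTH = 7
MIN_CLASSES = 3          # "3 out of the 4"
HISTORY_DEPTH = 12       # "I prefer 12"

# Constructed stand-in for a real word list (the thread names tuxedo as bad)
DICTIONARY = {"tuxedo", "password", "klingon"}

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def character_classes(pw):
    """Set of the four classes present in pw."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(pw)}

def stem(pw):
    """Heuristic (mine, not the thread's): drop trailing digits and case so
    Passw0rd1 and Passw0rd2 compare equal against the history."""
    return re.sub(r"\d+$", "", pw).lower()

def check_password(pw, history=(), dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    # Dictionary check on the password and on its letters-only core
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()
    if pw.lower() in dictionary or core in dictionary:
        problems.append("dictionary word")
    # History: only the last HISTORY_DEPTH entries count, as the policy says
    recent = list(history)[-HISTORY_DEPTH:]
    if pw in recent:
        problems.append("reused within history")
    elif stem(pw) in {stem(h) for h in recent}:
        problems.append("trivial variant of a recent password")
    return problems

def lanman_halves(pw):
    """LAN Manager uppercases, pads to 14 and hashes two independent 7-char
    halves, so an 8-char password leaves a one-char second half: the reason
    behind the thread's "make it 7 not 8"."""
    padded = pw.upper().ljust(14, "\0")[:14]
    return padded[:7].rstrip("\0"), padded[7:].rstrip("\0")
```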
