Re: Seeking benchmark data on passwords
From: aruna (arunah_at_slt.lk)
Date: 02/23/04
- Previous message: Marty: "Patch manager for IBM AIX"
- In reply to: Steve: "Re: Seeking benchmark data on passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <security-basics@securityfocus.com>
Date: Mon, 23 Feb 2004 14:53:11 +0600
To All,
I would appreciate a template for a Privacy and Data Protection Policy
applicable to an IT data center.
Any URL or template is useful.
Also, is this document shown to the customer/client on request, as this may
increase confidence?
Any help is highly appreciated.
Best Regards
aruna
----- Original Message -----
From: "Steve" <securityfocus@delahunty.com>
To: "Chris Davis" <chrisdavis@ti.com>; <security-basics@securityfocus.com>
Sent: Thursday, February 19, 2004 12:58 AM
Subject: Re: Seeking benchmark data on passwords
> NIST has guidance on this.
> NIST Special Publication 800-14, Generally Accepted Principles and
> Practices for Securing Information Technology Systems
> - Specify Required Attributes. Secure password attributes such as a
> minimum length of six, inclusion of special characters, not being in an
> online dictionary, and being unrelated to the user ID should be specified
> and required.
>
> - Change Frequently. Passwords should be changed periodically.
>
> - Train Users. Teach users not to use easy-to-guess passwords, not to
> divulge their passwords, and not to store passwords where others can find
> them.
>
>
> FIPS (govt pub) has this guidance.
> According to Federal Information Processing Standards Publication 112,
> Password Usage Password System for Medium Protection Requirements:
>
> 1. Length Range: 4-8
>
> 2. Composition: U.C. Letters (A-Z), L.C. Letters (a-z), and digits (0-9)
>
> 3. Lifetime: 6 months
>
> 4. Source: System generated and user selected
>
> 5. Ownership: Individual
>
> 6. Distribution: Terminal and special mailer
>
> 7. Storage: Encrypted passwords
>
> 8. Entry: Non-printing keyboard and masked-printing keyboard
>
> 9. Transmission: Cleartext
>
> 10. Authentication Period: Login and after 10 minutes of terminal
> inactivity.
>
>
> We have used this policy below. We also encrypt the password database
> (SAM).
>
> PASSWORD GUIDANCE
>
> Do not write down your password.
>
> Do not share your password with other users.
>
> Do not let other people know your password, even the IT staff.
>
> NETWORK PASSWORD REQUIREMENTS
>
> Passwords are automatically set to expire every 60 days; the system will
> remind you that you need to change your password.
>
> Passwords must be at least 8 characters long. Passwords may not contain
> your user name or any part of your full name. Passwords must include a
> combination of letters, numbers, and punctuation characters. Passwords
> must contain characters from at least three of the following four classes:
>
> Description            Examples
>
> Upper Case Letters     A, B, C, ... Z
>
> Lower Case Letters     a, b, c, ... z
>
> Numerals               0, 1, 2, ... 9
>
> Non-alphanumeric       special characters such as punctuation and symbols
>                        above the numbers on the keyboard
>
> When changing your password, the new password must be unique, not one used
> previously on our system; using a variation of a previous password is an
> allowable technique.
>
>
>
> ----- Original Message -----
> From: "Chris Davis" <chrisdavis@ti.com>
> To: <security-basics@securityfocus.com>
> Sent: Tuesday, February 17, 2004 1:02 PM
> Subject: Seeking benchmark data on passwords
>
>
>
>
> Hello List,
>
> We are gathering benchmark data on passwords because we want to revisit
> our password policies. Would you mind helping? We need this by Thursday.
>
> For security reasons, please do not email your company name if you are
> concerned about that. For the purposes of our internal work, your name
> will be replaced by a generic "Services Company" or "Product Company" and a
> general estimation of size (Fortune 100, 500, small kid on the block,
> etc.).
>
> We're going to send the results out at the end of the week if you would
> like a copy (without the company names on them)... ;)
>
> <<<<<< Short Survey >>>>>>>
>
> Please send benchmark data points to answer the following questions
> regarding password rules:
>
> a) Length?
>
> b) Complexity (alpha, numeric, special, capital, ..)?
>
> c) How often is it changed?
>
> d) Machine generated?
>
> e) Can they reuse old ones?
>
> f) Anything else (smart card, token generator, RSA SecureID)?
>
>
> Thanks!
> Chris
>
> Chris Davis
> IT Security Team
> Texas Instruments
> O: 214-567-8929
>
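The network password requirements Steve quotes (minimum length 8, no user name or part of the full name, three of four character classes, no reuse of a previous password), implemented as a checker. This is an added example, not code from the original thread; the salted PBKDF2 history store, the three-character minimum for name fragments, and the sample user and passwords are assumptions.

```python
import hashlib
import os
import re

# One regex per class named in the policy; a password needs at least three of the four.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
ITERATIONS = 100_000  # PBKDF2 work factor for the history store (assumed value)
MIN_FRAGMENT = 3      # ignore name fragments shorter than this (assumption, not from the post)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the password history never holds cleartext.
    The post only says the database is encrypted; the hashing scheme here is assumed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def was_used_before(password, history):
    """history is a list of (salt, digest) pairs produced by hash_password()."""
    return any(hash_password(password, salt)[1] == digest for salt, digest in history)


def check_password(password, username, full_name, history=()):
    """Return the list of policy rules the password breaks; an empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # "may not contain your user name or any part of your full name" (case-insensitive)
    lowered = password.lower()
    for part in [username] + full_name.split():
        if len(part) >= MIN_FRAGMENT and part.lower() in lowered:
            problems.append(f"contains name fragment '{part}'")
    present = sum(1 for rx in CLASSES.values() if rx.search(password))
    if present < 3:
        problems.append(f"only {present} of 4 character classes (need 3)")
    # "must be unique, not one used previously on our system"
    if was_used_before(password, history):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user named after the thread's signature, with one old password on file
    old = [hash_password("Winter2003!")]
    for candidate in ("Winter2003!", "chrisdavis1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "cdavis", "Chris Davis", old) or "OK")
```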