Minimum password requirements

From: Randall M Gunning (securityfocus_at_randygunning.com)
Date: 07/15/04

  • Next message: Brett Anderson: "Re: Securing Linux based public access terminals" 
    To: <security-basics@securityfocus.com>
Date: Thu, 15 Jul 2004 08:26:57 -0700

    I am working on implementing some minimum standards for our department. I am
    wondering what the list thinks of these standards:

    a. Passwords must be changed at least every 90 days.
    b. Passwords cannot be changed for at least 14 days.
    c. Previous passwords cannot be reused (at least the last 10).
    d. User ids and passwords are "owned" by an individual and must not be
    shared with others.
    e. User accounts that have not been accessed (i.e. logged in to) for 30 days
    will be deactivated.
    f. Inactive user accounts will be deleted after 14 days.

    The numbers I have used are what I used in the corporate world for systems
    that had no special security requirements (i.e. they did not have any
    confidential data on them). What are other people doing for this type of
    standard, if anything? Also, if you had your choice (not subject to a
    committee agreeing), what would you choose for these items?

    Please let me know if you have any questions.

    Thanks,

    Randy

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

  • Next message: Brett Anderson: "Re: Securing Linux based public access terminals"

    Relevant Pages

    • Re: Minimum password requirements
      ... > I am working on implementing some minimum standards for our department. ... Passwords must be changed at least every 90 days. ... I deactivate accounts if users are going on hols / business trips, ...
      (Security-Basics)
    • Re: Local Workstation Admin
      ... > I would like to get a feel for suggestions on the local admin account. ... Standards for passwords depend on your situation and policies. ... I would say that field techs might know local PC administrative level ...
      (microsoft.public.security)
    • Re: Encrypted passwords
      ... >The program asks for a password file name and the file contains passwords ... >that I have approved as meeting my standards. ... way they appears in English words (some pages of Unix manual being the ...
      (FreeBSD-Security)
    • RE: passwords in asp pages
      ... An old vulnerability in IIS was that a specially crafted URL would return the script of an ASP page instead of executing it. ... Subject: passwords in asp pages ... All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • Re: Domain password change policy
      ... W2003 allows you to change multiple user accounts as you need to in bulk, ... Keep in mind that when you enable the change, any passwords already older ... I would also suggest enabling audting of account logon ... You can then view the security log in Event Viewer ...
      (microsoft.public.win2000.group_policy)