RE: Minimum password requirements

From: dave kleiman (dave_at_isecureu.com)
Date: 07/20/04

  • Next message: dave kleiman: "RE: Minimum password requirements"
    To: <security-basics@securityfocus.com>
    Date: Tue, 20 Jul 2004 12:14:08 -0400
    
    

    You might want to make sure "F" meets company policy to cover FMLA etc. Some
    company personnel could be on extended medical leave for longer then 30
    days.

    Minimum password length, which is "arguable", (stealing Sonja's term) should
    be set to 8 or higher. The NSA/NIST guidelines use 12, the Common Criteria
    use 8. In MSFT environment greater than 7 insures that you at least break
    into the second half of the LM hash store. But, you really want to insure
    the LM hash store of the password does not even exist. If this is a MSFT
    environment invoke the NoLMHash store on all machines.

    ______________________________________
    Dave Kleiman, CISSP, CISM, CIFI, MCSE
    www.SecurityBreachResponse.com

    -----Original Message-----
    From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
    Sent: Monday, July 19, 2004 10:27
    To: 'Randall M Gunning'; security-basics@securityfocus.com
    Subject: RE: Minimum password requirements

    a. I'd say 30 but it's aruable.
    b. I'd say 1 but it's arguable.
    c. OK
    d. OK
    e. OK
    f. I'd give 30 on disable. It takes a while for managers to realize they
    need files from someone's share before they're deleted.
    =========== I would add
    g. pwd min length = 7
    h. no generic accounts unless documented and approved i. password
    complexity = upper, lower, character, # - 3 out of the 4.
    j. User ID Standards- first init, last name (full name or certain # of
    characters, say 8?) or somethign similar but make it consistent.

    -----Original Message-----
    From: Randall M Gunning [mailto:securityfocus@randygunning.com]
    Sent: Thursday, July 15, 2004 11:27 AM
    To: security-basics@securityfocus.com
    Subject: Minimum password requirements

    I am working on implementing some minimum standards for our department. I am
    wondering what the list thinks of these standards:

    a. Passwords must be changed at least every 90 days.
    b. Passwords cannot be changed for at least 14 days.
    c. Previous passwords cannot be reused (at least the last 10).
    d. User ids and passwords are "owned" by an individual and must not be
    shared with others.
    e. User accounts that have not been accessed (i.e. logged in to) for 30 days
    will be deactivated.
    f. Inactive user accounts will be deleted after 14 days.

    The numbers I have used are what I used in the corporate world for systems
    that had no special security requirements (i.e. they did not have any
    confidential data on them). What are other people doing for this type of
    standard, if anything? Also, if you had your choice (not subject to a
    committee agreeing), what would you choose for these items?

    Please let me know if you have any questions.

    Thanks,

    Randy

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills of an Ethical Hacker to better assess the security of your
    organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    CONFIDENTIALITY NOTICE: This e-mail transmission, including any attachments
    to it, may contain confidential information or protected health information
    subject to privacy regulations such as the Health Insurance Portability and
    Accountability Act of 1996 (HIPAA). This transmission is intended only for
    the use of the recipient(s) named above. If you are not the intended
    recipient, or a person responsible for delivering it to the intended
    recipient, you are hereby notified that any disclosure, copying,
    distribution or use of any of the information contained in this transmission
    is STRICTLY PROHIBITED. If you have received this transmission in error,
    please immediately notify me by reply e-mail and destroy the original
    transmission in its entirety without saving it in any manner.

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills of an Ethical Hacker to better assess the security of your
    organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


  • Next message: dave kleiman: "RE: Minimum password requirements"

    Relevant Pages

    • RE: Cisco CSA
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Any reason not to use strcpy, strcat or scanf?
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: New Trojan?
      ... > Ethical Hacking at the InfoSec Institute. ... Attend a course taught by an expert instructor with years of ... pen testing experience in our state of the art hacking lab. ... to facilitate one-on-one interaction with one of our expert instructors. ...
      (Security-Basics)
    • RE: Wireless access
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... pen testing experience in our state of the art hacking lab. ... Attend a course taught by an expert instructor with years of in-the-field ...
      (Security-Basics)
    • Re: antivirus for linux
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)