RE: Minimum password requirements

From: dave kleiman (dave_at_isecureu.com)
Date: 07/20/04

  • Next message: phillip gay: "RE: Restricting users fron installing"
    To: <gillettdavid@fhda.edu>, "'Randall M Gunning'" <securityfocus@randygunning.com>, <security-basics@securityfocus.com>
    Date: Mon, 19 Jul 2004 22:37:12 -0400
    
    

    Dave,

    Absolutely it is; otherwise the user could just change his password 10 times
    to get back to the original one. We generally use 3-5 days, but 14 is fine.

    If all your systems can support it, you should try incorporating ALT
    characters into your policy, at least for Admin and Extended access users.

    ______________________________________
    Dave Kleiman, CISSP, CISM, CIFI, MCSE
    www.SecurityBreachResponse.com

    -----Original Message-----
    From: David Gillett [mailto:gillettdavid@fhda.edu]
    Sent: Monday, July 19, 2004 11:47
    To: 'Randall M Gunning'; security-basics@securityfocus.com
    Subject: RE: Minimum password requirements

    > b. Passwords cannot be changed for at least 14 days.

      With the last 10 being retained, I don't think this one is necessary. And
    since it could prevent a leaked/compromised password from being changed, I'd
    say it risks decreasing security rather than improving it.

      Also, I don't see anything here which specifies the length or content of
    passwords, which directly determine how vulnerable they are to cracking. Or
    what about not writing them on a post-it stuck to a corner of the screen?

    David Gillett

    > -----Original Message-----
    > From: Randall M Gunning [mailto:securityfocus@randygunning.com]
    > Sent: Thursday, July 15, 2004 8:27 AM
    > To: security-basics@securityfocus.com
    > Subject: Minimum password requirements
    >
    >
    > I am working on implementing some minimum standards for our
    > department. I am wondering what the list thinks of these standards:
    >
    > a. Passwords must be changed at least every 90 days.
    > b. Passwords cannot be changed for at least 14 days.
    > c. Previous passwords cannot be reused (at least the last 10).
    > d. User ids and passwords are "owned" by an individual and must not be
    > shared with others.
    > e. User accounts that have not been accessed (i.e. logged in
    > to) for 30 days
    > will be deactivated.
    > f. Inactive user accounts will be deleted after 14 days.
    >
    > The numbers I have used are what I used in the corporate world for
    > systems that had no special security requirements (i.e. they did not
    > have any confidential data on them). What are other people doing for
    > this type of standard, if anything? Also, if you had your choice (not
    > subject to a committee agreeing), what would you choose for these
    > items?
    >
    > Please let me know if you have any questions.
    >
    > Thanks,
    >
    > Randy
    >
    >
    >
    >
    > --------------------------------------------------------------
    > -------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    > off any course! All of our class sizes are guaranteed to be 10
    > students or less to facilitate one-on-one interaction with one of our
    > expert instructors.
    > Attend a course taught by an expert instructor with years of
    > in-the-field pen testing experience in our state of the art hacking
    > lab.
    > Master the skills
    > of an Ethical Hacker to better assess the security of your
    > organization.
    > Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > --------------------------------------------------------------
    > --------------
    >
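As an added example that is not part of the thread, the following Python change-password check enforces the three numeric rules from Randy's list (90-day maximum age, 14-day minimum age, last 10 passwords retained) and shows why Dave Kleiman's minimum-age argument holds: with no minimum age, HISTORY_DEPTH + 1 quick changes cycle the original password straight back in; with a 14-day minimum age the same sequence is refused on the first attempt. That second result is also David Gillett's caveat in code: a user who knows his password has leaked cannot change it himself until the minimum age has elapsed, so an administrator reset path has to bypass the check. The function names, the policy constants and the PBKDF2 iteration count are this example's own assumptions, not anything from the list posts.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy knobs from Randy's proposed standard (assumed values for the example).
MAX_AGE_DAYS = 90
MIN_AGE_DAYS = 14
HISTORY_DEPTH = 10
DAY = 86400
# Kept low so the example runs quickly; a real deployment uses a far higher count.
PBKDF2_ROUNDS = 10_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: int                              # epoch seconds of the last change
    history: list = field(default_factory=list)  # (salt, digest) of retired passwords


def create(password: str, now: int) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), now)


def _seen_before(acct: Account, candidate: str) -> bool:
    # Compare against the current password and every retained old one.
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            return True
    return False


def change_password(acct: Account, new_password: str, now: int,
                    min_age_days: int = MIN_AGE_DAYS):
    """Return (ok, reason). The account is only modified on success."""
    if now - acct.changed_at < min_age_days * DAY:
        return False, "too soon: minimum password age not reached"
    if _seen_before(acct, new_password):
        return False, "reuse: matches one of the last %d passwords" % HISTORY_DEPTH
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[HISTORY_DEPTH:]             # retain only the last N
    acct.salt = os.urandom(16)
    acct.digest = _hash(new_password, acct.salt)
    acct.changed_at = now
    return True, "changed"


def is_expired(acct: Account, now: int) -> bool:
    return now - acct.changed_at >= MAX_AGE_DAYS * DAY


def cycle_back(min_age_days: int) -> bool:
    """Attempt the trick discussed in the thread: make HISTORY_DEPTH + 1 throwaway
    changes in one sitting, then set the original password again.
    Returns True if the original password was reinstated."""
    now = 0
    acct = create("Original-1", now)             # constructed sample password
    for i in range(HISTORY_DEPTH + 1):
        ok, _ = change_password(acct, "Throwaway-%d" % i, now, min_age_days)
        if not ok:
            return False
    ok, _ = change_password(acct, "Original-1", now, min_age_days)
    return ok


if __name__ == "__main__":
    print("no minimum age, original reinstated:", cycle_back(0))
    print("14-day minimum age, original reinstated:", cycle_back(MIN_AGE_DAYS))
```

Note that a history of 10 means the eleventh change, not the tenth, is the one that finally pushes the original out of the retained list, because the current password is compared as well as the ten retired ones.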


