Re: Password Management

---

• From: "Jason T. Hallahan" <jthallah@xxxxxxxxx>
• Date: Fri, 21 Apr 2006 13:53:48 -0400

---

I read somewhere that the optimal password length for a Windows system
is actually 7 alphanumeric characters... can anyone verify or expand
on that?

On 4/20/06, Crawley, Jim <Jim.Crawley@xxxxxxxxxxxx> wrote:

Post-it notes on the monitor.



Really though, it's all pretty straight forward. Minimum 6-8
characters, no maximum (try to encourage pass-phrases as they're easier
to remember and harder to guess than simple words), complexity
(combination of alphanumeric characters), 60 day expiration, 5-20
password history. No exceptions. None, at all. Nill. Nada. Zip.

Most programs/systems there's not much you can do about the
storage of the passwords in the system itself, but if you're talking
about end-users then your biggest worry will be what I said in my first
line. The best way to avoid this is probably to try to integrate as
many systems as you can to use the same accounts.

Right now we're working on getting all our in-house and
supplier-built systems working off our Active Directory accounts pulling
the passwords via Kerberos from our domain controllers. This however
will also cause the issue of one system being compromised and they all
get compromised. It's a risk/benefit write-off thing - we think the
risk is worth it as the other option IS the dreaded post-it notes.


-----Original Message-----
From: Securi Net [mailto:securinet2004@xxxxxxxx]
Sent: Friday, 21 April 2006 2:44 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Password Management

Hello list members,

Does anyone know of any password management standards that are out
there?

I am looking at drafting an Enterprise wide strategy for managing
passwords, which should encompass change, exceptions to change, password
storage security, secure practices, categorization of accounts, etc.

What I am trying to accomplish is to give a robust and resilient
structure to all the best practices out there around password
management.

I don't expect to find a silver bullet, but would welcome any feedback.

Regards

CP

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

------------------------------------------------------------------------
-
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

---

• Follow-Ups:
  • Re: Password Management
    • From: Turk
  • Re: Password Management
    • From: Kelly Martin

• References:
  • RE: Password Management
    • From: Crawley, Jim

• Prev by Date: Mac Forensics
• Next by Date: RE: Why attacker install irc after hacking?
• Previous by thread: RE: Password Management
• Next by thread: Re: Password Management
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Password Management ... Utz is correct when looking at LM hashes. ... is not 7 characters. ... See why so many companies trust Spy Sweeper Enterprise to ... FREE 30-Day Trial of Spy Sweeper Enterprise ... (Security-Basics) Re: Password Management ... two hashes, one that is 7 characters full, one that only has 2 ... See why so many companies trust Spy Sweeper Enterprise to ... eradicate spyware from their networks. ... FREE 30-Day Trial of Spy Sweeper Enterprise ... (Security-Basics) Re: Password Management ... is actually 7 alphanumeric characters... ... Try Webroot's Spy Sweeper Enterprisefor 30 days for FREE with no ... See why so many companies trust Spy Sweeper Enterprise to ... FREE 30-Day Trial of Spy Sweeper Enterprise ... (Security-Basics) RE: PenTest Checklist ... Penetration Test Sample Report ... Try Webroot's Spy Sweeper Enterprisefor 30 days for FREE with no ... See why so many companies trust Spy Sweeper Enterprise to ... FREE 30-Day Trial of Spy Sweeper Enterprise ... (Security-Basics) Re: Password Management ... is actually 7 alphanumeric characters... ... Try Webroot's Spy Sweeper Enterprisefor 30 days for FREE with no ... See why so many companies trust Spy Sweeper Enterprise to ... FREE 30-Day Trial of Spy Sweeper Enterprise ... (Security-Basics)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > security-basics  > 2006-04