Re: On password expiration

Hi Martin,

If you are very concerned about the security of the system, simply
forcing your users to change their passwords every X number of days is
not going to be a viable security strategy. That's not to say it's
not a really good idea, it's just that some user education is in
order. The average user has no idea about information security. In
order to secure the system, if the data is as sensitive as you have
suggested, I would suggest implementing an account inactivity
expiration time, requiring an admin to re-enable accounts that have
been dormant for X number of days, an account lockdown policy to
prevent brute force attacks, and depending on how secure your
environment needs to be, an access log with someone assigned to audit
login attempts periodically.

In addition, you should set some expectations regarding the handling of
data as a personnel/management issue. For instance implementing an
organizational policy prohibiting employees from writing down their
passwords will mitigate the "sticky-notes on the VGA monitor"
possibility. Ultimately, some employees may choose to disregard this
instruction, but at that point you will have some accountability.

Best Regards,

Dan Stynchula
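The three controls recommended in the message above (inactivity expiry that only an admin can clear, a lockout policy against brute-force guessing, and an access log reviewed periodically), sketched as an added Python example that is not part of the original post; the thresholds are constructed values, since the message leaves "X days" and the lockout count open.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INACTIVITY_DAYS = 90       # constructed value; the post leaves "X days" open
MAX_FAILED_ATTEMPTS = 5    # constructed value; consecutive failures before a lockout
LOCKOUT_MINUTES = 30

@dataclass
class Account:
    username: str
    last_login: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False  # cleared only by admin_reenable, never by a user login

def record(log, now, user, outcome, ok=False):
    # Append one access-log line (reviewed later by flag_for_audit) and return the login result
    log.append(f"{now.isoformat()} user={user} outcome={outcome}")
    return ok

def attempt_login(acct, password_ok, now, log):  # controls applied in the post's order
    if acct.disabled:  # dormant account: an admin must re-enable it first
        return record(log, now, acct.username, "denied-disabled")
    if now - acct.last_login > timedelta(days=INACTIVITY_DAYS):
        acct.disabled = True
        return record(log, now, acct.username, "disabled-inactivity")
    if acct.locked_until and now < acct.locked_until:  # lockout still in effect
        return record(log, now, acct.username, "denied-locked")
    if not password_ok:
        acct.failed_attempts += 1
        locked = acct.failed_attempts >= MAX_FAILED_ATTEMPTS
        if locked:  # temporary lockout to slow down brute-force guessing
            acct.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            acct.failed_attempts = 0
        return record(log, now, acct.username, "locked-brute-force" if locked else "failed")
    acct.failed_attempts, acct.last_login = 0, now
    return record(log, now, acct.username, "success", ok=True)

def admin_reenable(acct, now):  # admin action; restarts the inactivity clock from now
    acct.disabled, acct.last_login = False, now

def flag_for_audit(log, threshold=3):  # periodic review: users with repeated failures/lockouts
    counts = {}
    for line in log:
        user, outcome = line.split("user=")[1].split(" outcome=")
        if outcome in ("failed", "locked-brute-force"):
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, c in counts.items() if c >= threshold)
```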
