Re: On password expiration



Hi Martin,

If you are very concerned about the security of the system, simply
forcing your users to change their passwords every X number of days is
not going to be a viable security strategy. That's not to say it's
not a really good idea, it's just that some user education is in
order. The average user has no idea about information security. In
order to secure the system, if the data is as sensitive as you have
suggested, I would suggest implementing an account inactivity
expiration time, requiring an admin to re-enable accounts that have
been dormant for X number of days, an account lockdown policy to
prevent brute force attacks, and, depending on how secure your
environment needs to be, an access log with someone assigned to audit
login attempts periodically.

In addition, you should set some expectations regarding the handling of
data as a personnel/management issue. For instance, implementing an
organizational policy prohibiting employees from writing down their
passwords will mitigate the "sticky-notes on the VGA monitor"
possibility. Ultimately, some employees may choose to disregard this
instruction, but at that point you will have some accountability
options.

Best Regards,

Dan Stynchula
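As an added example (not part of Dan's reply or the original thread), the following Python script implements two of the controls recommended above over a constructed sample login log: a lockout check for repeated failed logins and an inactivity check that flags dormant accounts for admin review. The log format, threshold values and account names are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample login records "timestamp account outcome" (not real data).
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice success
2024-03-01T08:05:40 bob failure
2024-03-01T08:05:52 bob failure
2024-03-01T08:06:03 bob failure
2024-03-01T08:06:15 bob failure
2024-03-01T08:06:27 bob failure
2024-03-10T09:00:00 alice success
"""
KNOWN_ACCOUNTS = {"alice", "bob", "carol"}  # carol never appears in the log

MAX_FAILURES = 5                    # lockout threshold (assumed policy value)
FAILURE_WINDOW = timedelta(minutes=10)
DORMANT_DAYS = 30                   # inactivity limit before an admin must re-enable

def parse_log(text):
    # Turn the text log into (datetime, account, outcome) tuples.
    events = []
    for line in text.splitlines():
        ts, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, outcome))
    return events

def accounts_to_lock(events, max_failures=MAX_FAILURES, window=FAILURE_WINDOW):
    """Accounts with max_failures or more failed logins inside one sliding window."""
    failures = {}
    for ts, account, outcome in events:
        if outcome == "failure":
            failures.setdefault(account, []).append(ts)
    locked = set()
    for account, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= max_failures:
                locked.add(account)
                break
    return locked

def dormant_accounts(events, known, now_iso, dormant_days=DORMANT_DAYS):
    """Known accounts with no successful login in the last dormant_days (never seen counts)."""
    last_ok = {}
    for ts, account, outcome in events:
        if outcome == "success":
            last_ok[account] = max(ts, last_ok.get(account, ts))
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=dormant_days)
    return {a for a in known if last_ok.get(a, datetime.min) < cutoff}
```

Accounts returned by `accounts_to_lock` are candidates for the lockdown policy; those returned by `dormant_accounts` are the ones an admin would have to re-enable.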



