Security Basics mailing list archives
RE: Minimum password requirements
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sun, 18 Jul 2004 08:37:17 -0400
Without knowing the value of your data and systems, the below recommendations are inline with many people's/company's suggestions. I don't see the most important recommendations, however. You need to add a minimum length and complexity requirements. The inactive account setting of 14 days may be a little too strict. Consider disabling accounts as the first measure of inactivity, instead of deleting them. Also, consider do you back up the inactive system account's files and email before deleting, or do you just delete? If you have Windows systems, you should have the password a minimum length of 6-8, although many security experts would recommend a minimum length of 8 or even possibly 15 (passwords over 15 characters long disable LM password hashing). Also, use group policy or registry edits to disable LM password hashing and force NTLMv2 authentication. In Windows, you also need to create a policy for dealing with password changes of service accounts. Service account passwords must be changed in the Services console and in Active Directory/User Manager. Lastly, think about how you will determine inactive accounts. In Windows, you need Windows Server 2003 domain controllers and be at Windows 2003 domain functional level to be able trust the last logged on timestamp. Roger ************************************************************************ *** *Roger A. Grimes, Banneret Computer Security, Computer Security Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+ *email: roger () banneretcs com *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode *Author of upcoming Honeypots for Windows (Apress) ************************************************************************ **** -----Original Message----- From: Randall M Gunning [mailto:securityfocus () randygunning com] Sent: Thursday, July 15, 2004 11:27 AM To: security-basics () securityfocus com Subject: Minimum password requirements I am working on implementing some minimum standards for our department. I am wondering what the list thinks of these standards: a. Passwords must be changed at least every 90 days. b. Passwords cannot be changed for at least 14 days. c. Previous passwords cannot be reused (at least the last 10). d. User ids and passwords are "owned" by an individual and must not be shared with others. e. User accounts that have not been accessed (i.e. logged in to) for 30 days will be deactivated. f. Inactive user accounts will be deleted after 14 days. The numbers I have used are what I used in the corporate world for systems that had no special security requirements (i.e. they did not have any confidential data on them). What are other people doing for this type of standard, if anything? Also, if you had your choice (not subject to a committee agreeing), what would you choose for these items? Please let me know if you have any questions. Thanks, Randy ------------------------------------------------------------------------ --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- RE: Minimum password requirements, (continued)
- RE: Minimum password requirements David Gillett (Jul 20)
- RE: Minimum password requirements dave kleiman (Jul 20)
- Re: Minimum password requirements steve (Jul 20)
- Re: Minimum password requirements Dan (Jul 20)
- Re: Minimum password requirements Robert Inder (Jul 20)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 21)
- RE: Minimum password requirements Dave Dyer (Jul 21)
- RE: Minimum password requirements John Vill (Jul 19)
- RE: Minimum password requirements Robinson, Sonja (Jul 19)
- RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements Roger A. Grimes (Jul 19)
- Re: Minimum password requirements Ed Spencer (Jul 19)
- RE: Minimum password requirements BĂ©noni MARTIN (Jul 19)
- RE: Minimum password requirements Hamish Stanaway (Jul 19)
- RE: Minimum password requirements Wesley Troy Scott (Jul 19)
- RE: Minimum password requirements Ruiz Cifuentes, Rolando (Jul 20)
- RE: Minimum password requirements Ferino Mardo (Jul 21)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
- Re: Minimum password requirements dmargoli (Jul 22)
- Re: Minimum password requirements Steve (Jul 23)
- Re: Minimum password requirements dmargoli (Jul 23)
- Re: Minimum password requirements dmargoli (Jul 22)