Security Basics mailing list archives

RE: Minimum password requirements

From: "dave kleiman" <dave () isecureu com>
Date: Tue, 20 Jul 2004 12:45:02 -0400

Well one thing we can all agree on is the ""arugability"" (yes I know it is
not a real word) of every aspect of this subject.

Once again I will point to the recommendations by CC and NSA/NIST all of
which are listed below. I do this because of my above statement. This
subject has so many points which can be pulled in either direction that at
the end of the day we have to have some concrete solutions.  It is nice to
have a little backup when something goes wrong, at least you can say you met
or exceeded a tested standard/guideline.

Please also see:

http://www.securityfocus.com/infocus/1554

http://www.securityfocus.com/archive/88/312263


Common Criteria:
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24

NSA/NIST:
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24

Dave Kleiman

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Tuesday, July 20, 2004 11:35
To: 'dave kleiman'; 'Randall M Gunning'; security-basics () securityfocus com
Subject: RE: Minimum password requirements

  Well, I've known users who would change their password and then
immediately change it back, if you let them, but never one who was willing
to change it TEN times to get back to their old password.
I'd think anyone who was that desperate would be dissuaded if the minimum
time between changes was 30 minutes or so -- 10 days still strikes me as
both overkill and *insecure*.

Dave Gillett

-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com]
Sent: Monday, July 19, 2004 7:37 PM
To: gillettdavid () fhda edu; 'Randall M Gunning'; 
security-basics () securityfocus com
Subject: RE: Minimum password requirements

Dave,

Absolutely it is otherwise the user could just change his password 10 
times back to the original one. We generally use 3-5 days but 14 is 
fine.

If your all your systems can support it you should try incorporating 
ALT characters into your policy it least for Admin and Extended access 
users.

______________________________________
Dave Kleiman, CISSP, CISM, CIFI, MCSE
www.SecurityBreachResponse.com

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Monday, July 19, 2004 11:47
To: 'Randall M Gunning'; security-basics () securityfocus com
Subject: RE: Minimum password requirements

b. Passwords cannot be changed for at least 14 days.


  With the last 10 being retained, I don't think this one is 
necessary.  And since it could prevent a leaked/compromised password 
from being changed, I'd say it risks decreasing security rather than 
improving it.

  Also, I don't see anything here which specifies the length or 
content of passwords, which directly determine how vulnerable they are 
to cracking.  Or what about not writing them on a post-it stuck to a 
corner of the screen?

David Gillett

-----Original Message-----
From: Randall M Gunning [mailto:securityfocus () randygunning com]
Sent: Thursday, July 15, 2004 8:27 AM
To: security-basics () securityfocus com
Subject: Minimum password requirements

I am working on implementing some minimum standards for our 
department. I am wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and

must not be

shared with others.
e. User accounts that have not been accessed (i.e. logged in
to) for 30 days
will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for 
systems that had no special security requirements (i.e.

they did not

have any confidential data on them). What are other people

doing for

this type of standard, if anything? Also, if you had your

choice (not

subject to a committee agreeing), what would you choose for these 
items?

Please let me know if you have any questions.

Thanks,

Randy




--------------------------------------------------------------
-------------
Ethical Hacking at the InfoSec Institute. Mention this ad

and get $545

off any course! All of our class sizes are guaranteed to be 10 
students or less to facilitate one-on-one interaction with

one of our

expert instructors.
Attend a course taught by an expert instructor with years of 
in-the-field pen testing experience in our state of the art hacking 
lab.
Master the skills
of an Ethical Hacker to better assess the security of your 
organization.
Visit us at:

http://www.infosecinstitute.com/courses/ethical_hacking_training.html

--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

Minimum password requirements Randall M Gunning (Jul 17)
- Re: Minimum password requirements Jordan Cole (stilist) (Jul 19)
- RE: Minimum password requirements Maurice Post (Jul 19)
- Re: Minimum password requirements Pete Hunt (Jul 19)
- Re: Minimum password requirements _ (Jul 19)
- RE: Minimum password requirements David Gillett (Jul 19)
  - Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 20)
  - RE: Minimum password requirements dave kleiman (Jul 20)
    - RE: Minimum password requirements David Gillett (Jul 20)
    - RE: Minimum password requirements dave kleiman (Jul 20)
- Re: Minimum password requirements steve (Jul 20)
- Re: Minimum password requirements Dan (Jul 20)
- Re: Minimum password requirements Robert Inder (Jul 20)
  - Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 21)
- RE: Minimum password requirements Dave Dyer (Jul 21)
- <Possible follow-ups>
- RE: Minimum password requirements John Vill (Jul 19)
- RE: Minimum password requirements Robinson, Sonja (Jul 19)
  - RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements Roger A. Grimes (Jul 19)
- Re: Minimum password requirements Ed Spencer (Jul 19)

(Thread continues...)