Security Basics mailing list archives
Re: password policy with regard to application userid
From: "Ali, Saqib" <docbook.xml () gmail com>
Date: Thu, 31 May 2007 10:13:16 -0700
It depends on the application, and the level of privileges that the account has and also the auditing of the account usage. If you regularly auditing the account, and it only has a user level privileges, then once a year password change should suffice. One other thing to check is how the application the using the account. As long as the application is kerberos enabled, and is NOT transmitting the username/password on the network, then you don't need to worry about somebody sniffing out the password. For e.g. ADSI calls from IIS do not transmit the username/password over the network, so using a account with more privileges to run a web application is not an serious risk. saqib http://www.full-disk-encryption.net On 31 May 2007 07:30:01 -0000, u.bodalina () gmail com <u.bodalina () gmail com> wrote:
What would be a reasonable password policy with regard to userids used in applications? For example Business Objects needs a system level userid to intergrate with active directory. What would the security implications be if this userid's password wasn't changed? Standard users follow a policy in which they have to change their password every two months. Thanks
-- Saqib Ali, CISSP, ISSAP http://www.full-disk-encryption.net
Current thread:
- password policy with regard to application userid u . bodalina (May 31)
- Re: password policy with regard to application userid Ali, Saqib (May 31)
- <Possible follow-ups>
- Re: password policy with regard to application userid krymson (May 31)