Firewall Wizards mailing list archives

Re: Stanford break in


From: Adam Shostack <adam () homeport org>
Date: Fri, 23 Apr 2004 14:37:28 -0400

Your intuition is correct.  Some of the problems you want to avoid are
the march0fish, april0fish, may0fish cycle, the rapid change back to a
previous password, etc.  You also need to deal with the fact that a
great many apps are sending passwords over the wire in the clear.  The
best password in the world doesn't beat a sniffer.

Ross Anderson's excellent book "Security Engineering" covers these
questions in detail, and gives you both anecdotal and formal testing
insights.

Adam



On Fri, Apr 23, 2004 at 10:33:10AM -0500, Stewart, John wrote:
| 
| Speaking of password choices, and studies regarding them... we're going
| through some audits here (part of the Sarbanes-Oxley act), and one of the
| things we're going to need to get formal about enforcing is a Password
| Policy.
| 
| It's going to be something like:
| 
| 1 - Passwords must be changed every N days.
| 2 - Old passwords must not be re-used for M months.
| 3 - Passwords must meet the following guidelines:
|       - Should not be based on well-known or easily accessible personal
| information.
|       - Must contain at least X characters.
|       - Must contain at least Y uppercase and Z lowercase characters.
|       - Must contain at least W special characters (e.g. $, %, @)
|       - Must contain at least V characters that are different from those
| found in the password that it is replacing.
|       - Must not be dictionary (standard or slang) words, fictional
| character names, or based on the company's name or location.
| 
| 
| The values for N, M, X, Y, W, V, etc., are yet to be determined.
| 
| It has always been my opinion that forcing a new password more often than
| once a year or so is counter-productive. I know how hard it is to get my DBA
| to remember the new root passwords we roll out; forcing frequent changes to
| the general user community I think is begging for a sticky-note problem.
| 
| However, the "conventional wisdom" in the security (and auditor) world seems
| to be that frequent password changes should be required. I personally have
| never seen any studies on what makes a good password policy, just people
| making recommendations without any data to back it up. Most of these
| recommendations seem pretty naive to me, but unless I have some hard
| numbers, I'm afraid we're going to end up in a situation soon which will
| cause the sticky-note proliferation.
| 
| I'm curious how others have handled this.
| 
| thanks
| 
| johnS
| _______________________________________________
| firewall-wizards mailing list
| firewall-wizards () honor icsalabs com
| http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
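The quoted policy rules and Adam's point about the march0fish/april0fish cycle, as an added example that is not code from either poster: a Python checker that applies the quoted rules with constructed values for X, Y, Z, W and V and a constructed banned-word list, where the caller supplies the passwords used within the M-month window as `history`. The `stem` heuristic for catching month-rotation is an assumption about how one would detect that pattern.

```python
import re
import string
from dataclasses import dataclass

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Full names first so "march" wins over the "mar" abbreviation; a coarse heuristic.
MONTH_RE = re.compile("|".join(MONTHS + tuple(m[:3] for m in MONTHS)))


@dataclass(frozen=True)
class Policy:
    # Constructed values; the thread leaves X, Y, Z, W and V undetermined.
    min_length: int = 12      # X
    min_upper: int = 1        # Y
    min_lower: int = 1        # Z
    min_special: int = 1      # W
    min_changed: int = 4      # V
    banned_words: tuple = ("password", "acme", "chicago")  # constructed company/location terms


def changed_chars(new, old):
    """Positions that differ from the previous password; extra length counts as changed."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def stem(pw):
    """Drop digits and month names so 'march0fish' and 'april0fish' both collapse to 'fish'."""
    return MONTH_RE.sub("", re.sub(r"\d+", "", pw.lower()))


def check_password(new, history, policy=Policy()):
    """Return the rules a candidate violates (empty list = acceptable); history is newest-first."""
    problems = []
    if len(new) < policy.min_length:
        problems.append(f"fewer than {policy.min_length} characters")
    if sum(c.isupper() for c in new) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase characters")
    if sum(c.islower() for c in new) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase characters")
    if sum(c in string.punctuation for c in new) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if any(w in new.lower() for w in policy.banned_words):
        problems.append("contains a dictionary, company or location word")
    if new in history:
        problems.append("reuses a password within the retention window")
    if history:
        if changed_chars(new, history[0]) < policy.min_changed:
            problems.append(f"fewer than {policy.min_changed} characters changed")
        if stem(new) == stem(history[0]):
            problems.append("only the month/number changed from the previous password")
    return problems
```

Note that "March0fish!x" after "April0fish!x" satisfies every letter-count rule, including V=4 changed characters, and is caught only by the rotation check.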