Firewall Wizards mailing list archives
Re: Stanford break in
From: Adam Shostack <adam () homeport org>
Date: Fri, 23 Apr 2004 14:37:28 -0400
Your intuition is correct. Some of the problems you want to avoid are the march0fish, april0fish, may0fish cycle, the rapid change back to a previous password, etc. You also need to deal with the fact that a great many apps are sending passwords over the wire in the clear. The best password in the world doesn't beat a sniffer. Ross Anderson's excellent book "Security Engineering" covers these questions in detail, and gives you both anecdotal and formal testing insights.

Adam

On Fri, Apr 23, 2004 at 10:33:10AM -0500, Stewart, John wrote:
|
| Speaking of password choices, and studies regarding them... we're going
| through some audits here (part of the Sarbanes-Oxley act), and one of the
| things we're going to need to get formal about enforcing is a Password
| Policy.
|
| It's going to be something like:
|
| 1 - Passwords must be changed every N days.
| 2 - Old passwords must not be re-used for M months.
| 3 - Passwords must meet the following guidelines:
|     - Should not be based on well-known or easily accessible personal
|       information.
|     - Must contain at least X characters.
|     - Must contain at least Y uppercase and Z lowercase characters.
|     - Must contain at least W special characters (e.g. $, %, @)
|     - Must contain at least V characters that are different from those
|       found in the password that it is replacing.
|     - Must not be dictionary (standard or slang) words, fictional
|       character names, or based on the company's name or location.
|
| The values for N, M, X, Y, W, V, etc., are yet to be determined.
|
| It has always been my opinion that forcing a new password more often than
| once a year or so is counter-productive. I know how hard it is to get my DBA
| to remember the new root passwords we roll out; forcing frequent changes to
| the general user community I think is begging for a sticky-note problem.
|
| However, the "conventional wisdom" in the security (and auditor) world seems
| to be that frequent password changes should be required. I personally have
| never seen any studies on what makes a good password policy, just people
| making recommendations without any data to back it up. Most of these
| recommendations seem pretty naive to me, but unless I have some hard
| numbers, I'm afraid we're going to end up in a situation soon which will
| cause the sticky-note proliferation.
|
| I'm curious how others have handled this.
|
| thanks
|
| johnS
| _______________________________________________
| firewall-wizards mailing list
| firewall-wizards () honor icsalabs com
| http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
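The rule set John quotes, and the "march0fish, april0fish" cycle Adam warns about, are concrete enough to check mechanically. The following is an added example, not code from either poster or from the list: a policy checker whose thresholds are the placeholders N, M, X, Y, Z, W and V from John's list filled with made-up values. Rule V is read here as "characters of the new password that cannot be matched against a character of the old one" (an assumption; the list leaves it open), the dictionary is a tiny constructed stand-in, the reuse window approximates a month as 30 days, and the edit-distance check is an extra rule that is not in John's list, added as one way to catch trivial variants of the previous password. Plaintext history is used only to keep the example self-contained; a real system would compare against salted hashes.

```python
"""Password-policy checker for the rule set quoted in the thread (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass
class Policy:
    max_age_days: int = 180          # N: must be changed every N days (made-up value)
    reuse_window_months: int = 12    # M: old passwords may not be reused for M months
    min_length: int = 12             # X
    min_upper: int = 1               # Y
    min_lower: int = 1               # Z
    min_special: int = 1             # W
    min_new_chars: int = 4           # V: characters not present in the replaced password
    min_edit_distance: int = 5       # assumed extra rule, not in the quoted list
    # constructed stand-in for a real dictionary / slang / company-name list
    dictionary: frozenset = frozenset({"password", "fish", "acme"})


@dataclass
class HistoryEntry:
    password: str   # plaintext only so the example is self-contained
    set_on: date


def levenshtein(a: str, b: str) -> int:
    """Edit distance; passwords are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def chars_not_in(new: str, old: str) -> int:
    """Characters of `new` (with multiplicity) that cannot be matched against `old`.
    One reading of rule V (assumption)."""
    return sum((Counter(new) - Counter(old)).values())


def contains_dictionary_word(pw: str, words) -> bool:
    lowered = pw.lower()
    return any(w in lowered for w in words)


def check_password(new: str, history: list, today: date, policy: Policy) -> list:
    """Return the list of violated rules; an empty list means the password is accepted.

    `history` is ordered oldest first; the last entry is the password being replaced.
    """
    problems = []
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isupper() for c in new) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase character(s)")
    if sum(c.islower() for c in new) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase character(s)")
    if sum(c in string.punctuation for c in new) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special character(s)")
    if contains_dictionary_word(new, policy.dictionary):
        problems.append("contains a dictionary, slang or company word")

    if history:
        current = history[-1].password
        if chars_not_in(new, current) < policy.min_new_chars:
            problems.append(f"fewer than {policy.min_new_chars} characters differ from the current password")
        if levenshtein(new, current) < policy.min_edit_distance:
            problems.append("too similar to the current password (small edit distance)")

    # Rule M: reuse window, with a month approximated as 30 days.
    cutoff = today - timedelta(days=30 * policy.reuse_window_months)
    if any(e.password == new and e.set_on >= cutoff for e in history):
        problems.append(f"reused within the last {policy.reuse_window_months} months")
    return problems


def password_expired(last_set: date, today: date, policy: Policy) -> bool:
    """Rule N: the password must be changed every N days."""
    return (today - last_set).days >= policy.max_age_days


# Constructed sample data: the user's current password was set in January.
DEFAULT_POLICY = Policy()
TODAY = date(2004, 4, 23)
SAMPLE_HISTORY = [HistoryEntry("march0fish", date(2004, 1, 15))]

if __name__ == "__main__":
    for candidate in ("april0fish", "march0fish", "Kq7#vRm2$wLp9!"):
        print(candidate, "->", check_password(candidate, SAMPLE_HISTORY, TODAY, DEFAULT_POLICY) or "accepted")
    print("expired:", password_expired(SAMPLE_HISTORY[-1].set_on, TODAY, DEFAULT_POLICY))
```

Running it shows why the per-rule output matters: "april0fish" fails the length, class-count and dictionary rules, but it also fails the two change-distance rules, which is the only thing standing between the policy and the monthly-variant cycle. Returning the full list rather than a single boolean lets the rejection message tell the user which rule they hit, which in practice reduces the sticky-note workaround John is worried about.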