Full Disclosure mailing list archives

Re: Yahoo security give blogger the thumbs up


From: "J.A. Terranson" <measl () mfn org>
Date: Sun, 12 Mar 2006 18:43:18 -0600 (CST)


On Sun, 12 Mar 2006, SO SECURITY RESEARCH INSTITUTE wrote:

> ADP
> were unavailable for comment at time of this message being submitted to
> Full-Disclosure mailing list. http://tinyurl.com/plqt3

This URL describes ADP's not unreasonable password policy (8-14 characters,
must contain special chars, no incrementing or decrementing chars, and no
repeats).  Sure, it's annoying, but it's also good practice.  At least
they haven't gone over the edge, like, oh, a large tier-1 NSP with a 6
letter name that has all the above requirements, AND:

        Password shall change EVERY 90 DAYS!;
        password shall not ever repeat;
        password shall not be derived from any dictionary word
          (!!! - this alone makes the system unusable - !!!)
          no passwords like   "#V3rify||M3||n0w#"   because
          there are three English derived words.  Ever try and
          actually USE such a gawd awful system?

The KICKER though was this: the above requirements are for several
discrete systems (domain login, RADIUS login, VPN login, etc), and NONE of
these systems shared credentials - so you had to change them ALL every
three months, AND keep them straight!

As an industry, we need to come to terms with the concept that a bad
password kept secret is better than a great password written down on every
available surface because it changes every 3 months and has irrational
requirements.

ADP seems to have found a good middle ground policy.  Revealing that
policy hurts nobody in any way - ADP/Yahoo security is not compromised by
this disclosure - so what's the point?

-- 
Yours,

J.A. Terranson
sysadmin () mfn org
0xBD4A95BF


'The right of self defence is the first law of nature: in most governments
it has been the study of rulers to confine this right within the narrowest
limits possible. Wherever standing armies are kept up, and the right of
the people to keep and bear arms is, under any colour or pretext
whatsoever, prohibited, liberty, if not already annihilated, is on the
brink of destruction.'

St. George Tucker
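
The two policies argued over in the post, mechanized so the difference is visible. This is an added example, not code from ADP, Yahoo, the NSP or the poster. The page does not define "repeats", "incrementing/decrementing chars" or "derived from a dictionary word" precisely, so the checker assumes: a repeat is a character immediately followed by itself; a run is three or more adjacent characters stepping up or down by one code point; and dictionary derivation is approximated by undoing common leetspeak substitutions and looking the remaining letter tokens up in a small constructed word list. Under those assumptions the poster's "#V3rify||M3||n0w#" is rejected by the NSP rule for exactly the three words the post names.

```python
"""Password-policy checker for the ADP and NSP rules described in the post.

Added example; not the real implementation of any of the organisations named.
Assumptions (not stated on the page):
  * "no repeats"  -> no character immediately repeated ("||", "aa");
  * "incrementing/decrementing chars" -> a run of 3+ adjacent code points ("abc", "321");
  * "derived from a dictionary word" -> undo common leetspeak substitutions, split on
    non-letters, and look the tokens up in a word list.
"""
import re
import string

SPECIAL = set(string.punctuation)

# Constructed word list for the demonstration; a real deployment loads a full dictionary.
DICTIONARY = {"verify", "me", "now", "password", "welcome", "secret", "admin"}

# Common letter->digit/symbol substitutions, reversed so "v3rify" normalizes to "verify".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def has_sequence(pw, run=3):
    """True if `run` adjacent characters all step up (or all step down) by one code point."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(pw):
    """True if any character is immediately followed by itself."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def dictionary_words(pw, min_len=2):
    """Dictionary words found after undoing leetspeak and splitting on non-letters."""
    normalized = pw.lower().translate(LEET_MAP)
    return [t for t in re.split(r"[^a-z]+", normalized)
            if len(t) >= min_len and t in DICTIONARY]


def check_adp(pw):
    """Violations of the quoted ADP policy: 8-14 chars, special char, no runs, no repeats."""
    problems = []
    if not 8 <= len(pw) <= 14:
        problems.append("length must be 8-14")
    if not any(c in SPECIAL for c in pw):
        problems.append("needs a special character")
    if has_sequence(pw):
        problems.append("contains incrementing/decrementing run")
    if has_repeat(pw):
        problems.append("contains repeated character")
    return problems


def check_nsp(pw):
    """The stricter NSP policy: everything in check_adp plus the dictionary-derivation rule."""
    problems = check_adp(pw)
    words = dictionary_words(pw)
    if words:
        problems.append("derived from dictionary word(s): " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # Constructed candidates: one that passes both, one that trips the basic rules,
    # and the poster's own example, which only the dictionary rule has a problem with.
    for candidate in ["Kx7!mQ2@", "abc12345", "#V3rify||M3||n0w#"]:
        print(repr(candidate), "ADP:", check_adp(candidate) or "ok")
        print(repr(candidate), "NSP:", check_nsp(candidate) or "ok")
```

Running it shows the poster's point: the length and repeat rules are mechanical and easy to satisfy, while the dictionary rule rejects a long, mixed-character passphrase purely because its letter tokens normalize to English words, which is what pushes users toward writing passwords down.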

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

