WebApp Sec mailing list archives
Re: Why doesn't Amazon enforce a password policy?
From: Tom Whiting <wolf () wolfstream net>
Date: Fri, 27 Oct 2006 07:32:01 -0500
Any time I run into organizations like this which require users to change their passwords every XXX amount of days, I leave. It doesn't matter HOW long I've been a customer of theirs, I simply leave. Why?

Firstly, this is an insecure method of doing things. Users choose their own passwords, for a reason. They shouldn't be required to change their passwords every 30, 60, 90, whatever days. If they do, there's more of a chance that it will get written down, which means that there's more of a chance that someone will "stumble across it", meaning that it's less secure than relying on the brain. Put all the "password recovery" systems in there you want, this is still going to get written down, and it's less secure.

Secondly, this is an insult to your users. It takes something that is THEIR responsibility and makes it YOURS. It's like saying "I'm sorry, but YOUR passwords are too weak, OURS are better, you MUST abide by our password rules". No, as a customer, I must NOT. The internet is a large place, and there are PLENTY of individuals out there who aren't as anal as this about security. My money would simply go there.

Thirdly, this isn't about "security", this is about forcing users to use YOUR policies, which are outdated and entirely too strict. Unless you are processing government sensitive data, there is no reason you should ever force your users to change their passwords, ever. Take a look at the leaders in this industry. Paypal, ebay, amazon, tigerdirect, newegg. Do they require users to change their password every XXX days? No, they do not. Why? Because they respect their customers, and allow THEM to choose to change their passwords. Do away with requiring a non-alphanumeric symbol if you have that, as well, because that's not "good password enforcement", it's the same as above. Personally, I have a set of 5-10 passwords that I have used for years. None of these compare to today's supposed "standards", yet they're all strong enough to be secure in their own right.
I find it an insult when a site like this forces me to change something that I PERSONALLY know is secure enough, and have been for years. Now, if you have proof that your customer's account is "hacked", or has been used without their permission, yes, by all means, force a password change. This should be the ONLY time, however, that this is done, not on a "whim", certainly not set forth by some security policy that will do nothing but annoy users. In the end, why do these companies NOT force their customers to change their password every XXX days? They realize that there are plenty of other ways to enforce security, and this one, minor way will cause more grief than it's worth.
There is a small war going on where I work. I am trying to get a password policy enforced for our web applications and certain business leaders are opposing it. There are two areas of opposition:

1. Minimum password length of 6 (currently 4; 6 was going to be a compromise).
2. Expiration of passwords (currently none).

Strength requirements on the password content seem to be OK with them. These leaders compare our business with Amazon (a bit of a reach, but we go with it for argument's sake) and their main argument for not enforcing a minimum password length and password expiration is that Amazon doesn't do it. How should I go about convincing them that Amazon.com is wrong and the fact that they haven't had a severe account breach is no reason not to implement a policy ourselves? Or, to play devil's advocate with myself, if I'm wrong, why doesn't Amazon enforce a password policy?

On a side note, the development work for implementing the policy is already done. It was done as part of a separate project and just not turned on until this argument could be resolved, so there will be almost no development cost associated with implementing the policy.

Thanks for your feedback.

James Strassburg
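The three policy knobs the thread argues over (a minimum length of 4 versus 6, password expiry, and a required non-alphanumeric symbol), as an added example that is not code from any poster in this thread: a small Python policy checker, plus a worst-case brute-force budget for each minimum length over a 62-character alphanumeric alphabet. The two guess rates (10 guesses per second against a throttled login form, 10^9 per second against a leaked database of fast hashes) are illustrative assumptions, not measurements, and the `PasswordPolicy` fields, `ONLINE_RATE` and `OFFLINE_RATE` names are this example's own.

```python
"""Password-policy checker and brute-force budget calculator.

Added example for the WebApp Sec thread; not code from any poster.
Policy values mirror the numbers argued over (min length 4 vs 6, optional
expiry, optional required symbol). Guess rates are assumptions.
"""
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ALNUM = len(string.ascii_letters + string.digits)  # 62-character alphabet
ONLINE_RATE = 10.0   # assumption: throttled login endpoint, guesses/second
OFFLINE_RATE = 1e9   # assumption: cracking a leaked fast-hash database


@dataclass
class PasswordPolicy:
    min_length: int = 6
    require_symbol: bool = False
    max_age_days: Optional[int] = None  # None: passwords never expire


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    violations: List[str] = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        violations.append("no non-alphanumeric symbol")
    return violations


def needs_rotation(last_changed: date, today: date, policy: PasswordPolicy,
                   compromised: bool = False) -> bool:
    """True if the user must be forced to change the password.

    A confirmed compromise always forces a change (the one case every
    poster in the thread agrees on); an age rule only applies when the
    policy actually sets max_age_days.
    """
    if compromised:
        return True
    if policy.max_age_days is None:
        return False
    return today - last_changed >= timedelta(days=policy.max_age_days)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def worst_case_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole keyspace at a fixed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def compare_lengths(lengths=(4, 6), alphabet_size: int = ALNUM) -> Dict[int, Dict[str, float]]:
    """Worst-case exhaustion time per length: days online, seconds offline."""
    rows: Dict[int, Dict[str, float]] = {}
    for n in lengths:
        rows[n] = {
            "online_days": worst_case_seconds(n, alphabet_size, ONLINE_RATE) / 86400,
            "offline_seconds": worst_case_seconds(n, alphabet_size, OFFLINE_RATE),
        }
    return rows


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=6, require_symbol=True, max_age_days=90)
    for candidate in ("abcd", "abcdef", "abcde!"):
        print(candidate, check_password(candidate, policy) or "ok")
    print("rotate?", needs_rotation(date(2006, 1, 1), date(2006, 10, 27), policy))
    for n, row in compare_lengths().items():
        print(f"len {n}: online {row['online_days']:.1f} days, "
              f"offline {row['offline_seconds']:.3f} s")
```

Running it shows the point that the length argument actually turns on: raising the minimum from 4 to 6 alphanumeric characters moves a throttled online search from about 17 days to about 180 years of worst-case guessing, but against an offline attack on leaked fast hashes both lengths fall in under a minute. Whether a minimum length of 6 buys anything therefore depends on how the hashes are stored and whether the login endpoint is rate-limited, not on the length alone.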
Current thread:
- Why doesn't Amazon enforce a password policy? James Strassburg (Oct 27)
- Re: Why doesn't Amazon enforce a password policy? Peter Conrad (Oct 30)
- Re: Why doesn't Amazon enforce a password policy? Tom Whiting (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jeff Robertson (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jamie Riden (Nov 01)
- <Possible follow-ups>
- RE: Why doesn't Amazon enforce a password policy? James Strassburg (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jeff Robertson (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Gunnar Rene Øie (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Gunnar Rene Øie (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jeff Robertson (Nov 01)
- RE: Why doesn't Amazon enforce a password policy? Brooks, Shane (Nov 01)
- RE: Why doesn't Amazon enforce a password policy? Jason Gregson (Nov 01)