WebApp Sec mailing list archives

RE: Why doesn't Amazon enforce a password policy?


From: "Brooks, Shane" <SBrooks () orangelake com>
Date: Fri, 27 Oct 2006 13:40:17 -0400

Hi James,

Amazon doesn't enforce password policies because, to be cut-and-dry
about it, that is not their business.  It's not their concern if you
use your birthday or your kid's names as passwords to your account.
They don't have and don't need to have the staff necessary to field
customer complaints because someone was forced to change their password
last week and now can't remember it, or to explain to a customer what
'password complexity' is and why it is important.  Why can they
successfully do business this way?  They clearly point out business
policies under their "Conditions of Use":

<snip>
YOUR ACCOUNT

If you use this site, you are responsible for maintaining the
confidentiality of your account and password and for restricting access
to your computer, and you agree to accept responsibility for all
activities that occur under your account or password.
</snip>


That's my take on it anyway,

SB


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of James Strassburg
Sent: Tuesday, October 24, 2006 1:34 PM
To: webappsec () securityfocus com
Subject: Why doesn't Amazon enforce a password policy?

There is a small war going on where I work.  I am trying to get a
password policy enforced for our web applications and certain business
leaders are opposing it.  There are two areas of opposition:

1. Minimum password length of 6 (currently 4, 6 was going to be a
compromise).
2. Expiration of passwords (currently none).

Strength requirements on the password content seem to be ok with them.

These leaders compare our business with Amazon (a bit of a reach but we
go with it for argument's sake) and their main argument for not
enforcing a minimum password length and password expiration is that
Amazon doesn't do it.

How should I go about convincing them that Amazon.com is wrong and the
fact that they haven't had a severe account breach is no reason not to
implement a policy ourselves?  Or, to play devil's advocate with myself,
if I'm wrong, why doesn't Amazon enforce a password policy?

On a side note, the development work for implementing the policy is
already done.  It was done as part of a separate project and just not
turned on until this argument could be resolved so there will be almost
no development cost associated with implementing the policy.

Thanks for your feedback.

James Strassburg
