Home page logo
/

basics logo Security Basics mailing list archives

RE: passwords
From: Vince Dang <VinceDang () HondaFCU org>
Date: Wed, 19 Feb 2003 10:14:16 -0800

Ullmic,

The answer depends on what other things you have in place.  You want to
reach a comfortable point between security and inconvenience.  90 days would
be reasonable if you enforce complex passwords with at least 8 characters
minimum.  (Both NT 4 & W2k have that feature.)  You would also set the
policy to not allow usage of the last 10 passwords.  

On the people side, you need to educate users and conduct regular audits to
make sure they don't write them on sticky notes near their stations.
Overall, it comes down to how much risk is acceptable for your company.  If
you look at security as risk management, it will help you address the
problem better.

Regards,

Vince

-----Original Message-----
From: ullmic6 [mailto:ullmic6 () web de]
Sent: Monday, February 17, 2003 11:02 AM
To: security-basics () securityfocus com
Subject: passwords


Hello all,

one of the favorite subjects in my company seems to be the strength of
passwords. We force our users to change their mail password every 90 days.
Does this make sense? Why?

--
ullmic



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]