Home page logo
/

basics logo Security Basics mailing list archives

RE: passwords
From: "Tim Heagarty" <tim () heagarty com>
Date: Thu, 20 Feb 2003 17:37:55 -0700

One tangential comment to the previous post.
We would also put a minimum time to the NEXT password change on our users.
If you don't have this then the crafty little buggers will change their
password ten times in a row to push their desired password off the stack and
get "back around" to their preferred password.

As far as biometrics and multi-factor authentication.
Many civil libertarians are concerned about using "something you ARE" as a
factor in identification. We have seen a proliferation of identity theft the
last few years and this will only get worse as we can all imagine. Of course
that's why we're employed is it not? If someone's Social Security number is
stolen in the U.S. and used in such a way as to all but destroy a person's
identity a new number can be generated and a new identification and life
created. Not easy, but possible. We all hear about the "Witness Protection
Program" and creating a new identity for protective purposes and other good
reasons to assume a new identity.

But, how will we create a new identity when we start identifying people by
unchangeable characteristics? Do you want one or more government entities
storing, and potentially controlling or worse, not controlling, information
about your physical person that is nearly impossible to change? It is easy
enough to sit around with a bit of alcohol assistance and come up with a
dozen good scenarios involving nasty governments tracking citizens to put
the fear of such technology into the general population.

I like the idea of being biometrically identified to a personal device such
as a smart card that would contain your PKI certificates, medical
information etc. But not storing physically identifying characteristics in
some grand uncontrollable database.

Call me paranoid, but that's how I got where I am today!

Tim Heagarty MCSE, MCP+I
"There are only 10 kinds of people in the world, those that understand
binary, and those that don't."
Work: (928) 636-0489
Cell: (928) 533-9690

-----Original Message-----
From: Trevor Cushen [mailto:Trevor.Cushen () sysnet ie]
Sent: Thursday, February 20, 2003 2:11 AM
To: security-basics () securityfocus com
Subject: RE: passwords



I had not added anything to this discussion because as you have said it
can be talked to death.  But yesterday I saw an article about passwords
and thought I would pass it on because it really is a daring stand the
author has taken.  But I saw the article in hard copy and when I went to
search for it I found several articles under the same heading

"PASSWORDS ARE PASSE"

All these articles talk about biometrics and pki etc, but essentially
various forms of phasing out the user entered password.  I would be
interested in what this forums general concensis is on that line of
thinking.

This is not my line of thinking nor do I have a project in the working
to provide more details on a possible implementation or environment,
number of users, costings etc.  It is the concept that I am interested
in getting feedback on just out of curiosity.

Many thanks

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: 19 February 2003 14:28
To: 'ullmic6'; 'security-basics () securityfocus com'
Subject: RE: passwords


That's it???   Arguments can be made for changing passwords from between
30
and 90 days.  Each argument has valid points which I will not elaborate
on again since it's been beaten to death.  30 to 90 is fine but you need
to make sure there is complexity involved.  The harder the complexity
the more valid the argument for 90 days so users won't be tempted to
write it down. I wouldn't exceed more than 90 ever but I prefer 30.  A
combination of Capital and lowercase letters, Numbers and Symbols.
Require 3 out of the 4 minimum.  Make a minimum length of 7.  If you are
using LANMan make it  7 not 8 since 7 is harder to crack for LANMan
other reasons that I also won't go into.  You should have a password
history as well.  I prefer 12 so that people can slightly change the
password to be Passw0rd1, Passw0rd2, .... Run enforcement onthese
policies and run password checkers to verify.

IMHO, 30 days is best.  I've had 30 days with these rules and users are
fine.  At first people tend to kick and scream but if you reduce the
times in increments of say 15 days every 3 months people don't notice
the difference.

Good Password - N0t*N0w, Abs0lutely%,
Bad Password - tuxedo, names, birthdates, License plates, names, pets,
anything in a dictionary (incl foreign languages, klingon, etc.),
anything identifiable or guessable about a person, phone #'s, etc.

-----Original Message-----
From: ullmic6 [mailto:ullmic6 () web de]
Sent: Monday, February 17, 2003 2:02 PM
To: security-basics () securityfocus com
Subject: passwords


Hello all,

one of the favorite subjects in my company seems to be the
strength of passwords. We force our users to change their
mail password every 90 days. Does this make sense? Why?

--
ullmic





**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is
intended only for the individual(s) named herein or others specifically
authorized to receive the communication. If you are not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this communication is strictly prohibited. If you have
received this communication in error, please notify the sender of the
error immediately, do not read or use the communication in any manner,
destroy all copies, and delete it from your system if the communication
was sent via email.




**********************************************************************



****************************************************************************
**********

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

****************************************************************************
**********




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]