Security Basics mailing list archives

Re: password policy with regard to application userid
From: "Ali, Saqib" <docbook.xml () gmail com>
Date: Thu, 31 May 2007 10:13:16 -0700

It depends on the application, the level of privileges that the
account has, and also the auditing of the account usage.

If you regularly audit the account, and it only has user-level
privileges, then a once-a-year password change should suffice.

One other thing to check is how the application is using the account.
As long as the application is Kerberos-enabled and is NOT
transmitting the username/password on the network, then you don't need
to worry about somebody sniffing out the password.

For example, ADSI calls from IIS do not transmit the username/password
over the network, so using an account with more privileges to run a web
application is not a serious risk.


saqib
http://www.full-disk-encryption.net

On 31 May 2007 07:30:01 -0000, u.bodalina () gmail com
<u.bodalina () gmail com> wrote:
What would be a reasonable password policy with regard to userids used in applications?

For example, Business Objects needs a system-level userid to integrate with Active Directory. What would the security implications be if this userid's password wasn't changed?

Standard users follow a policy in which they have to change their password every two months.

Thanks




--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
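The reply above makes rotation frequency conditional on two things: the account's privilege level and whether its usage is regularly audited. The following is an added example (not from the thread or from any product mentioned in it) of what such an audit check can look like: it scans constructed logon records for an application account, flags interactive logons and logons from unexpected hosts, and applies a hypothetical rotation policy (one year for user-level accounts as the post suggests; the 90-day figure for privileged accounts is an assumption). The account name, host names and all event data are constructed.

```python
from datetime import date

# Constructed sample of simplified Windows logon events (event 4624 fields) for a
# hypothetical Business Objects service account "svc_bo". Not real data.
SAMPLE_EVENTS = [
    {"account": "svc_bo", "logon_type": 3, "source": "BOSERVER01"},     # network logon, expected
    {"account": "svc_bo", "logon_type": 3, "source": "BOSERVER01"},
    {"account": "svc_bo", "logon_type": 3, "source": "BOSERVER02"},
    {"account": "svc_bo", "logon_type": 10, "source": "WKS-FINANCE-7"}, # RDP from a workstation
    {"account": "jdoe", "logon_type": 2, "source": "WKS-FINANCE-7"},    # ordinary user, console logon
]

# Logon types a non-interactive application account should never produce:
# 2 = interactive (console), 10 = RemoteInteractive (RDP), 11 = cached interactive.
INTERACTIVE_TYPES = {2, 10, 11}


def audit_account_usage(events, account, allowed_sources):
    """Return findings for `account`: interactive logons and logons from hosts
    outside the expected set. An empty list means nothing unusual was seen."""
    findings = []
    for ev in events:
        if ev["account"] != account:
            continue
        if ev["logon_type"] in INTERACTIVE_TYPES:
            findings.append(f"interactive logon (type {ev['logon_type']}) from {ev['source']}")
        if ev["source"] not in allowed_sources:
            findings.append(f"logon from unexpected host {ev['source']}")
    return findings


def password_rotation_due(last_set, today, privileged):
    """Hypothetical policy: a regularly audited user-level account rotates once a
    year (the post's figure); a privileged account rotates every 90 days (an
    assumed value, not from the post). Returns True when the password is overdue."""
    max_age_days = 90 if privileged else 365
    return (today - last_set).days > max_age_days


if __name__ == "__main__":
    for f in audit_account_usage(SAMPLE_EVENTS, "svc_bo", {"BOSERVER01", "BOSERVER02"}):
        print("svc_bo:", f)
    print("rotation due:", password_rotation_due(date(2006, 5, 1), date(2007, 5, 31), False))
```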

