|
Bugtraq
mailing list archives
Re: Windows 2000 password policy bypass possibility
From: Anthony DeRobertis <asd () suespammers org>
Date: Tue, 12 Mar 2002 07:51:46 -0500
On Friday, March 8, 2002, at 06:33 PM, Bradley, Tony wrote:
To combat this you also need to set a minimum password age in
your policy.
If you set the minimum password age to 1 month they will not be able to
reset their password for at least 1 month each time and then
you guarantee
that it will be 18 months until they can re-use the old password again.
Of course, if a user happens to find out or suspect his password
is compromised, then he can't change it, either.
Cycling through 18 passwords take a fair amount of effort. Even
more if you set the minimum to something like ten minutes. But
at least ten minutes probably doesn't get in the way of users
who need to change their password because they lost the slip of
paper they wrote it down on.
Also, remember, the more often you make people change their
passwords, the more likely they are to start writing them down.
And the more valuable the stored password history is likely to
become.
 By Date 
By Thread
Current thread:
|
Intro
