Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Windows 2000 password policy bypass possibility
From: Anthony DeRobertis <asd () suespammers org>
Date: Tue, 12 Mar 2002 07:51:46 -0500

On Friday, March 8, 2002, at 06:33 PM, Bradley, Tony wrote:

To combat this you also need to set a minimum password age in your policy.
If you set the minimum password age to 1 month they will not be able to
reset their password for at least 1 month each time and then you guarantee
that it will be 18 months until they can re-use the old password again.

Of course, if a user happens to find out or suspect his password is compromised, then he can't change it, either.

Cycling through 18 passwords take a fair amount of effort. Even more if you set the minimum to something like ten minutes. But at least ten minutes probably doesn't get in the way of users who need to change their password because they lost the slip of paper they wrote it down on.

Also, remember, the more often you make people change their passwords, the more likely they are to start writing them down. And the more valuable the stored password history is likely to become.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]