Firewall Wizards: RE: Stanford break in

RE: Stanford break in

From: Stewart, John <johns_at_artesyncp.com>
Date: Fri, 23 Apr 2004 10:33:10 -0500

Speaking of password choices, and studies regarding them... we're going
through some audits here (part of the Sarbanes-Oxley act), and one of the
things we're going to need to get formal about enforcing is a Password
Policy.

It's going to be something like:

1 - Passwords must be changed every N days.
2 - Old passwords must not be re-used for M months.
3 - Passwords must meet the following guidelines:
        - Should not be based on well-known or easily accessible personal information.
        - Must contain at least X characters.
        - Must contain at least Y uppercase and Z lowercase characters.
        - Must contain at least W special characters (e.g. $, %, @)
        - Must contain at least V characters that are different from those found in the password that it is replacing.
        - Must not be dictionary (standard or slang) words, fictional character names, or based on the company's name or location.

The values for N, M, X, Y, W, V, etc., are yet to be determined.

It has always been my opinion that forcing a new password more often than
once a year or so is counter-productive. I know how hard it is to get my DBA
to remember the new root passwords we roll out; forcing frequent changes to
the general user community I think is begging for a sticky-note problem.

However, the "conventional wisdom" in the security (and auditor) world seems
to be that frequent password changes should be required. I personally have
never seen any studies on what makes a good password policy, just people
making recommendations without any data to back it up. Most of these
recommendations seem pretty naive to me, but unless I have some hard
numbers, I'm afraid we're going to end up in a situation soon which will
cause the sticky-note proliferation.

I'm curious how others have handled this.

thanks

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 23 2004
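The rules sketched in the post are concrete enough to be enforced mechanically. The following is an added example (not code from the post, the firewall-wizards list, or any product mentioned on this page) of a checker that implements rules 1 to 3 with placeholder values for N, M, X, Y, Z, W and V. The banned word list is a constructed stand-in for a real dictionary/company/location list, SHA-256 stands in for the slow password hash a real history store would use, and "V characters different from the replaced password" is interpreted position by position, which is one reading of the rule, not the only one. Note that the "characters changed" and "no reuse" checks need the old plaintext, so they can only run at the moment the user types both passwords into a change dialog.

```python
"""Password-policy checker for the rules listed in the post above.

Added example; not code from the original post or the firewall-wizards list.
Parameter values, the banned word list, and the position-by-position reading
of "V characters different" are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import string

SPECIALS = set(string.punctuation)


@dataclass
class Policy:
    max_age_days: int = 90          # N: forced change interval
    reuse_window_months: int = 12   # M: no reuse within this window
    min_length: int = 12            # X
    min_upper: int = 1              # Y
    min_lower: int = 1              # Z
    min_special: int = 1            # W
    min_changed_chars: int = 4      # V
    # Constructed stand-in for a dictionary / company-name / location list.
    banned_words: frozenset = frozenset({
        "password", "welcome", "gandalf", "artesyn", "austin", "summer",
    })


@dataclass
class History:
    """Previous passwords, kept only as (digest, date_set) pairs."""
    entries: list = field(default_factory=list)


def digest(pw: str) -> str:
    # SHA-256 is used only so the example runs with the standard library;
    # a real history store should use bcrypt, scrypt or Argon2.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def chars_changed(new: str, old: str) -> int:
    """Count positions where the new password differs from the old one.

    Assumption: any extra length on either side counts as changed positions.
    """
    common = min(len(new), len(old))
    diff = sum(1 for i in range(common) if new[i] != old[i])
    return diff + abs(len(new) - len(old))


def contains_banned(pw: str, words) -> bool:
    """Reject passwords that contain a banned word after case folding."""
    folded = pw.lower()
    return any(w in folded for w in words)


def check_new_password(new: str, old: str, history: History,
                       policy: Policy, today: date) -> list:
    """Return the list of violated rules; an empty list means 'acceptable'."""
    problems = []
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isupper() for c in new) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase characters")
    if sum(c.islower() for c in new) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase characters")
    if sum(c in SPECIALS for c in new) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if chars_changed(new, old) < policy.min_changed_chars:
        problems.append(f"fewer than {policy.min_changed_chars} characters changed")
    if contains_banned(new, policy.banned_words):
        problems.append("based on a banned dictionary/company word")
    # Rule 2: the same password must not reappear within M months
    # (30 days per month is an approximation for the example).
    cutoff = today - timedelta(days=30 * policy.reuse_window_months)
    new_digest = digest(new)
    if any(d == new_digest and when >= cutoff for d, when in history.entries):
        problems.append(f"reused within the last {policy.reuse_window_months} months")
    return problems


def password_expired(last_set: date, policy: Policy, today: date) -> bool:
    """Rule 1: the password must be changed every N days."""
    return (today - last_set).days >= policy.max_age_days


if __name__ == "__main__":
    pol = Policy()
    hist = History([(digest("Tr0ub4dor&3xQ"), date(2004, 2, 1))])
    today = date(2004, 4, 23)
    for candidate in ("Winter2004!!", "Welcome-To-Austin-2004", "Tr0ub4dor&3xQ"):
        print(candidate, check_new_password(candidate, "Winter2003!!", hist, pol, today))
    print("expired:", password_expired(date(2004, 1, 1), pol, today))
```

Running the main block shows the kind of rejection a user would see for a one-digit increment ("Winter2003!!" to "Winter2004!!"), for a phrase built from the company's city, and for a password that was already used two months earlier; the same function returns an empty list for a password that satisfies every rule.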
