Your intuition is correct. Some of the problems you want to avoid are
the march0fish, april0fish, may0fish cycle, the rapid change back to a
previous password, etc. You also need to deal with the fact that a
great many apps are sending passwords over the wire in the clear. The
best password in the world doesn't beat a sniffer.
Ross Anderson's excellent book "Security Engineering" covers these
questions in detail, and gives you both anecdotal and formal testing
insights.
Adam
On Fri, Apr 23, 2004 at 10:33:10AM -0500, Stewart, John wrote:
|
| Speaking of password choices, and studies regarding them... we're going
| through some audits here (part of the Sarbanes-Oxley act), and one of the
| things we're going to need to get formal about enforcing is a Password
| Policy.
|
| It's going to be something like:
|
| 1 - Passwords must be changed every N days.
| 2 - Old passwords must not be re-used for M months.
| 3 - Passwords must meet the following guidelines:
| - Should not be based on well-known or easily accessible personal
| information.
| - Must contain at least X characters.
| - Must contain at least Y uppercase and Z lowercase characters.
| - Must contain at least W special characters (e.g. $, %, @)
| - Must contain at least V characters that are different from those
| found in the password that it is replacing.
| - Must not be dictionary (standard or slang) words, fictional
| character names, or based on the company's name or location.
|
|
| The values for N, M, X, Y, W, V, etc., are yet to be determined.
|
| It has always been my opinion that forcing a new password more often than
| once a year or so is counter-productive. I know how hard it is to get my DBA
| to remember the new root passwords we roll out; forcing frequent changes to
| the general user community I think is begging for a sticky-note problem.
|
| However, the "conventional wisdom" in the security (and auditor) world seems
| to be that frequent password changes should be required. I personally have
| never seen any studies on what makes a good password policy, just people
| making recommendations without any data to back it up. Most of these
| recommendations seem pretty naive to me, but unless I have some hard
| numbers, I'm afraid we're going to end up in a situation soon which will
| cause the sticky-note proliferation.
|
| I'm curious how others have handled this.
|
| thanks
|
| johnS
| _______________________________________________
| firewall-wizards mailing list
| firewall-wizards_at_honor.icsalabs.com
| http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 23 2004
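As an added illustration (not code from either poster), the checker below implements the N/M/X/Y/Z/W/V rules sketched in John's draft policy as a single function that reports every rule a candidate password violates. The concrete default numbers, the use of a history depth (a count of previous passwords) as a stand-in for "M months", the reading of "V different characters" as a case-insensitive multiset difference against the previous password, and the substring-based dictionary test are all assumptions; the sample dictionary, banned terms and passwords are constructed.

```python
"""Password-policy checker, added as an illustration of the N/M/X/Y/Z/W/V
rules in the thread. The default numbers, the 'history_depth' stand-in for
"M months", and the reading of "V different characters" are assumptions."""
from collections import Counter
from dataclasses import dataclass
import re

SPECIALS = frozenset("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


@dataclass(frozen=True)
class Policy:
    max_age_days: int = 365        # N: rule 1 (the poster's "once a year or so")
    history_depth: int = 6         # stand-in for M: rule 2, a count instead of months
    min_length: int = 12           # X
    min_upper: int = 1             # Y
    min_lower: int = 1             # Z
    min_special: int = 1           # W
    min_new_chars: int = 4         # V
    dictionary: frozenset = frozenset()    # standard/slang words, fictional names
    banned_terms: frozenset = frozenset()  # company name, location, personal info


def _stem(pw: str) -> str:
    """Lowercase letters only, so 'March0fish!' and 'april0fish' compare as words."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check(pw: str, policy: Policy, history=(), age_days: int = 0) -> list:
    """Return the violated rules as strings; an empty list means the password passes.
    `history` lists previous passwords newest first; `age_days` is the age of the
    password being replaced, used only for the rotation rule."""
    problems = []
    if age_days > policy.max_age_days:
        problems.append(f"password change overdue: older than {policy.max_age_days} days")
    if len(pw) < policy.min_length:
        problems.append(f"fewer than {policy.min_length} characters")
    if sum(c.isupper() for c in pw) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase characters")
    if sum(c.islower() for c in pw) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase characters")
    if sum(c in SPECIALS for c in pw) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")

    recent = list(history)[: policy.history_depth]
    if pw in recent:
        problems.append("re-uses a recent password")
    if recent:
        # Characters of the new password not present in the one it replaces
        # (multiset difference, case-insensitive). This is the rule that catches
        # the march0fish -> april0fish -> may0fish cycle the reply warns about.
        new_chars = sum((Counter(pw.lower()) - Counter(recent[0].lower())).values())
        if new_chars < policy.min_new_chars:
            problems.append(
                f"fewer than {policy.min_new_chars} characters differ from the previous password"
            )

    stem = _stem(pw)
    # Assumed reading of rule 3's dictionary clause: the letter stem is itself a
    # word, or contains any dictionary word of four or more letters.
    if stem in policy.dictionary or any(w in stem for w in policy.dictionary if len(w) >= 4):
        problems.append("contains a dictionary word")
    if any(t in stem for t in policy.banned_terms):
        problems.append("based on company, location or personal information")
    return problems


# Constructed sample policy and inputs (not real data).
SAMPLE_POLICY = Policy(
    dictionary=frozenset({"fish", "march", "april", "password", "secret"}),
    banned_terms=frozenset({"acme", "chicago", "johns"}),
)

if __name__ == "__main__":
    for pw, hist in [("april0fish", ["march0fish"]), ("Vx9#kLm2!qRz7p", ["march0fish"])]:
        print(pw, "->", check(pw, SAMPLE_POLICY, hist) or "OK")
```

Run as a script it reports every rule "april0fish" breaks when it replaces "march0fish" (too short, no uppercase, no special, only three new characters, and a dictionary word) and accepts the second candidate. Keeping each rule as a separate, parameterised check is what lets the N/M/X/Y/Z/W/V values be tuned and audited independently once the organisation settles on them.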