Security Basics mailing list archives

RE: Website password policies


From: "Matt Lyon" <themattlyon () hotmail com>
Date: Tue, 10 Feb 2004 20:57:31 -0800





Hello,
I've been tasked with writing our website password policy and am wondering if there are best practices for this. I'm torn between the security aspect versus the customer overhead and dissatisfaction of the typical website user if the password rules are too complex.

Any help would be much appreciated.

Thank you.
Bob

Well, it depends on how secure you need the site. If nothing matters then basic passwords will work. When I offer services such as email I let people know of the risks they take and leave it at that. Odds are that even if it is a "strong" password they are using it in more than one place and may even be sending the password unencrypted.

To secure myself I do three things:

1) Explicitly disallow users from specific services to prevent the password from being used on another service I am running.

2) On services users are allowed on I explicitly allow them to add another ring of security.

3) Make sure your logs are being monitored and then be able to block any IPs that intrusion attempts come from. The point being that if a password cracker starts running a dictionary against the password it is detected and then stopped. My thinking is that if they can keep on guessing then it really doesn't matter how strong the password is.

I realize that this may not be the best but it works for me when dealing with poor passwords.

Lastly, the easiest way to get in is with poor CGI that allows code injection. Stop that and you have just gone a long ways.

Matt
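Matt's third point (watch the logs, detect a dictionary run, block the source) is easy to state and a little fiddlier to get right, because a fixed threshold only catches guessing that is faster than your window. The block below is an added example, not code from the original post or from any tool the list discusses. The log lines are constructed in a generic syslog "FAILED LOGIN ... from IP" shape (an assumption; real daemons vary), the year 2004 is assumed because syslog timestamps carry none, and the iptables command it renders is just one illustration of the "block" step.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines (hypothetical; not taken from any real host).
# 203.0.113.5 hammers several accounts within seconds; 192.0.2.9 tries the same
# account every 35 minutes ("low and slow"); 198.51.100.7 is a user who typo'd once.
SAMPLE_LOG = """\
Feb 10 20:40:01 www login[2210]: FAILED LOGIN for user alice from 203.0.113.5
Feb 10 20:40:02 www login[2211]: FAILED LOGIN for user alice from 203.0.113.5
Feb 10 20:40:03 www login[2212]: FAILED LOGIN for user bob from 203.0.113.5
Feb 10 20:40:03 www login[2213]: FAILED LOGIN for user carol from 203.0.113.5
Feb 10 20:40:04 www login[2214]: FAILED LOGIN for user dave from 203.0.113.5
Feb 10 20:40:05 www login[2215]: FAILED LOGIN for user eve from 203.0.113.5
Feb 10 20:41:10 www login[2216]: FAILED LOGIN for user alice from 198.51.100.7
Feb 10 20:41:30 www login[2217]: LOGIN OK for user alice from 198.51.100.7
Feb 10 20:55:00 www login[2218]: FAILED LOGIN for user bob from 192.0.2.9
Feb 10 21:30:00 www login[2219]: FAILED LOGIN for user bob from 192.0.2.9
Feb 10 22:05:00 www login[2220]: FAILED LOGIN for user bob from 192.0.2.9
Feb 10 22:40:00 www login[2221]: FAILED LOGIN for user bob from 192.0.2.9
Feb 10 23:15:00 www login[2222]: FAILED LOGIN for user bob from 192.0.2.9
Feb 10 23:50:00 www login[2223]: FAILED LOGIN for user bob from 192.0.2.9
"""

# Syslog timestamps have no year; we assume the year of the thread (an assumption).
LOG_YEAR = 2004

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"FAILED LOGIN for user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failures(log_text, year=LOG_YEAR):
    """Return [(timestamp, ip, user)] for failed-login lines, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    events.sort()  # the window logic below relies on chronological order
    return events


def ips_to_block(events, threshold=5, window_minutes=10):
    """Sliding-window rule: flag an IP once it has `threshold` or more failed
    logins inside any span of `window_minutes`. Returns {ip: time_of_trip}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per-IP timestamps of failures still inside the window
    blocked = {}
    for ts, ip, _user in events:
        if ip in blocked:
            continue  # already decided; no need to keep counting
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def block_commands(blocked):
    """Render one firewall rule per flagged IP (iptables syntax shown as an
    example of the block step; substitute your own firewall's command)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    fast = ips_to_block(events)                                # 10-minute window
    slow = ips_to_block(events, threshold=5, window_minutes=240)  # 4-hour window
    print("10-minute window flags:", sorted(fast))
    print("4-hour window flags:   ", sorted(slow))
    for cmd in block_commands(slow):
        print(cmd)
```

Running it shows the caveat: with a 10-minute window only the fast attacker is caught, while the slow guesser at 192.0.2.9 stays under the radar until the window is widened to hours. In practice you run both rules (a short window with a low threshold for noisy tools, a long window with a modest threshold for patient ones), and you still accept a per-account lockout or delay on top, since a distributed attacker can spread guesses across many source addresses and defeat any per-IP counter.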




