Security Basics mailing list archives
Re: Minimum password requirements
From: Pete Hunt <lists () ninjafriendly com>
Date: Sat, 17 Jul 2004 21:21:47 +0100
Randall M Gunning wrote:
I am working on implementing some minimum standards for our department. I am wondering what the list thinks of these standards: a. Passwords must be changed at least every 90 days. b. Passwords cannot be changed for at least 14 days. c. Previous passwords cannot be reused (at least the last 10). d. User ids and passwords are "owned" by an individual and must not beshared with others
d-1. or written down on post-its attached to <insert obvious place>
e. User accounts that have not been accessed (i.e. logged in to) for 30 dayswill be deactivated.
I deactivate accounts if users are going on hols / business trips, then reactivate on return. Is this for a .edu or similar? Just wondering about the 30-day non-use.
f. Inactive user accounts will be deleted after 14 days.
If the user has officially left the organisation, accounts should be deactivated the day they leave, archive home dirs and email and then delete accounts.
g. enforce basic password complexity - (10 character minimum - numbers, letters and non-alphanumeric) h. the same passwords shouldn't be used for different systems without some other form of authentication. (accounting dept shouldn't use standard logon p/w for payroll database etc). i. Make users sign usage policy, make sure they understand it and ensure breaches of policy have (at least some) consequences.
Pete ---------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- Minimum password requirements Randall M Gunning (Jul 17)
- Re: Minimum password requirements Jordan Cole (stilist) (Jul 19)
- RE: Minimum password requirements Maurice Post (Jul 19)
- Re: Minimum password requirements Pete Hunt (Jul 19)
- Re: Minimum password requirements _ (Jul 19)
- RE: Minimum password requirements David Gillett (Jul 19)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 20)
- RE: Minimum password requirements dave kleiman (Jul 20)
- RE: Minimum password requirements David Gillett (Jul 20)
- RE: Minimum password requirements dave kleiman (Jul 20)
- Re: Minimum password requirements steve (Jul 20)
- Re: Minimum password requirements Dan (Jul 20)
- Re: Minimum password requirements Robert Inder (Jul 20)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 21)