Security Basics mailing list archives

Re: Minimum password requirements


From: dmargoli () stwing org
Date: Thu, 22 Jul 2004 14:39:58 -0400

Steve wrote:

> We can discuss/argue all day long, but if you don't age passwords then you
> will fail almost any IT portion of an audit from an independent auditing
> organization.

Fair enough, but that doesn't really explain *why* it makes sense (or even if it does). If your business requires certification by an auditor who requires that measure, fine. Perfectly understandable. But that doesn't mean there's a good reason for such a practice (and I contend that there is not).

> Real-world example: a few departed employees had not been disabled in our
> domain; their accounts were automatically disabled.  The auditors had no
> issues with that.

I never argued against disabling inactive accounts. I think that's a very good idea and support it completely. I argued against password ageing.
