Re: FW: Secure Password Policy?

[Rurouni Alucard Kawarami Himura <rakh () dangerclan net>]

On Thursday 19 January 2006 18:06, Mike Harlan wrote:
> I believe that the 6-8 rule is in place because it would take an extremely
> long time (or lucky guess) to crack the password at this length. 
> Especially when used with the other recommended practices (uppercase,
> lowercase, special characters, numbers).  Also, remember that we have to
> put forth as much effort to protect our info as we think that it is worth
> to us or our customers.

"... an extremely long time..." , what long can that be for example?  1 week, 
month? 


> -----Original Message-----
> From: Sulaiman, Wilmar [mailto:wsulaiman () siddharta co id]
> Sent: Thursday, January 19, 2006 5:12 AM
> To: pen-test () securityfocus com
> Subject: Secure Password Policy?
>
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is either
> 6 or 8 characters. I guess SANS institute considered a weak password if it
> is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8 characters).
> Is there any documentation to backup it up why the best practice for
> minimum password length is set to 6?
>
> Wilmar Sulaiman
> Risk Advisory Services
> KPMG Siddharta Siddharta & Widjaja
> 32nd Floor, GKBI Building
> 28, Jl. Jend. Sudirman
> Jakarta 10210, Indonesia
> J : +62 (0) 21 574 2333
> Fax : +62 (0) 21 574 1777
>
> **********************************************************************
> The information in this e-mail is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to this e-mail
> by anyone else is unauthorized. If you have received this communication in
> error, please address with the subject heading "Received in error," send to
> postmaster () siddharta co id, then delete the e-mail and destroy any copies
> of it. If you are not the intended recipient, any disclosure, copying,
> distribution or any action taken in reliance on it, is prohibited and may
> be unlawful. Any opinions or advice contained in this e-mail are subject to
> the terms and conditions expressed in the governing Siddharta Siddharta &
> Widjaja/PT Siddharta Consulting client engagement letter. Opinions,
> conclusions and other information in this e-mail and any attachments that
> do not relate to the official business of the firm are neither given nor
> endorsed by it.
>
> Siddharta Siddharta & Widjaja/PT Siddharta Consulting cannot guarantee that
> e-mail communications are secure or error-free, as information could be
> intercepted, corrupted, amended, lost, destroyed, arrive late or
> incomplete, or contain viruses.
>
> Siddharta Siddharta & Widjaja - Registered Public Accountants, registered
> in Indonesia, is a member firm of KPMG International. PT Siddharta
> Consulting, a limited liability company registered in Indonesia, is a
> member firm of KPMG International. KPMG International is a Swiss
> cooperative of which all KPMG firms are members. KPMG International
> provides no professional services to clients. Each member firm is a
> separate and independent legal entity and each describes itself as such.
>
> This footnote also confirms that this e-mail message has been swept by
> MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com
> for more information.
> **********************************************************************
>
>
> ---------------------------------------------------------------------------
> - --
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are futile against web application hacking. Check your website for
> vulnerabilities to SQL injection, Cross site scripting and other web
> attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ---------------------------------------------------------------------------
> - ---
>
>
>
>
>
> ---------------------------------------------------------------------------
> --- Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are futile against web application hacking. Check your website for
> vulnerabilities to SQL injection, Cross site scripting and other web
> attacks before hackers do! Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ---------------------------------------------------------------------------
> ----

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------