Jessica,

Flip-flopping refers to the practice of someone changing their password cyclically between a couple of known passwords, for example:

Month 1: Password is changed to Jessica
Month 2: Password is changed to Jenny
Month 3: Password is changed to Jessica
Month 4: Password is changed to Jenny
etc.

To prevent this practice, if for example you have a Windows NT/2000/XP system, set the security policy to "remember last 12 passwords", and now the user would have to cycle through twelve passwords before re-use was allowed.

In conjunction with this you will want to set the security policy parameter that defines the frequency of password change to "allow password changes every 3 days". This would now allow the user to change their password only once in three days.

So if we combine the two parameters together, we are now setting the system to allow the user to cycle through twelve pre-set passwords, but with each change 3 days apart. The total cycle would now take 36 days.

So we now set a third parameter in the security policy to "force password change every 30 days". This means that before the user gets to the 36 day mark, they must change their password to a new value. But because of the "remember last 12 passwords" parameter, it won't allow it to be one of these.

In effect we have set up a rule combination that forces the user to pick a new password every time they change it.

Hope this makes sense, and helps.

Best regards,
Stan Dormer
Director Education & Training
MindGrove of Ink-e Media
Cheshire UK
Tel: +44 1925 732 757
Fax: +44 1925 732 756
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jessica Khoo
Sent: 14 February 2003 02:22
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE:

Hi IT auditors,

Can someone shed some light for me on what is the meaning of "flip-flopping prohibited" in password management? Thanks a lot, and I look forward to responses.

Regards
Jessica
Singapore

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 14, 2003 9:23 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject:

To all,

Hi Jim and all, can anybody help me with any recommendation on risk-based audit report writing or internal audit reports? I would like to have some references on the structure of the reports. I hope this will help us to have a clearer picture of the subject. By the way, I will contribute more audit programs to the AuditNet inventory.

Bryan Ong

* To unsubscribe from this list send an email to [EMAIL PROTECTED] and include the message unsubscribe auditprograms-l and your name.
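An added example, not part of the original thread: a small Python simulation of the three settings described in the first reply (history of 12, changes at most every 3 days, forced change every 30 days), showing the Jessica/Jenny flip-flop being refused and how long it takes to push a password out of the history. The class and function names are hypothetical, the history is assumed to include the current password, and passwords are compared in plaintext only to keep the sketch short.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    history: int = 12   # "remember last 12 passwords"
    min_age: int = 3    # days that must pass between changes
    max_age: int = 30   # days after which a change is forced

@dataclass
class Account:
    policy: Policy
    current: str
    changed_on: int = 0
    remembered: list = field(default_factory=list)  # newest first

    def __post_init__(self):
        # Assumption: the current password occupies one history slot.
        self.remembered = [self.current][: self.policy.history]

    def expired(self, day):
        return day - self.changed_on >= self.policy.max_age

    def change(self, day, new):
        if day - self.changed_on < self.policy.min_age:
            return "refused: minimum age"
        if new in self.remembered:
            return "refused: in history"
        self.remembered = ([new] + self.remembered)[: self.policy.history]
        self.current, self.changed_on = new, day
        return "ok"

def flip_flop(policy, months=4):
    """User alternates Jessica/Jenny, changing only when forced to."""
    acct = Account(policy, "Jessica")          # month 1
    results = []
    for m in range(1, months):                 # months 2..4
        new = "Jenny" if m % 2 else "Jessica"
        results.append(acct.change(m * policy.max_age, new))
    return results

def days_to_flush(policy, original="Jessica"):
    """Day on which `original` leaves the history if the user burns
    through throwaway passwords as fast as the minimum age allows."""
    acct = Account(policy, original)
    day = n = 0
    while original in acct.remembered:
        day, n = day + policy.min_age, n + 1
        acct.change(day, f"throwaway-{n}")     # constructed sample values
    return day
```

With the minimum age set to 0, `days_to_flush` returns 0: the whole history can be cycled in one sitting, which is why the history setting is paired with a minimum age.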
