You can lead a horse to water but you can't make him drink!
Connie
-----Original Message-----
From: David Leach [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 07, 2000 2:57 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: WinNT Passwords Policy
Wouldn't it be just as easy (and less expensive) to teach your users how to
create memorable secure passwords?
like my favorite TV show is: Th3\/F1L3$ (read thexfiles)
or my favorite song is: \/g1RlfR13nd (read xgirlfriend)
or my favorite movie is: ph@nt0mm3n@ce (read phantommenace)
these are easy enough to remember by difficult to break and still adhere to
your security policies
David Leach MCSE+I
Systems Security Engineer
Electronic Warfare Associates,
Information and Infrastructure Technologies, Inc.
>>> Igor Gashinsky <[EMAIL PROTECTED]> 04/07/00 01:30PM >>>
If you are really paranoid about the password policy (read:
cautious), and
worry that your users won't be able to remember the passwords, perhaps
hand-held tonekns like SecureID are the answer. All they users have to
remember is the 4 digit PIN, and where they left the token ;)
Hope this helps,
-Igor Gashinsky, GCIA
At 12:39 PM 4/7/00 -0400, Andrew Bastien wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>
>This is overkill. While it certainly sounds as if this would require
secure passwords, a situation has been created where passwords will be so
difficult for users to remember that they'll be writing them down, or
they'll just use a sequence to get past password changes (i.e. password1,
password2, etc.). Then all security goes out the window.
>An eight character minimum is a good policy, simply because of the way
authentication works in NT. A mix of upper and lower case is a good idea,
because it makes brute force attacks much more difficult than they would be
against only lower case passwords (52^8 vs. 26^8). Brute force attacks
shouldn't work anyway because you should be locking accounts after a few
bad login attempts, but this still doesn't hurt.
>Once you get beyond this point, I think you need to choose priorities. If
you want to require users to memorize stronger passwords, with digits and
punctuation, it's not necessarily a good idea to also enforce frequent
password changes. If you want frequent changes, you might have to live
with passwords that will be somewhat less secure but easier for users to
remember.
>
>btw, you might also want to find out about passfilt.dll:
>http://support.microsoft.com/support/kb/articles/q161/9/90.asp?LNG=ENG&SA=T
ECH&FR=1
>
>
>- -----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: April 07, 2000 12:16
>To: Mailing Lists
>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: WinNT Passwords Policy
>
>
>
>
>
>
>Here you go.
>
>1) Minumum of 10 characters (NT supports up to 14)
>2) Must contain at least one Capitalized letter, one lower case letter
and one
>digit
> (and if you want, one of ":;().,<>!@#$%^&*-_=+"
>3) Must not be similar to previous password
>4) Can not be any of the last 15 passwords
>5) Can not resemble the user ID
>6) Every user gets their own unique ID
>7) No shared ID's
>
>That's about it.
>
>
>
>-
----------------------------------------------------------------------------
----
>Jerry T. Kendall, CISSP Celestica International Inc.
>Manager, Worldwide Information Security 12 Concorde Place, 7th Floor
>Corporate Information Security Toronto, Ontario, M3C 3R8,
CANADA
>http://www.celestica.com Tel: +1.416.386.7739
>[EMAIL PROTECTED] Fax: +1.416.386.7707
>-
----------------------------------------------------------------------------
----
>
>
>
>
>
>
>
>
>
>
>
>
>Mailing Lists <[EMAIL PROTECTED]> on 04/07/2000 12:06:55 PM
>
>
>
>
>
>
>
>
> To: [EMAIL PROTECTED],
> [EMAIL PROTECTED]
>
> cc: (bcc: Jerry Kendall/Inc/Celestica)
>
>
>
> Subject: WinNT Passwords Policy
>
>
>
>
>
>
>
>
>Hi all,
>
>I'd like to have your opinion and personal experience regarding what policy
>to implement when dealing with passwords on a pure Windows Network (Windows
>98, Windows NT 4 workstation and servers, Windows NT 2000 professional and
>server). The NT domain is based on a NT Server 4 SP5, and the users get
>mail from MS Exchange 5.5 SP3.
>
>At my old job, whe had a mix environment of WinNT, Linux and Suns, so the
>policy was to have a password of at least 8 characters long, containing
>upper and lower case letters, numbers and one of those:
>:;().,<>!@#$%^&*-_=+
>
>I just want your opinion as to know if in a pure NT environment, I need to
>have something that strict, or I can loosen it up a little and keep the
>same strenght.
>
>What is your opinion and what do you use/recommend in that matter?
>
>Thanks!
>
> -+-
>Mario Biron, CCA, System Administrator
>DNRC Title: Official and Proud Sponsor of the Y2K Problem
>
>- -
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>
>iQA/AwUBOO4QcD1j58pgs53KEQJ+OgCfTeXSwXPRnG8NStC1b8T2Oj/AK+gAn0HS
>H53shIGtPiuKXBATV6YczM6c
>=TkP0
>-----END PGP SIGNATURE-----
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
