On Sun, 12 Mar 2006, SO SECURITY RESEARCH INSTITUTE wrote:

> ADP were unavailable for comment at time of this message being submitted to
> Full-Disclosure mailing list. http://tinyurl.com/plqt3

This URL describes ADP's not unreasonable password policy (8-14 characters, must contain special chars, no incrementing or decrementing chars, and no repeats). Sure, it's annoying, but it's also good practice.

At least they haven't gone over the edge, like, oh, a large tier-1 NSP with a 6-letter name that has all the above requirements, AND:

- Password shall change EVERY 90 DAYS!
- Password shall not ever repeat.
- Password shall not be derived from any dictionary word (!!! - this alone makes the system unusable - !!!): no passwords like "#V3rify||M3||n0w#", because there are three English-derived words.

Ever try and actually USE such a gawd-awful system?

The KICKER though was this: the above requirements are for several discrete systems (domain login, RADIUS login, VPN login, etc.), and NONE of these systems shared credentials - so you had to change them ALL every three months, AND keep them straight!

As an industry, we need to come to terms with the concept that a bad password kept secret is better than a great password written down on every available surface because it changes every 3 months and has irrational requirements. ADP seems to have found a good middle ground policy.

Revealing that policy hurts nobody in any way - ADP/Yahoo security is not compromised by this disclosure - so what's the point?

--
Yours,
J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

'The right of self defence is the first law of nature: in most governments it has been the study of rulers to confine this right within the narrowest limits possible. Wherever standing armies are kept up, and the right of the people to keep and bear arms is, under any colour or pretext whatsoever, prohibited, liberty, if not already annihilated, is on the brink of destruction.'

St. George Tucker

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
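The policy rules Terranson summarises (8-14 characters, a special character, no incrementing/decrementing runs, no repeats) and the stricter "no dictionary-derived word" rule he objects to, as an added, runnable checker. This is example code written for this page, not ADP's or anyone else's implementation. The post does not say how "incrementing or decrementing chars" or "repeats" are defined, so this code assumes a run means three or more adjacent characters whose code points step by exactly +1 or -1, and a repeat means two identical adjacent characters. The leet-speak normalisation and the tiny word list used for the dictionary rule are likewise assumptions, constructed only to reproduce the "#V3rify||M3||n0w#" rejection described in the message.

```python
"""Password-policy checker (added example; not the policy owner's code).

check_password(pw) applies the four rules paraphrased in the post above.
Passing dictionary=... additionally applies the 'no dictionary-derived
word' rule from the stricter policy the post complains about.
"""

MIN_LEN, MAX_LEN = 8, 14
RUN_LEN = 3  # ASSUMPTION: "abc" / "321" are runs, "ab" is not

# ASSUMPTION: common leet substitutions undone before the dictionary lookup,
# so that "V3rify" is seen as "verify" and "n0w" as "now".
LEET = str.maketrans("013457@$", "oieastas")

# Constructed word list for the demo; a real policy would use a full dictionary.
STRICT_DICTIONARY = frozenset({"verify", "me", "now", "password"})


def _has_sequence(pw, n=RUN_LEN):
    """True if any window of n adjacent chars steps by +1 or -1 throughout."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_adjacent_repeat(pw):
    """True if the same character appears twice in a row (e.g. '||', 'aa')."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def _dictionary_hits(pw, dictionary):
    """Words from `dictionary` found inside the leet-normalised password."""
    norm = pw.lower().translate(LEET)
    return sorted(w for w in dictionary if w in norm)


def check_password(pw, dictionary=None):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(not c.isalnum() for c in pw):
        problems.append("must contain at least one special character")
    if _has_sequence(pw):
        problems.append(
            f"contains a run of {RUN_LEN}+ incrementing or decrementing characters")
    if _has_adjacent_repeat(pw):
        problems.append("contains a repeated (adjacent identical) character")
    if dictionary:
        hits = _dictionary_hits(pw, dictionary)
        if hits:
            problems.append("derived from dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "abc12345", "#V3rify||M3||n0w#"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
        print("  strict:", check_password(candidate, STRICT_DICTIONARY) or "OK")
```

Under the assumptions above, "#V3rify||M3||n0w#" already fails the ADP-style rules on length (17 characters) and on the adjacent "||" repeat; the strict dictionary rule then adds a third rejection naming "me", "now" and "verify". Note how short entries such as "me" make that rule match almost any passphrase, which is the unusability the post is describing.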