Kurt, I don't know if you are being serious on this or not, but I am sure you are going to run into a boatload of issues with trying to implement that type of standard.
Passwords anymore are passé, it's the weakest form of authentication and easiest to crack. Honestly, if you want to increase the level of security at your company I would be looking into 2-factor authentication systems like smart-cards, proximity cards or otherwise.

Z

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 25, 2007 3:15 PM
To: NT System Admin Issues
Subject: Re: Audit recommendation

I'm going to seriously propose, at my place of work, a new password standard for standard users: 16 or more characters, the usual password complexity, changed once a year. I think it's a good tradeoff.

On 12/24/07, kenw <[EMAIL PROTECTED]> wrote:
> In general, I think the idea of progressive back-off is a good one, and probably simple to implement.
>
> Long, hard-to-remember, frequently-changed passwords are a bad idea. They get written down in all sorts of places. I've yet to hear a good argument for frequent password changes in most environments, for ordinary users. If other aspects of password security are well managed, it accomplishes little, and in practice, most people cheat.
>
> Think testing. Software usability testing seems to be done rarely in the Microsoft world. It does no good to say "people should" this or that. Live in the real world, write software that actually, testably delivers the results you want it to.
>
> For example, consider software that actually _helps_ people create passwords that are both hard to guess and relatively easy to remember. No, it's not a silly idea, it exists, but it's not from Microsoft.
>
> /kenw
>
> > -----Original Message-----
> > From: Ben Scott [mailto:[EMAIL PROTECTED]
> > Sent: December-24-07 1:10 AM
> > To: NT System Admin Issues
> > Subject: Re: Audit recommendation
> >
> > On Dec 23, 2007 11:00 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > >> Brute force attacks can be effective against even long passwords,
> > >
> > > Really? How long do you think it would take you to brute force a 15 character, complex, password, over FTP?
> >
> > It all depends on how you define "long" and "complex". And I missed the part where this was over FTP. But yes, if you have a 20 character password consisting of an evenly-distributed random selection all possible characters one can type on a keyboard, and you're connected via remote Internet link, it will be very hard to brute force in reasonable time. Or even unreasonable time. But if you're on the LAN and the password is "jsmith02051982" or some other similar password that's very likely to be in actual use in the real world, then not so much.
> >
> > Yes, one can -- and, indeed, should -- decry weak passwords as a big practical security problem. That doesn't mean the situation isn't realistic. It also doesn't mean countermeasures against brute/dictionary attacks should be abandoned.
> >
> > > Total effort is more than writing a few lines of code (someone has to do the documentation, it needs to work other APIs,
> > > ISVs would need to be notified, SDKs/documentation would need to be updated, regression tests and threat models
> > > written and tested etc)
> >
> > I think you're being needlessly difficult here, so I'll respond in kind: Lack of documentation has never stopped Microsoft before. Working with other APIs is a no-op; this is a delay in the password validation routine, not something that communicates with other code. ISVs can presumably be notified via all the usual press release/newsletter. SDK is a no-op (ibid). Documentation you already mentioned. Threat models? All you need is something that repeatedly tries the same (incorrect) password. I can do that in a batch file.
> >
> > Regression testing is the one significant and legitimate objection in your list. Code/behavior changes can have surprising repercussions, and for something as commonly needed as password validation, there are a lot of places it could hit. Touché.
> >
> > But I maintain, compared to all the resources Microsoft puts into much less productive ends, this would be a justifiable and reasonable pursuit. But I suppose Microsoft has better things to do, like writing the next version of Active Windows Desktop Search Live Ultimate Edition .NET Professional. Hurmph.
> >
> > -- Ben
> >
> > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
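The progressive back-off that kenw and Ben discuss above (a growing delay in the password validation routine after consecutive failures), as an added illustration that is not code from any poster or from any Microsoft product. It assumes a doubling delay capped at five minutes that resets on success; the credential store, account names and timing values are constructed for the example, and `guesses_in_window` shows how few consecutive wrong guesses such a schedule lets through, which is the figure to weigh against the "15 character, complex, password" question.

```python
# Added example of progressive back-off on failed logons; not from any poster or
# product. Assumption: delay doubles per consecutive failure, capped, resets on
# success. All names and values are made up for illustration.
import hashlib
import hmac

FREE_ATTEMPTS = 3    # failures tolerated with no delay (ordinary typos)
BASE_DELAY = 1.0     # seconds after the FREE_ATTEMPTS-th failure
MAX_DELAY = 300.0    # cap so a flood of bad guesses cannot lock a user out for hours

def required_delay(failures):
    """Seconds the account must wait after its Nth consecutive failure."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)

def guesses_in_window(window_seconds):
    """Upper bound on wrong guesses one account absorbs within the window."""
    t, n = 0.0, 0
    while t <= window_seconds:
        n += 1
        t += required_delay(n)
    return n

def make_record(password, salt=b"constructed-salt"):
    """Constructed store entry (salt, SHA-256(salt || password)); not a real scheme."""
    return salt, hashlib.sha256(salt + password.encode()).digest()

class Authenticator:
    def __init__(self, users):
        self.users = users   # {name: (salt, digest)}, constructed sample data
        self.state = {}      # per-account failure counters and back-off deadlines

    def _check(self, user, password):
        # Unknown users get a dummy record so the work done is the same either way.
        salt, digest = self.users.get(user, (b"", b"\0" * 32))
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return user in self.users and hmac.compare_digest(candidate, digest)

    def attempt(self, user, password, now):
        """Returns (status, seconds) with status 'ok', 'denied' or 'backoff'."""
        st = self.state.setdefault(user, {"failures": 0, "locked_until": 0.0})
        if now < st["locked_until"]:             # still inside a back-off period
            return "backoff", st["locked_until"] - now
        if self._check(user, password):
            st["failures"] = 0
            return "ok", 0.0
        st["failures"] += 1
        delay = required_delay(st["failures"])
        st["locked_until"] = now + delay
        return "denied", delay
```

With these constants an account absorbs only 8 wrong guesses in the first minute and 22 in the first hour, so the schedule, not password length, bounds online guessing; a per-source-address counter alongside the per-account one is the usual companion so one flood cannot deny a legitimate user.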
