FIPS 112 - Password Usage:
http://www.itl.nist.gov/fipspubs/fip112.htm
*3.3 Lifetime*
The security provided by a password depends on its composition, its
length, and its protection from disclosure and substitution. The risk
associated with an undetected compromise of a password can be minimized
by frequent change. If a password has been compromised in some way and
if a new password is created that is totally independent of the old
password, then the continued risk associated with the old password is
reduced to zero. Passwords thus should be changed on a periodic basis
and must be changed whenever their compromise is suspected or confirmed.
The useful lifetime of a password depends on several variables, including:
* The cost of replacing a password;
* The risk associated with compromise;
* The risk associated with distribution;
* The probability of "guessing" a password;
* The number of times the password has been used;
* The work of finding a password using exhaustive trial and error methods.
Password systems should have the capability of replacing the password
quickly, initiated either by the user or the Security Officer. Passwords
should be changed voluntarily by the owner whenever compromise is
suspected and should be changed periodically with a maximum interval
selected by the Security Officer. The interval may be a period of time
or depend on a number of uses. The password system itself should have
automated features which enforce the change schedule and all the
security criteria for the installation. The system should check that the
new password is not the same as the previous password. Very sensitive
applications may require that a new password not be the same as any of
the previous two, three, ..., N passwords. Such a system requires
storage for N passwords for each user. It should not be a requirement of
a system that the password for each user be unique. Having a new
password rejected for this reason confirms that another user has the
password.
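One way to implement the lifetime rules in that FIPS 112 section (a change interval by time or by number of uses, rejection of any of the last N passwords, and no cross-user uniqueness check), as an added example that is not from the original thread or from the standard; the class name, the PBKDF2 round count and the 90-day default are assumptions:

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000  # assumption: kept low so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so retained history entries are not reusable plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    history: list = field(default_factory=list)  # last N (salt, digest); newest last
    set_at: float = 0.0
    uses: int = 0


class PasswordPolicy:
    def __init__(self, history_len=3, max_age=90 * 86400, max_uses=None):
        self.history_len = history_len  # the N previous passwords to retain
        self.max_age = max_age          # interval as a period of time (seconds)
        self.max_uses = max_uses        # or as a number of uses (None = no limit)
        self.accounts = {}

    def change_password(self, user: str, new_pw: str, now=None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.setdefault(user, Account())
        # Reject reuse of any of the last N passwords, each checked under its own salt.
        for salt, digest in acct.history:
            if hmac.compare_digest(_hash(new_pw, salt), digest):
                return "rejected: matches one of the previous %d passwords" % self.history_len
        salt = os.urandom(16)
        acct.history.append((salt, _hash(new_pw, salt)))
        acct.history = acct.history[-self.history_len:]  # storage for N per user
        acct.set_at, acct.uses = now, 0
        return "ok"

    def authenticate(self, user: str, pw: str, now=None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or not acct.history:
            return "no-password"
        salt, digest = acct.history[-1]
        if not hmac.compare_digest(_hash(pw, salt), digest):
            return "bad-password"
        # Lifetime checks run only after verification, so a wrong guess learns nothing.
        if now - acct.set_at > self.max_age:
            return "expired: max age"
        if self.max_uses is not None and acct.uses >= self.max_uses:
            return "expired: max uses"
        acct.uses += 1
        return "ok"
```

Note that nothing checks whether another user already has the same password: per the FIPS text, such a rejection would confirm to the requester that someone else holds it.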
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
Password cracking programs are why passwords are changed
The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx
Ramon Linan wrote:
All these comments are great. Does anyone have a URL or document with a
list of reasons for having passwords expire, or explaining why it is
not a good thing to have non-expiring passwords?
Thanks
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP
Interesting point.... It doesn't mean a darn thing, but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password
related security breaches. What a shame it wouldn't be enforceable!
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP
I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.
Consider as well that when I walk into Bank of America they are running
DOS based apps.
I wouldn't use "banks" as a shining example of security policy...when
BofA has
1. allowed Slammer to nail their ATM networks
2. lost backup tapes causing identity theft
as two such shining examples of security policy in action.
Who's going to be on the firing line when something happens? Bank of
America? Or your buns?
If it's your buns, are you comfortable with not changing passwords?
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
I have been involved in externally facing Microsoft sponsored
extranet/Sharepoint sites.
The password gets changed.
We have a GUI web portal and we are forced to change the password.
Sales people set your security policy these days?
Ramon Linan wrote:
Hi,
I have a SharePoint site for a client. It is driving me crazy because
the sales people are telling me that the users for this site can't
have their passwords expiring. The client is a government agency, so I
don't want to be responsible for any information being stolen.
How big of a security risk is not having passwords expire? It
seems to me like security 101, but the sales guy is saying that
banks don't ask you to change your password every X days. Good point.
Something I was thinking is having SharePoint authenticate with
their LDAP server. Is this possible to do? Can anybody point to a URL
on how to do this?
Thanks
Rezuma
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx