This is overkill.  While it certainly sounds as if this would require secure 
passwords, a situation has been created where passwords will be so difficult for users 
to remember that they'll be writing them down, or they'll just use a sequence to get 
past password changes (i.e. password1, password2, etc.).  Then all security goes out 
the window.  
An eight character minimum is a good policy, simply because of the way authentication 
works in NT.   A mix of upper and lower case is a good idea, because it makes brute 
force attacks much more difficult than they would be against only lower case passwords 
(52^8 vs. 26^8).  Brute force attacks shouldn't work anyway because you should be 
locking accounts after a few bad login attempts, but this still doesn't hurt.
Once you get beyond this point, I think you need to choose priorities.  If you want to 
require users to memorize stronger passwords, with digits and punctuation, it's not 
necessarily a good idea to also enforce frequent password changes.  If you want 
frequent changes, you might have to live with passwords that will be somewhat less 
secure but easier for users to remember.

btw, you might also want to find out about passfilt.dll:
http://support.microsoft.com/support/kb/articles/q161/9/90.asp?LNG=ENG&SA=TECH&FR=1


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: April 07, 2000 12:16
To: Mailing Lists
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: WinNT Passwords Policy
Here you go.

1)   Minimum of 10 characters (NT supports up to 14)
2)   Must contain at least one capitalized letter, one lower case letter and one
     digit (and if you want, one of ":;().,<>!@#$%^&*-_=+")
3)   Must not be similar to previous password
4)   Can not be any of the last 15 passwords
5)   Can not resemble the user ID
6)   Every user gets their own unique ID
7)   No shared IDs

That's about it.

--------------------------------------------------------------------------------
Jerry T. Kendall, CISSP                     Celestica International Inc.
Manager, Worldwide Information Security       12 Concorde Place, 7th Floor
Corporate Information Security                Toronto, Ontario, M3C 3R8, CANADA
http://www.celestica.com                      Tel: +1.416.386.7739
[EMAIL PROTECTED]                        Fax: +1.416.386.7707
--------------------------------------------------------------------------------


Mailing Lists <[EMAIL PROTECTED]> on 04/07/2000 12:06:55 PM

 To:      [EMAIL PROTECTED],
          [EMAIL PROTECTED]

 cc:      (bcc: Jerry Kendall/Inc/Celestica)

 Subject: WinNT Passwords Policy

Hi all,

I'd like to have your opinion and personal experience regarding what policy
to implement when dealing with passwords on a pure Windows Network (Windows
98, Windows NT 4 workstation and servers, Windows NT 2000 professional and
server).  The NT domain is based on a NT Server 4 SP5, and the users get
mail from MS Exchange 5.5 SP3.

At my old job, we had a mixed environment of WinNT, Linux and Suns, so the
policy was to have a password at least 8 characters long, containing
upper and lower case letters, numbers and one of these:
:;().,<>!@#$%^&*-_=+

I just want your opinion as to whether, in a pure NT environment, I need to
have something that strict, or whether I can loosen it up a little and keep the
same strength.

What is your opinion and what do you use/recommend in that matter?

Thanks!

  -+-
Mario Biron, CCA, System Administrator
DNRC Title: Official and Proud Sponsor of the Y2K Problem

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

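As an added illustration (not code from any poster in this thread), the checker below implements content rules 1 to 5 of the policy Jerry lists, the 52^8 versus 26^8 keyspace comparison from the reply, and a "sequence" check for the password1/password2 pattern the reply warns about. Rules 3 and 5 are stated loosely in the thread, so the interpretations chosen here (previous password with digits stripped; user ID contained in the password or vice versa) are assumptions, as are the sample passwords.

```python
import math

# The optional punctuation set quoted in the thread.
PUNCTUATION = ':;().,<>!@#$%^&*-_=+'
NT_MAX_LEN = 14          # the thread says NT supports up to 14 characters
HISTORY_DEPTH = 15       # rule 4: none of the last 15 passwords


def keyspace_bits(alphabet_size, length):
    """log2 of the brute-force keyspace, e.g. 52^8 vs 26^8 from the reply."""
    return length * math.log2(alphabet_size)


def _strip_digits(s):
    # Assumed reading of rule 3: "password1" and "password2" are "similar".
    return ''.join(c for c in s.lower() if not c.isdigit())


def check_policy(password, user_id, history=(), min_len=10, require_punct=False):
    """Return the list of policy violations (empty list means the password passes).

    Implements rules 1-5 of the posted policy; rules 6 and 7 concern account
    provisioning rather than password content, so they are not checked here.
    """
    problems = []
    if not (min_len <= len(password) <= NT_MAX_LEN):
        problems.append(f"length must be {min_len}-{NT_MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if require_punct and not any(c in PUNCTUATION for c in password):
        problems.append("needs one of " + PUNCTUATION)
    # Rule 5, assumed reading: user ID inside the password or the reverse,
    # compared case-insensitively.
    low_pw, low_id = password.lower(), user_id.lower()
    if low_id and (low_id in low_pw or low_pw in low_id):
        problems.append("resembles the user ID")
    # Rule 4: exact match against the last 15 passwords.
    recent = list(history)[-HISTORY_DEPTH:]
    if password in recent:
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    # Rule 3: previous password with the digits removed must differ.
    if recent and _strip_digits(password) == _strip_digits(recent[-1]):
        problems.append("too similar to the previous password")
    return problems
```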