Mailing Lists wrote:
> 
> I'd like to have your opinion and personal experience regarding what
> policy to implement when dealing with passwords on a pure Windows 
> Network (Windows 98, Windows NT 4 workstation and servers, Windows 
> NT 2000 professional and server).  The NT domain is based on a NT 
> Server 4 SP5, and the users get mail from MS Exchange 5.5 SP3.
> 
> At my old job, we had a mixed environment of WinNT, Linux and Suns, 
> so the policy was to have a password of at least 8 characters long, 
> containing upper and lower case letters, numbers and one of those:
> :;().,<>!@#$%^&*-_=+
> 
> I just want your opinion as to know if in a pure NT environment, I 
> need to have something that strict, or I can loosen it up a little 
> and keep the same strength.

All of this is IMHO, of course.  Keep the old rules.  At the request
of our users, we periodically loosened up the restrictions based on
assurances that users would pick strong passwords and change them
periodically -- and then we ran crack tools to test.  On a regular
basis, our Windows users' passwords failed, while our users who were
more familiar with *nix strictures successfully passed.  We
tightened up the rules again.

Since passwords are a frequent point of failure, it is important to
keep the rules fairly strict.

(One caveat -- if the rules are -too- strict, we found that people
were picking very good passwords -that they couldn't remember-, and
thus were writing them down in semi-obvious places.  There should be
a balance between easy to type and/or remember and hard to guess,
which is always a tight line to tread.)

> What is your opinion and what do you use/recommend in that matter?

Well, for one thing, if you're in an environment that needs local
security, I'd reduce my dependence on Windows 95/98 machines.  For
some sites, the lack of security at the desktop level may not be an
issue, though, since there is security which meets most needs at the
network level.

-- LJM