Yes, no,....yes...no. You definitely need 'strong' passwords. And they definitely need to be changed on some time basis. The complexity of the password and the time length and schedule of changing depends on the environment. Are you protecting Top Secret Data or a single computer containing family recipes?
Passwords are a hot topic and I'm sure that not only have you gotten tons of mail, but the moderator has surely filtered much sent to the list out. Here are some core reasons followed by some links that can help you make your own decisions about security.

Complexity: length and containing characters like 0-9 or #$%&^*@# etc.
Reasoning: longer strings and an increased search space make 'guessing' or brute forcing a password harder. If it's only alphabetic, each character adds a power of 26 tries; if you add numbers, each character adds 36, etc. Using non-dictionary words reduces the chance of a dictionary-based attack (it's easier to guess all the words in a dictionary than all the character combinations). In most cases length only matters to a certain point: most systems will take short passwords and pad them to a certain length, and likewise take long passwords and chop off the extra characters to make them a certain length.

Changing: this is a more interesting topic. The complexity depends on the system (implementation) and the risk (what you are protecting). The changing of the password is more about policy. If you are preventing a 'brute force' attack, you might fund a study that shows on average a sufficiently complex password takes 100 days to 'break' or 'guess.' In that case you might set a policy that requires users to change the password every 90 days. But also, how computer-savvy is your user base? If you make users change it too often, you'll end up with users that choose very complex passwords like "afd*&^Dfh33" but then write it on a POST-IT note and put it on their monitor or under the keyboard - obviously something we don't want to happen. Do you even want to have them change on a regular basis? Generally the more information that a "Bad Guy" knows, the better his odds are. If he knows that you are going to change your password next Tuesday, because he knew you changed it 67 days ago, he can start to mount a much more targeted Social Engineering attack.
Anyway, I guess the answer is yes...no wait no...well "it depends."

-tim

http://www.sans.org/rr/authentic/sec_access.php
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
http://www.sans.org/top20/#W7
http://www.microsoft.com/security/articles/password.asp ;-)
http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwords/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 17, 2003 1:02 PM
To: [EMAIL PROTECTED]
Subject: passwords

Hello all, one of the favorite subjects in my company seems to be the strength of passwords. We force our users to change their mail password every 90 days. Does this make sense? Why?

--
ullmic
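As an added example (not part of tim's reply or ullmic's question), the following Python calculator works through the search-space reasoning in the reply: the charset size (26 for alphabetic, 36 with digits), the number of characters that actually count once a system truncates the password, the worst-case and expected time for an attacker at an assumed guess rate, and the rotation interval implied by the "100 days to break, change every 90" argument. The guess rate, the truncation limit and the larger charsets (62 and 94) are assumptions for illustration, not figures from the thread.

```python
"""Password search-space and rotation-interval calculator (added example)."""
import math

# Assumed inputs, not from the thread: an attacker's brute-force guess rate
# and a system that only keeps the first N characters of a password.
ASSUMED_GUESSES_PER_SECOND = 1_000_000.0
ASSUMED_MAX_EFFECTIVE_LENGTH = 8

# Charset sizes: 26 and 36 come from the reply; 62 (mixed case + digits) and
# 94 (printable ASCII without space) are added here for comparison.
CHARSETS = {
    "alphabetic (a-z)": 26,
    "alphanumeric (a-z, 0-9)": 36,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 94,
}


def search_space(charset_size, length, max_effective_length=None):
    """Number of distinct passwords of `length` symbols from a charset.

    If the system truncates passwords to `max_effective_length` (as the
    reply notes some systems do), only the surviving characters count,
    so a 12-character password on an 8-character system is no stronger
    than an 8-character one.
    """
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    effective = length
    if max_effective_length is not None:
        effective = min(length, max_effective_length)
    return charset_size ** effective


def bits_of_entropy(space):
    """Search space expressed as bits; each extra alphabetic char adds ~4.7."""
    return math.log2(space)


def days_to_exhaust(space, guesses_per_second):
    """Worst case: days for an attacker to try every password in the space."""
    return space / guesses_per_second / 86400.0


def expected_days_to_guess(space, guesses_per_second):
    """On average the right password is found halfway through the space."""
    return days_to_exhaust(space, guesses_per_second) / 2.0


def rotation_interval_days(expected_break_days, margin=0.9):
    """The reply's policy argument: if a password takes ~100 days to guess on
    average, force a change before then (100 days * 0.9 -> 90 days)."""
    return int(round(expected_break_days * margin))


def compare_charsets(length, guesses_per_second, max_effective_length=None):
    """Report space, entropy and expected crack time for each charset."""
    report = {}
    for name, size in CHARSETS.items():
        space = search_space(size, length, max_effective_length)
        expected = expected_days_to_guess(space, guesses_per_second)
        report[name] = {
            "space": space,
            "bits": round(bits_of_entropy(space), 1),
            "expected_days": expected,
            "rotate_every_days": rotation_interval_days(expected),
        }
    return report


if __name__ == "__main__":
    # Compare an 8-character and a 12-character password on a system that
    # silently truncates to 8: the extra four characters buy nothing.
    for length in (8, 12):
        print(f"length {length}, effective max {ASSUMED_MAX_EFFECTIVE_LENGTH}:")
        report = compare_charsets(length, ASSUMED_GUESSES_PER_SECOND,
                                  ASSUMED_MAX_EFFECTIVE_LENGTH)
        for name, row in report.items():
            print(f"  {name:32s} {row['bits']:5.1f} bits "
                  f"~{row['expected_days']:.1f} days to guess, "
                  f"rotate every {row['rotate_every_days']} days")
```

Running it shows the two points the reply makes numerically: adding digits to the charset grows the space by a factor of (36/26)^n, and once the system truncates, a longer password gives the same numbers as the truncated one, so the rotation interval a policy can justify depends on the effective length, not the typed one.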