[unisog] Password policies

Jim Dillon Jim.Dillon at cusys.edu
Wed Apr 19 16:21:47 GMT 2006

New password policies are being defined, but the last stage agreement
for a minimum standard across the campuses was:


8 Chars.

3/4 hardening factors

No Dictionary Words (where possible and applicable, not always on low
risk systems)

Quarterly (90 Day) Change

Limited tries.  (5 was thrown around, but the actual number is in debate
due to DOS possibilities)


These factors will then change appropriately based on the sensitivity of
the data and computing assets being protected.  Essentially strengthened
accordingly based on risk assessment factors.


I propose that change schedules should reflect common business cycles,
such as seasonal hire/fire cycles, or in an educational institution,
semesterly cycles might make more sense, for the average system.  This
will catch many of the turnover issues, which is where the majority of
the value is.


On limiting tries, I suggest a large number.  If the other factors are
all in place, 100 guesses will still get you nowhere, neither will 1000.
Might as well make it a tad harder to DOS the system.  The point is to
force time breaks such that brute force attempts cannot be pursued
successfully.  Then a simple delay/lockout, say 10-15 minutes would
still be largely sufficient to hamper brute force methods.


On the brighter side, the effectiveness of passwords in the face of
spyware, rainbow tables, rootkits, keyboard loggers and the like is
pitiful, and with only a slight growth in the percentage of infections
of these sorts, the password as a stand-alone security construct will be
dead.  Only when combined with a secondary authenticator (a have or
"are" factor) will passwords have any meaningful contribution to
security access and providing authentication.


Best regards,
Jim Dillon, CISA, CISSP

IT Audit Manager, CU Internal Audit

jim.dillon at cusys.edu
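
Added example, not part of Jim's message or any CU policy document: a small Python model of the minimum standard listed above (8 characters, 3 of 4 hardening factors, no dictionary words) together with a high-threshold try limit and a timed lockout, as the message argues for. The interpretations of "hardening factors" as character classes, the 100-try limit and the 15-minute lockout are assumptions, and the dictionary is a constructed stand-in for a real word list.

```python
import string

# Minimum standard from the message; values not stated there are assumptions.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3          # "3/4 hardening factors" read as 3 of 4 character classes
MAX_TRIES = 100               # large limit, as the message suggests, to resist DoS
LOCKOUT_SECONDS = 15 * 60     # "10-15 minute" delay/lockout

# Constructed stand-in for a real dictionary word list
DICTIONARY = {"password", "welcome", "university", "campus", "summer"}

def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)

def contains_dictionary_word(pw, words=DICTIONARY):
    """Reject passwords built around a dictionary word (case-insensitive substring)."""
    low = pw.lower()
    return any(w in low for w in words)

def policy_violations(pw, words=DICTIONARY):
    """Return the rules the password fails; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if character_classes(pw) < REQUIRED_CLASSES:
        problems.append("classes")
    if contains_dictionary_word(pw, words):
        problems.append("dictionary")
    return problems

class LoginThrottle:
    """Per-account failed-attempt counter with a time-based lockout window."""
    def __init__(self, max_tries=MAX_TRIES, lockout=LOCKOUT_SECONDS):
        self.max_tries, self.lockout = max_tries, lockout
        self.failures = {}      # account -> (failure count, time of last failure)
    def is_locked(self, account, now):
        count, last = self.failures.get(account, (0, 0))
        return count >= self.max_tries and now - last < self.lockout
    def record_failure(self, account, now):
        count, last = self.failures.get(account, (0, 0))
        if count >= self.max_tries and now - last >= self.lockout:
            count = 0           # lockout expired: start a fresh counting window
        self.failures[account] = (count + 1, now)
    def record_success(self, account):
        self.failures.pop(account, None)
```

The throttle keys on the account, so a lockout only slows guessing against that one account and never refuses a correct login outright once the delay has elapsed.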
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Seth Shestack
Sent: Wednesday, April 19, 2006 8:11 AM
To: unisog at lists.sans.org
Subject: [unisog] Password policies


We are looking at strengthening our password policy as part of a web
single sign on project.

When we presented a proposed password policy, we were asked, What do
other Universities do?


Some questions:

1. Do you have a password requirements policy?

2. Do you mandate password changes?

3. If so what is the frequency of these changes?

4. What are your password complexity rules?

5. What are your password history rules?
