From: dave kleiman (dave@davekleiman.com)
Date: Fri Jan 20 2006 - 00:45:29 EST
You might want to take a look at:
Perfect Passwords: http://www.syngress.com/catalog/?pid=3420
It is an excellent resource for helping to decide a password policy length.
It is quick read, and not that expensive ($17 at Amazon):
http://www.amazon.com/gp/product/1597490415/qid=1137735625/sr=8-1/ref=pd_bbs
_1/102-4158278-9985763?n=507846&s=books&v=glance
And the free version of LC5??, maybe we can keep it around for a little
while:
http://www.lcpsoft.com/english/comparison.htm
Dave
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@pacbell.net]
Sent: Thursday, January 19, 2006 13:42
To: pen-test@securityfocus.com
Subject: [Fwd: Re: Secure Password Policy?]
-------- Original Message --------
Subject: Re: Secure Password Policy?
Date: Thu, 19 Jan 2006 10:41:31 -0800
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<sbradcpa@pacbell.net>
To: Sulaiman, Wilmar <wsulaiman@siddharta.co.id>,
wsulaiman@siddharta.co.id
References:
<5F63869CFE03124796730178626BF04D02476B95@IDJKTEXC92.id.kwo
rld.kpmg.com>
Your password policy should not be 6.. .but as long as
deemed appropriate for the risk of the device you are protecting.
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/
itproviewpoint100504.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/
itproviewpoint091004.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3
-- TechNet Column - Security Management - December 2004:
http://www.microsoft.com/technet/community/columns/secmgmt/
sm1204.mspx
If lmhashes are enabled in a firm, a 6 character password
is trivial to break/sniff with LC5 [well until Symantec
sunsets it anyway....]
Protecting your Windows Network [Johansson/Riley] has an
excellent chapter on passwords.
http://www.protectyourwindowsnetwork.com/default.htm
Sulaiman, Wilmar wrote:
>Dear all,
>
>I noticed that "best practice" for Minimum password
length policy is
>either 6 or 8 characters. I guess SANS institute considered a weak
>password if it is less than 8 characters.
>
>I would like to know where they derived the number (6 and
8 characters).
>Is there any documentation to backup it up why the best
practice for
>minimum password length is set to 6?
>
>Wilmar Sulaiman
>Risk Advisory Services
>KPMG Siddharta Siddharta & Widjaja
>32nd Floor, GKBI Building
>28, Jl. Jend. Sudirman
>Jakarta 10210, Indonesia
>J : +62 (0) 21 574 2333
>Fax : +62 (0) 21 574 1777
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT