Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Fwd: Re: Secure Password Policy?]

from [dave kleiman] Network Security [Permanent Link]
Subject: RE: [Fwd: Re: Secure Password Policy?]
Date: Fri, 20 Jan 2006 00:45:29 -0500 
You might want to take a look at:

Perfect Passwords: http://www.syngress.com/catalog/?pid=3420
It is an excellent resource for helping to decide a password policy length.

It is quick read, and not that expensive ($17 at Amazon):
http://www.amazon.com/gp/product/1597490415/qid=1137735625/sr=8-1/ref=pd_bbs
_1/102-4158278-9985763?n=507846&s=books&v=glance


And the free version of LC5??, maybe we can keep it around for a little
while:
http://www.lcpsoft.com/english/comparison.htm


Dave


     -----Original Message-----
     From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
     [mailto:sbradcpa@pacbell.net]
     Sent: Thursday, January 19, 2006 13:42
     To: pen-test@securityfocus.com
     Subject: [Fwd: Re: Secure Password Policy?]



     -------- Original Message --------
     Subject:   Re: Secure Password Policy?
     Date:      Thu, 19 Jan 2006 10:41:31 -0800
     From:      Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
     <sbradcpa@pacbell.net>
     To:        Sulaiman, Wilmar <wsulaiman@siddharta.co.id>,
     wsulaiman@siddharta.co.id
     References:
     <5F63869CFE03124796730178626BF04D02476B95@IDJKTEXC92.id.kwo
rld.kpmg.com>



     Your password policy should not be 6.. .but as long as
     deemed appropriate for the risk of the device you are protecting.

     The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
     http://www.microsoft.com/technet/security/secnews/articles/
     itproviewpoint100504.mspx
     The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
     http://www.microsoft.com/technet/security/secnews/articles/
     itproviewpoint091004.mspx
     The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3
     -- TechNet Column - Security Management - December 2004:
     http://www.microsoft.com/technet/community/columns/secmgmt/
     sm1204.mspx

     If lmhashes are enabled in a firm, a 6 character password
     is trivial to break/sniff with LC5 [well until Symantec
     sunsets it anyway....]

     Protecting your Windows Network [Johansson/Riley] has an
     excellent chapter on passwords.
     http://www.protectyourwindowsnetwork.com/default.htm


     Sulaiman, Wilmar wrote:

     >Dear all,
     >
     >I noticed that "best practice" for Minimum password
     length policy is
     >either 6 or 8 characters. I guess SANS institute considered a weak
     >password if it is less than 8 characters.
     >
     >I would like to know where they derived the number (6 and
     8 characters).
     >Is there any documentation to backup it up why the best
     practice for
     >minimum password length is set to 6?
     >
     >Wilmar Sulaiman
     >Risk Advisory Services
     >KPMG Siddharta Siddharta & Widjaja
     >32nd Floor, GKBI Building
     >28, Jl. Jend. Sudirman
     >Jakarta 10210, Indonesia
     >J : +62 (0) 21 574 2333
     >Fax : +62 (0) 21 574 1777
     >




------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: DoS problem., Matthew Baker
Next by Date:  Re: Secure Password Policy?, Tim
Previous by Thread:  [Fwd: Re: Secure Password Policy?], Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Next by Thread:  Pen-Testing a japanese site..., Dhruv Soi
Indexes:  [Date] [Thread] [Top] [All Lists]