On Thursday 19 January 2006 18:06, Mike Harlan wrote:
I believe that the 6-8 rule is in place because it would take an extremely
long time (or lucky guess) to crack the password at this length.
Especially when used with the other recommended practices (uppercase,
lowercase, special characters, numbers). Also, remember that we have to
put forth as much effort to protect our info as we think that it is worth
to us or our customers.
"... an extremely long time..." , what long can that be for example? 1 week,
month?
-----Original Message-----
From: Sulaiman, Wilmar [mailto:wsulaiman@siddharta.co.id]
Sent: Thursday, January 19, 2006 5:12 AM
To: pen-test@securityfocus.com
Subject: Secure Password Policy?
Dear all,
I noticed that "best practice" for Minimum password length policy is either
6 or 8 characters. I guess SANS institute considered a weak password if it
is less than 8 characters.
I would like to know where they derived the number (6 and 8 characters).
Is there any documentation to backup it up why the best practice for
minimum password length is set to 6?
Wilmar Sulaiman
Risk Advisory Services
KPMG Siddharta Siddharta & Widjaja
32nd Floor, GKBI Building
28, Jl. Jend. Sudirman
Jakarta 10210, Indonesia
J : +62 (0) 21 574 2333
Fax : +62 (0) 21 574 1777
**********************************************************************
The information in this e-mail is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this e-mail
by anyone else is unauthorized. If you have received this communication in
error, please address with the subject heading "Received in error," send to
postmaster@siddharta.co.id, then delete the e-mail and destroy any copies
of it. If you are not the intended recipient, any disclosure, copying,
distribution or any action taken in reliance on it, is prohibited and may
be unlawful. Any opinions or advice contained in this e-mail are subject to
the terms and conditions expressed in the governing Siddharta Siddharta &
Widjaja/PT Siddharta Consulting client engagement letter. Opinions,
conclusions and other information in this e-mail and any attachments that
do not relate to the official business of the firm are neither given nor
endorsed by it.
Siddharta Siddharta & Widjaja/PT Siddharta Consulting cannot guarantee that
e-mail communications are secure or error-free, as information could be
intercepted, corrupted, amended, lost, destroyed, arrive late or
incomplete, or contain viruses.
Siddharta Siddharta & Widjaja - Registered Public Accountants, registered
in Indonesia, is a member firm of KPMG International. PT Siddharta
Consulting, a limited liability company registered in Indonesia, is a
member firm of KPMG International. KPMG International is a Swiss
cooperative of which all KPMG firms are members. KPMG International
provides no professional services to clients. Each member firm is a
separate and independent legal entity and each describes itself as such.
This footnote also confirms that this e-mail message has been swept by
MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com
for more information.
**********************************************************************
---------------------------------------------------------------------------
- --
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
---------------------------------------------------------------------------
- ---
---------------------------------------------------------------------------
--- Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
---------------------------------------------------------------------------
----
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
