Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Password Management

from [Donald N Kenepp] Network Security [Permanent Link]
Subject: RE: Password Management
Date: Mon, 24 Apr 2006 17:50:06 -0400 
Hi All,

  There are several reasons the number seven had been popular in the past.

  Seven might have been seen as an optimal number for passwords at one point
because seven is commonly held as the average number of characters people
are capable of easily remembering.  The truth to this I would have to yield
to the scientists and our phone systems.

  Rather than rewrite someone else's research on password length
recommendations, I'll just toss up a couple quick resources.  The first is
from the archives of Security Focus.  Please note that the article *is* old
and brief; do not stop your research at this article.
 
http://www.securityfocus.com/infocus/1319
http://web.textfiles.com/hacking/advisory.txt

  The second link is to what I believe is some of the original L0phtcrack
information the Security Focus article references.  Again, it should merely
begin to explain where the number seven is coming from.

  You'll have to look around for more details about your specific system
setup and how to best secure it based on the authentication methods you are
using.  While in general the longer the password, the better it will hold
up, password complexity and the encryption algorithm in use play key
factors.

  Sincerely,
    Donald

  

-----Original Message-----
From: Christopher Carpenter [mailto:ccarpenter@dswa.net] 
Sent: Friday, April 21, 2006 4:06 PM
To: Jason T. Hallahan; Crawley, Jim
Cc: security-basics@securityfocus.com
Subject: RE: Password Management

That's patently false.  The longer the password, the better it will hold
up against brute force attacks.  Length and complexity also provide a
measure of protection against those using rainbow tables.

Rainbow Tables (Wikipedia) 
http://en.wikipedia.org/wiki/Rainbow_table

Password Recovery Speeds (Lockdown.co.uk)
http://www.thecrypt.co.uk/lockdown/recovery_speeds.html

Chris

-----Original Message-----
From: Jason T. Hallahan [mailto:jthallah@gmail.com] 
Sent: Friday, April 21, 2006 10:54 AM
To: Crawley, Jim
Cc: security-basics@securityfocus.com
Subject: Re: Password Management

I read somewhere that the optimal password length for a Windows system
is actually 7 alphanumeric characters... can anyone verify or expand
on that?

On 4/20/06, Crawley, Jim <Jim.Crawley@yrbrands.com> wrote:

        Post-it notes on the monitor.



        Really though, it's all pretty straight forward.  Minimum 6-8
characters, no maximum (try to encourage pass-phrases as they're

easier

to remember and harder to guess than simple words), complexity
(combination of alphanumeric characters), 60 day expiration, 5-20
password history.  No exceptions.  None, at all.  Nill.  Nada.  Zip.

        Most programs/systems there's not much you can do about the
storage of the passwords in the system itself, but if you're talking
about end-users then your biggest worry will be what I said in my

first

line.  The best way to avoid this is probably to try to integrate as
many systems as you can to use the same accounts.

        Right now we're working on getting all our in-house and
supplier-built systems working off our Active Directory accounts

pulling

the passwords via Kerberos from our domain controllers.  This however
will also cause the issue of one system being compromised and they all
get compromised.  It's a risk/benefit write-off thing - we think the
risk is worth it as the other option IS the dreaded post-it notes.


-----Original Message-----
From: Securi Net [mailto:securinet2004@yahoo.ca]
Sent: Friday, 21 April 2006 2:44 AM
To: security-basics@securityfocus.com
Subject: Password Management

Hello list members,

Does anyone know of any password management standards that are out
there?

I am looking at drafting an Enterprise wide strategy for managing
passwords, which should encompass change, exceptions to change,

password

storage security, secure practices, categorization of accounts, etc.

What I am trying to accomplish is to give a robust and resilient
structure to all the best practices out there around password
management.

I don't expect to find a silver bullet, but would welcome any

feedback.


Regards

CP

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com



------------------------------------------------------------------------

-
This List Sponsored by: Webroot

Don't leave your confidential company and customer records

un-protected.


Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php


------------------------------------------------------------------------

--




------------------------------------------------------------------------
-

This List Sponsored by: Webroot

Don't leave your confidential company and customer records

un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php


------------------------------------------------------------------------
--





------------------------------------------------------------------------
-
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------





-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Réf. : Re: malware block my PC for to enter in internet, possible?, Michael Shum
Next by Date:  RE: Password Management, cv arun
Previous by Thread:  Re: Password Management, Stephen John Smoogen
Next by Thread:  RE: Password Management, cv arun
Indexes:  [Date] [Thread] [Top] [All Lists]