Network Security: Detailed info on Re: Why doesn't Amazon enforce a password policy?

Subject:	Re: Why doesn't Amazon enforce a password policy?
Date:	Fri, 27 Oct 2006 08:41:39 -0400

Admittedly it's been a long time since I bought something on there,
but don't you have to enter the credit number ever time, regardless of
having logged in and used it before? (Correct me if I'm wrong, as I
very likely could be..) So there's really nothing in your Amazon user
profile worth protecting beyond the most basic efforts.

Does this also apply to your company?

On 10/24/06, James Strassburg <JStrassburg@directs.com> wrote:

There is a small war going on where I work.  I am trying to get a
password policy enforced for our web applications and certain business
leaders are opposing it.  There are two areas of opposition:

1. Minimum password length of 6 (currently 4, 6 was going to be a
compromise).
2. Expiration of passwords (currently none).

Strength requirements on the password content seems to be ok with them.

These leaders compare our business with Amazon (a bit of a reach but we
go with it for argument's sake) and their main argument for not
enforcing a minimum password length and password expiration is that
Amazon doesn't do it.

How should I go about convincing them that Amazon.com is wrong and the
fact that they haven't had a severe account breach is no reason not to
implement a policy ourselves?  Or, to play devil's advocate with myself,
if I'm wrong, why doesn't Amazon enforce a password policy?

On a side note, the development work for implementing the policy is
already done.  It was done as part of a separate project and just not
turned on until this argument could be resolved so there will be almost
no development cost associated with implementing the policy.

Thanks for your feedback.

James Strassburg


-------------------------------------------------------------------------
Sponsored by: Watchfire

Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have
seen, and outlines a guideline for developing secure web applications.
Download our The Twelve Most Common Application-level Hack Attacks
whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008YTi
--------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan delivers new remediation capabilities, key regulatory compliance reporting, and productivity enhancements that dramatically improve, automate and streamline users' ability to quickly find, remediate and manage web application security vulnerabilities. Change the way you think about application security testing - download AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTE
--------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Why doesn't Amazon enforce a password policy?, Tom Whiting Re: Why doesn't Amazon enforce a password policy?, Jeff Robertson <= RE: Why doesn't Amazon enforce a password policy?, James Strassburg Re: Why doesn't Amazon enforce a password policy?, Jeff Robertson Re: Why doesn't Amazon enforce a password policy?, Gunnar Rene Øie Re: Why doesn't Amazon enforce a password policy?, Gunnar Rene Øie RE: Why doesn't Amazon enforce a password policy?, Brooks, Shane Re: Why doesn't Amazon enforce a password policy?, Jamie Riden RE: Why doesn't Amazon enforce a password policy?, Jason Gregson

Previous by Date:	Re: Why doesn't Amazon enforce a password policy?, Tom Whiting
Next by Date:	RE: Why doesn't Amazon enforce a password policy?, James Strassburg
Previous by Thread:	Re: Why doesn't Amazon enforce a password policy?, Tom Whiting
Next by Thread:	RE: Why doesn't Amazon enforce a password policy?, James Strassburg
Indexes:	[Date] [Thread] [Top] [All Lists]