
Re: Why doesn't Amazon enforce a password policy?

Subject: Re: Why doesn't Amazon enforce a password policy?
Date: Sat, 28 Oct 2006 18:11:44 +1300
On 25/10/06, James Strassburg <JStrassburg@directs.com> wrote:
> There is a small war going on where I work.  I am trying to get a
> password policy enforced for our web applications and certain business
> leaders are opposing it.  There are two areas of opposition:
>
> 1. Minimum password length of 6 (currently 4, 6 was going to be a
> compromise).
> 2. Expiration of passwords (currently none).
>
> Strength requirements on the password content seems to be ok with them.
>
> These leaders compare our business with Amazon (a bit of a reach but we
> go with it for argument's sake) and their main argument for not
> enforcing a minimum password length and password expiration is that
> Amazon doesn't do it.

If you're losing more revenue by putting customers off with your password policy than you make by enforcing one, it's not 'worth' doing. At least, if you think about it purely in terms of ROI, but that is how some people think about it.

Now, I doubt Amazon lose many sales because people are concerned about
their lack of a password policy - the canny ones will use a decent
password anyway, and the rest don't mind. But if you make the
customer's life difficult, some will give up on the site. (I'm not
saying you shouldn't enforce a password policy despite this - I would
push it, but then I'm not an accountant.)

Can't you make the strength requirements 'at least n bits of entropy'?
That should make up for not having a length requirement, and that's
all the minimum length is meant to achieve anyway. And make sure you
do the ROI calculations for *your* business model and don't let them
get away with the 'we're nearly Amazon, we'll do what they do' thing.

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr@europe.com / jamie.riden@gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/
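As an added example (not code from the thread or from either poster), a Python sketch of the 'at least n bits of entropy' check suggested above: it estimates entropy from the character classes used, so a short password drawn from a large alphabet can pass while a longer single-class one may not. The 28-bit threshold and the tiny blocklist are constructed assumptions, not values from the thread.

```python
import math
import string

# Character classes used for the crude alphabet-size estimate.
_CLASSES = (
    set(string.ascii_lowercase),   # 26 symbols
    set(string.ascii_uppercase),   # 26 symbols
    set(string.digits),            # 10 symbols
    set(string.punctuation),       # 32 symbols
)

# Constructed blocklist: an entropy estimate alone rates dictionary words
# highly, so a policy also needs to reject obviously guessable strings.
_BLOCKLIST = {"password", "123456", "qwerty"}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from.
    Characters outside the four classes (e.g. non-ASCII) count one each."""
    size = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in password))
    extra = {ch for ch in password if not any(ch in cls for cls in _CLASSES)}
    return size + len(extra)


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming each character is chosen uniformly from
    the inferred alphabet. Real guessability is lower for words and patterns,
    so treat this as a policy floor rather than a strength guarantee."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def meets_policy(password: str, min_bits: float = 28.0) -> bool:
    """Entropy-based replacement for a fixed minimum length: 6 lowercase
    letters (~28.2 bits) and 5 mixed-class characters (~32.8 bits) pass,
    4 mixed-class characters (~26.2 bits) and blocklisted words do not."""
    if password.lower() in _BLOCKLIST:
        return False
    return estimate_entropy_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in ("aaaa", "abcdef", "Ab1!", "Ab1!x", "password"):
        print(f"{pw!r}: {estimate_entropy_bits(pw):.1f} bits, passes={meets_policy(pw)}")
```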
