MSUNAG Archives

Subject: Re: What are your password requirements - your input is appreciated
From: Alec Warner <[log in to unmask]>
Reply-To: [log in to unmask]
Date: Fri, 31 Jul 2009 09:11:50 -0700
Content-Type: text/plain

On Thu, Jul 30, 2009 at 1:16 PM, Charlot, Firmin<[log in to unmask]> wrote:
> Hello all,
>
> We are re-evaluating our password requirements and wondered what others are
> using on their network.
>
> For example:
>
> What is the required password length?

I've been told that a minimum of 8 characters is common (3 trillion
combinations of just [a-z0-9])

>
> Is complexity turned on?

Complexity is an odd option (windows?)  We use cracklib (on linux) to
run dictionary checks on user passwords when they go to change them.  I
would recommend something similar (you don't want users to choose
dictionary passwords is the basic premise here).

> How often do people have to change their passwords?

Once a year

>
> Can old passwords be recycled? If so, how old must they do?

Your new password cannot equal your current password; I'm not sure how
useful remembering old passwords is.  I imagine it would encourage a
class of users to (pre/post)fix their current password with something
or increment/decrement it in order to keep it easy for themselves.
Certainly it seems useful to prevent users from using a small rotation
of passwords; but sadly most password changing systems tend to not
tell the user what passwords they have used in the past and so when it
comes time to pick a new one it is a frustrating experience.

Eg. They try password one, the system tells them not to use an old
password.  They try password two, the system tells them not to use an
old password.  They try password three, the system tells them the
password is not complex enough.  They give up and append a z to their
current password (or similar).  It would be nice if the UI just said:
"Pick a new password, it cannot be any of your old passwords and here
they are 'foo' 'blar' 'baz'."

>
> Any other requirements that you are using that are not mentioned above would
> be helpful as well.

We have a blacklisted set of passwords that we disallow users from using.
Things like the company name, the user's name, the user's username, and
a set of random well-known default passwords we have used in the past.
We have a custom check for these.

>
> Thanks.
>
>
>
> Firm.
>
>
>
>
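As an added example (not code from this thread, from cracklib, or from any list member's site), here is a small Python check that applies the rules discussed in the reply above: the 8-character minimum, rejection of the current password and of trivial variations of it, a dictionary/default-password lookup, and the site blacklist of company name, username and user's name. The dictionary, the default-password list and the company name are constructed placeholders.

```python
import re

# Constructed sample data standing in for what the email describes: a
# cracklib-style dictionary check plus a site-specific blacklist (company
# name, the user's name and username, well-known default passwords).
# Every value below is illustrative, not taken from any real site.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "letmein", "football"}
KNOWN_DEFAULTS = {"changeme", "admin123", "default"}
COMPANY_NAME = "ExampleCorp"   # placeholder organisation name
MIN_LENGTH = 8                 # the 8-character minimum quoted in the thread


def _normalise(s):
    """Lower-case and drop punctuation so 'Example-Corp!' still matches."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _trivial_variant(norm_new, norm_cur):
    """True if the new password is the current one with a prefix/suffix
    added or with only its digits changed (the 'append a z' workaround)."""
    if not norm_cur:
        return False
    if norm_new.startswith(norm_cur) or norm_new.endswith(norm_cur):
        return True
    return re.sub(r"\d", "", norm_new) == re.sub(r"\d", "", norm_cur)


def check_password(new, current, username, full_name):
    """Return the list of reasons `new` is rejected; an empty list means OK."""
    problems = []
    norm = _normalise(new)
    if len(new) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if new == current:
        problems.append("same as current password")
    elif _trivial_variant(norm, _normalise(current)):
        problems.append("trivial variation of current password")
    if norm in SAMPLE_DICTIONARY or norm in KNOWN_DEFAULTS:
        problems.append("dictionary word or well-known default")
    # Blacklisted substrings: company name, username, each part of the
    # user's name (parts shorter than 3 characters would match too much).
    blacklist = [("company name", COMPANY_NAME), ("username", username)]
    blacklist += [("user's name", part) for part in full_name.split()]
    for label, value in blacklist:
        token = _normalise(value)
        if len(token) >= 3 and token in norm:
            problems.append("contains %s" % label)
    return problems
```

Returning every failing rule at once (rather than one at a time) addresses the frustrating try-again loop the reply describes.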
