On Thursday 30 July 2009 16:16:14 Charlot, Firmin wrote:
> Hello all,
>
> We are re-evaluating our password requirements and wondered what others
> are using on their network.
>
> For example:
>
> What is the required password length?
>
> Is complexity turned on?
> How often do people have to change their passwords?
>
> Can old passwords be recycled? If so, how old must they be?
>
> Any other requirements that you are using that are not mentioned above
> would be helpful as well.
>
> Thanks.
>
>
>
> Firm.

I tell users to make long complex passwords of 16 characters, so as to
make it harder for Windows pw crackers to work.

I DO NOT require any systems that I run to expire passwords.  It is
folly to do this: make people create new passwords when they don't
want to and they lose them, and far worse, post them on their
monitors so they remember them.  I've been to too many places
when I did a lot of consulting where I saw this, and it was really
scary, some of the accounts/systems that this happened on.

Instead I try to get people to focus on passwords that are weird
and specific to them, and won't be easily guessed.  So for example
the pw

       nittfagmtcttaitc

is from the phrase "now is the time for all good men to come to
the aid of their country".  I ask folks to think of a stanza from a
poem or a song and use some character of each word of it for
some great weird looking passwords.

I've always avoided using any system horrid enough to remember
old passwords, and it's a wretched security risk.  That cache has
the passwords to other accounts that people use, in all likelihood,
and if stolen represents a great security problem in and of itself.

I also try and explain how dangerous "public" systems are, and
how easily passwords can be sniffed, either in software, or hardware
keyloggers.  To help get around that problem I recommend that
people bring up an editor or notepad or anything that can take
text, and type one character in at the password prompt, then
one or more in the editor, then the next char in the password
prompt and so on, so the keylogger sees a lot of stuff where
the actual pw is intermingled with other stuff.

I'm sure I have more but I'm frazzled right now.

--STeve Andre'