Re: Secure Password Policy?

From: Sean Earp (smearp@mac.com)
Date: Fri Jan 20 2006 - 08:58:25 EST


Jesper Johansson, Security Program Manager at Microsoft, has written
a very detailed and scientific analysis regarding the relative
benefits of using passwords versus passphrases, and comes to some
interesting conclusions. It is also a good analysis of the "why"
behind specific decisions regarding setting up a Secure Password
Policy. I could not possibly do the article justice by paraphrasing,
so here are the links:

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

-Sean

On Jan 19, 2006, at 11:04 AM, Jarmon, Don R wrote:

> I consider that a Microsoft best practice would be 15 characters for users
> along with other mitigating factors such as password aging, event
> logging/alerting, and lockout capabilities. Pass phrases are normally
> easier to use / remember than trying to force into 6-8 characters.
>
> My D0g's N@me is Sp0t. 22 characters
> MDNiS. 6 characters
>
> -----Original Message-----
> From: Sulaiman, Wilmar [mailto:wsulaiman@siddharta.co.id]
> Sent: Thursday, January 19, 2006 4:12 AM
> To: pen-test@securityfocus.com
> Subject: Secure Password Policy?
>
> Dear all,
>
> I noticed that "best practice" for the Minimum password length policy is
> either 6 or 8 characters. I guess the SANS Institute considers a password
> weak if it is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8 characters).
> Is there any documentation to back it up, i.e. why the best practice for
> minimum password length is set to 6?
>
> Wilmar Sulaiman
> Risk Advisory Services
> KPMG Siddharta Siddharta & Widjaja
> 32nd Floor, GKBI Building
> 28, Jl. Jend. Sudirman
> Jakarta 10210, Indonesia
> J : +62 (0) 21 574 2333
> Fax : +62 (0) 21 574 1777
>
> **********************************************************************
> The information in this e-mail is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to this e-mail
> by anyone else is unauthorized. If you have received this communication in
> error, please address with the subject heading "Received in error," send to
> postmaster@siddharta.co.id, then delete the e-mail and destroy any copies of
> it. If you are not the intended recipient, any disclosure, copying,
> distribution or any action taken in reliance on it, is prohibited and may be
> unlawful. Any opinions or advice contained in this e-mail are subject to the
> terms and conditions expressed in the governing Siddharta Siddharta &
> Widjaja/PT Siddharta Consulting client engagement letter. Opinions,
> conclusions and other information in this e-mail and any attachments that do
> not relate to the official business of the firm are neither given nor
> endorsed by it.
>
> Siddharta Siddharta & Widjaja/PT Siddharta Consulting cannot guarantee that
> e-mail communications are secure or error-free, as information could be
> intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete,
> or contain viruses.
>
> Siddharta Siddharta & Widjaja - Registered Public Accountants, registered in
> Indonesia, is a member firm of KPMG International. PT Siddharta Consulting,
> a limited liability company registered in Indonesia, is a member firm of
> KPMG International. KPMG International is a Swiss cooperative of which all
> KPMG firms are members. KPMG International provides no professional services
> to clients. Each member firm is a separate and independent legal entity and
> each describes itself as such.
>
> This footnote also confirms that this e-mail message has been swept by
> MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com
> for more information.
> **********************************************************************
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers
> do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
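The quoted exchange above sets a 22-character passphrase beside a 6-character acronym and asks where the 6- and 8-character minimums come from. The Python below is an added example, not code from the original thread or from Microsoft's articles: it checks a candidate against a 15-character minimum (the figure in Don Jarmon's message) and reports two entropy estimates, the per-character brute-force keyspace an attacker faces when all they know is the length and character classes, and a per-word estimate for an attacker who knows the string is a phrase of dictionary words. The 20,000-word vocabulary, the 10^9 guesses/second rate and the word-splitting regex are assumptions chosen for illustration, not figures from the page.

```python
import math
import re
import string

# Character classes for the per-character (pure brute-force) keyspace estimate.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",   # 33 printable symbols incl. space
}

# Assumptions (not from the thread): attacker wordlist size and guess rate.
VOCAB_SIZE = 20_000            # words plus leet variants in the attacker's list
GUESSES_PER_SECOND = 1e9       # hypothetical offline cracking rate
SECONDS_PER_YEAR = 365.25 * 86400


def classes_used(pw):
    """Set of character-class names that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def alphabet_size(pw):
    """Size of the smallest class-union alphabet that covers pw."""
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def bruteforce_bits(pw):
    """Bits of keyspace if the attacker knows only length and classes:
    log2(alphabet ** length). Empty input scores 0."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_bits(pw, vocab_size=VOCAB_SIZE):
    """Bits if the attacker knows pw is a phrase of dictionary words (leet
    substitutions assumed to be in the wordlist): one pick per word.
    Returns None when pw does not look like a multi-word phrase, so an
    acronym like 'MDNiS.' is not scored as a single dictionary word."""
    words = re.findall(r"[A-Za-z0-9@$!']+", pw)   # heuristic tokenizer
    if len(words) < 2:
        return None
    return len(words) * math.log2(vocab_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years to try half the keyspace (expected work) at the given rate."""
    return (2.0 ** bits) / 2 / rate / SECONDS_PER_YEAR


def evaluate(pw, min_length=15):
    """Apply a length-based policy and report both entropy estimates.
    The effective figure is the weaker of the estimates that apply."""
    brute = bruteforce_bits(pw)
    phrase = passphrase_bits(pw)
    effective = brute if phrase is None else min(brute, phrase)
    return {
        "length": len(pw),
        "meets_min_length": len(pw) >= min_length,
        "classes": sorted(classes_used(pw)),
        "bruteforce_bits": round(brute, 1),
        "passphrase_bits": None if phrase is None else round(phrase, 1),
        "effective_bits": round(effective, 1),
        "years_to_exhaust": years_to_exhaust(effective),
    }


if __name__ == "__main__":
    # Constructed samples: the two strings from the quoted message plus an
    # 8-character lowercase password of the kind a 6/8 minimum permits.
    for sample in ["My D0g's N@me is Sp0t.", "MDNiS.", "password"]:
        print(f"{sample!r}: {evaluate(sample)}")
```

The two estimates make the point of the thread: the 22-character phrase looks like roughly 144 bits to a blind brute-forcer but only about 71 bits to an attacker with a wordlist, yet even that lower figure is far above the roughly 38 bits of either the 6-character acronym or an 8-character lowercase password. A length minimum sized for phrases raises the attacker's cost more than adding complexity classes to a short password does, and any policy check should score a phrase against the dictionary model rather than the per-character one.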




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT