Message-ID: <20060312183202.M79019@ubzr.zsa.bet>
Date: Mon Mar 13 00:43:35 2006
From: measl at mfn.org (J.A. Terranson)
Subject: Yahoo security give blogger the thumbs up


On Sun, 12 Mar 2006, SO SECURITY RESEARCH INSTITUTE wrote:

> ADP
> were unavailable for comment at time of this message being submitted to
> Full-Disclosure mailing list. http://tinyurl.com/plqt3

This URL describes ADP's not unreasonable password policy (8-14 characters,
must contain special chars, no incrementing or decrementing chars, and no
repeats).  Sure, it's annoying, but it's also good practice.  At least
they haven't gone over the edge, like, oh, a large tier-1 NSP with a 6
letter name that has all the above requirements, AND:

	Password shall change EVERY 90 DAYS!;
	password shall not ever repeat;
	password shall not be derived from any dictionary word
	  (!!! - this alone makes the system unusable - !!!)
	  no passwords like   "#V3rify||M3||n0w#"   because
	  there are three English derived words.  Ever try and
	  actually USE such a gawd awful system?

	The KICKER though was this: the above requirements are for several
discrete systems (domain login, RADIUS login, VPN login, etc), and NONE of
these systems shared credentials - so you had to change them ALL every
three months, AND keep them straight!

As an industry, we need to come to terms with the concept that a bad
password kept secret is better than a great password written down on every
available surface because it changes every 3 months and has irrational
requirements.

ADP seems to have found a good middle ground policy.  Revealing that
policy hurts nobody in any way - ADP/Yahoo security is not compromised by
this disclosure - so what's the point?

-- 
Yours,

J.A. Terranson
sysadmin@....org
0xBD4A95BF


'The right of self defence is the first law of nature: in most governments
it has been the study of rulers to confine this right within the narrowest
limits possible. Wherever standing armies are kept up, and the right of
the people to keep and bear arms is, under any colour or pretext
whatsoever, prohibited, liberty, if not already annihilated, is on the
brink of destruction.'

St. George Tucker
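As an added example, not part of the message above nor any published ADP or NSP policy text, the rules the post lists turned into a small Python checker. The length, special-character, sequence and repeat rules follow the ADP description; the stricter variant adds the "never reuse" and "no dictionary-derived word" rules attributed to the unnamed NSP. The tiny word list, the leetspeak-to-letters mapping and the reading of "no repeats" as "no consecutive duplicate character" are assumptions made for the example.

```python
import re

# Constructed mini word list standing in for a real dictionary (assumption).
WORDLIST = {"verify", "me", "now", "password", "secret", "admin"}

# Leetspeak substitutions undone before dictionary lookup (assumption, not a
# documented rule of either policy).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?|\\`~")


def has_sequence(pw, run=3):
    """True if `run` consecutive characters step +1 or -1 in code point
    (e.g. 'abc', 'cba', '123', '321'): the 'incrementing or decrementing' rule."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeat(pw):
    """True if the same character appears twice in a row
    (our reading of 'no repeats'; assumption)."""
    return any(pw[i] == pw[i + 1] for i in range(len(pw) - 1))


def dictionary_words(pw, min_len=2):
    """Dictionary words found inside pw after lowering, undoing leetspeak and
    dropping separators, so '#V3rify||M3||n0w#' yields verify, me and now."""
    normalised = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return [w for w in sorted(WORDLIST) if len(w) >= min_len and w in normalised]


def check_adp_style(pw):
    """The policy the post attributes to ADP; returns the list of violations
    (an empty list means the password is accepted)."""
    problems = []
    if not 8 <= len(pw) <= 14:
        problems.append("length must be 8-14 characters")
    if not any(c in SPECIAL for c in pw):
        problems.append("must contain a special character")
    if has_sequence(pw):
        problems.append("contains an incrementing or decrementing run")
    if has_repeat(pw):
        problems.append("contains a repeated character")
    return problems


def check_nsp_style(pw, history=()):
    """The stricter policy the post describes: everything above, plus no reuse
    (history = previously used passwords) and no dictionary-derived content."""
    problems = check_adp_style(pw)
    if pw in history:
        problems.append("password was used before")
    words = dictionary_words(pw)
    if words:
        problems.append("derived from dictionary words: " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # Constructed candidates: one that passes both, the post's own example,
    # and one that trips the sequence and repeat rules.
    for candidate in ("Tr0ub4d&r!9x", "#V3rify||M3||n0w#", "abc123!!x"):
        print(candidate, "->", check_nsp_style(candidate) or "accepted")
```

Running it shows the point the post is making: a password a person could actually remember, "#V3rify||M3||n0w#", is refused by the dictionary rule (three words surface once the leetspeak is undone), while a random-looking string passes every check and is the one most likely to end up on a sticky note.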
