[ale] Password standards

JD jdp at algoloma.com
Tue Oct 18 15:16:19 EDT 2011


You might want to ask this question on the DC404 list. Experts over
there, they are.

Why are you still using passwords at all?
Just to support older systems?

I thought most security-conscious organizations had switched to
certificate-based authentication a few years ago wherever they could,
and used a smart card with a PIN/passphrase to access the certs.




On 10/18/2011 02:23 PM, Chris Fowler wrote:
> Okay, I think the ale box will flood after this.
> 
> I'm working on some changes to our system to support a huge list of
> password creation requirements from a government agency.  Luckily I do
> not have to do them all.  I only do what we can do and then we get a
> waiver for the other requirements.
> 
> Example is: Password must contain at least one of these: '!@$#'
> 
> I do not want this thread to turn into a discussion about the best
> passwords or why those in gov think they know the best passwords. IMO,
> I don't like obtuse passwords because you motivate people to write them
> down.
> 
> While doing this I became curious as to the source of their requirements
> and if there was a 'best practices' document anywhere I could use as a
> standard for other things.
> 
> I'm having to check for things like:
> 
> Must not contain the user name
> Must contain a number
> Must contain a special char '!@#$'
> Must not contain two consecutive like characters 'aa'
> Must contain at least one capitalized letter.
> 
> Is there a spec that the passwd program conforms to?  I know that it
> will provide a warning but not an error.  I have even seen web pages that
> gauge the "strength" based on content.
> 
> Looking for something that may be EASY TO READ :) and written down.
> 
> Chris
> 
> 
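The five checks Chris lists, implemented as one validator; this is an added example, not code from either poster or from any passwd implementation. It assumes the special-character set is exactly the four characters quoted ('!@#$') and compares the user name case-insensitively, since a mixed-case rendering of the login would otherwise slip through.

```python
import re

# The special-character set named in the requirements (assumption: exactly these four)
SPECIAL_CHARS = "!@#$"


def password_violations(password: str, username: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes.

    Each check corresponds to one line of the quoted requirements. Returning
    every failed rule (rather than stopping at the first) lets the caller show
    the user everything that needs fixing in one round.
    """
    violations = []

    # Must not contain the user name. Case-insensitive: "chris" inside
    # "Chris2011!" is the same weakness as the exact string.
    if username and username.lower() in password.lower():
        violations.append("contains user name")

    # Must contain a number
    if not any(ch.isdigit() for ch in password):
        violations.append("no digit")

    # Must contain a special char from the quoted set
    if not any(ch in SPECIAL_CHARS for ch in password):
        violations.append("no special character from " + SPECIAL_CHARS)

    # Must not contain two consecutive like characters ('aa', '11', ...).
    # (.)\1 matches any character immediately followed by itself.
    if re.search(r"(.)\1", password):
        violations.append("two consecutive identical characters")

    # Must contain at least one capitalized letter
    if not any(ch.isupper() for ch in password):
        violations.append("no capital letter")

    return violations


def is_compliant(password: str, username: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not password_violations(password, username)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials
    for pw in ["Chris2011!", "Wr0ng#pass", "Tr4in@stop", "abc"]:
        print(pw, "->", password_violations(pw, "chris") or "OK")
```

Note that the validator reports an error rather than the warning-only behaviour Chris describes for passwd; the policy decision about which failures to waive stays outside this function.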