We invariably suggest that passwords have the following characteristics:
- At least seven (7) characters long
- At least one upper case character, more than one is better
- At least one number
- At least one special character
- A life of not more than 42 days (that's 6 weeks for those who are numerically challenged)
- Mandatory password change every 42 days
- Passwords cannot contain any part of the username
- Passwords cannot be reused for at least 13 months.
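The list above is a policy, and a policy is only useful if something enforces it. The following is an added example, not code from the original post, that implements all nine rules as a validator: composition checks, a username check, a salted-hash password history for the 13-month reuse rule, and an age check for the 42-day rotation. Two details the list leaves open are assumptions of mine: "any part of the username" is read as any case-insensitive run of three or more characters from the username (MIN_USERNAME_FRAGMENT), and "special character" means ASCII punctuation. All function and record names are my own. One caveat a practitioner should weigh: current NIST SP 800-63B guidance drops forced periodic rotation and composition rules in favour of length and screening against known-breached passwords, so rules 2 to 7 are stricter than what that standard now recommends.

```python
"""Validator for the nine-rule password policy listed above (added example)."""
import calendar
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 7                       # rule 1: at least seven characters
MAX_AGE_DAYS = 42                    # rules 6-7: change every 42 days
REUSE_WINDOW_MONTHS = 13             # rule 9: no reuse for 13 months
MIN_USERNAME_FRAGMENT = 3            # assumption: "part of the username" = 3+ chars
SPECIALS = set(string.punctuation)   # assumption: punctuation counts as "special"
PBKDF2_ROUNDS = 100_000


@dataclass
class PasswordRecord:
    """One previously set password, kept as salted PBKDF2 so history holds no plaintext."""
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class PasswordHistory:
    records: list = field(default_factory=list)

    def latest(self):
        return max(self.records, key=lambda r: r.set_at, default=None)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _months_before(dt: datetime, months: int) -> datetime:
    """Calendar-correct 'N months ago', clamping the day for short months."""
    idx = dt.year * 12 + dt.month - 1 - months
    year, month0 = divmod(idx, 12)
    month = month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def contains_username_fragment(password: str, username: str) -> bool:
    """Rule 8: any MIN_USERNAME_FRAGMENT-long slice of the username found in the password."""
    pw, user = password.lower(), username.lower()
    n = min(MIN_USERNAME_FRAGMENT, len(user))
    # Checking slices of exactly n characters is enough: a longer match contains a shorter one.
    return any(user[i:i + n] in pw for i in range(len(user) - n + 1))


def composition_errors(password: str, username: str) -> list:
    """Rules 1-5 and 8; one message per violated rule, empty list when all pass."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case character")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    if username and contains_username_fragment(password, username):
        errors.append("contains part of the username")
    return errors


def is_reused(password: str, history: PasswordHistory, now: datetime) -> bool:
    """Rule 9: reject a password that matches any entry set within the last 13 months."""
    cutoff = _months_before(now, REUSE_WINDOW_MONTHS)
    return any(
        hmac.compare_digest(_digest(password, r.salt), r.digest)
        for r in history.records if r.set_at >= cutoff
    )


def is_expired(history: PasswordHistory, now: datetime) -> bool:
    """Rules 6-7: the current password must be changed once it is older than 42 days."""
    latest = history.latest()
    return latest is not None and now - latest.set_at > timedelta(days=MAX_AGE_DAYS)


def validate_new_password(password: str, username: str,
                          history: PasswordHistory, now: datetime) -> list:
    errors = composition_errors(password, username)
    if is_reused(password, history, now):
        errors.append(f"reused within {REUSE_WINDOW_MONTHS} months")
    return errors


def record_password(password: str, history: PasswordHistory, now: datetime) -> None:
    salt = os.urandom(16)
    history.records.append(PasswordRecord(salt, _digest(password, salt), now))


def demo() -> dict:
    """Constructed walk-through: user 'jsmith' sets a password, then tries several changes."""
    now = datetime(2024, 1, 15)
    hist = PasswordHistory()
    first = "Tr0ub4dor&3"
    record_password(first, hist, now)
    later = now + timedelta(days=43)
    return {
        "expired_after_43_days": is_expired(hist, later),
        "reuse_rejected": validate_new_password(first, "jsmith", hist, later),
        "username_rejected": validate_new_password("Jsmith#2024", "jsmith", hist, later),
        "weak_rejected": validate_new_password("company", "jsmith", hist, later),
        "reuse_ok_after_13_months": validate_new_password(
            first, "jsmith", hist, now + timedelta(days=400)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The history deliberately stores only salted PBKDF2 digests, so the reuse check costs one key derivation per in-window entry; that is the right trade, because a plaintext or unsalted history is exactly the kind of file an intruder harvests first. The 13-month window is computed on the calendar rather than as a fixed day count so it matches the stated policy on every month length.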
One of our clients insisted on keeping passwords SIMPLE. The administrative password was a subset of the company name and all users shared the same short password. They held firm and nothing we said could make them change their mind -- that is UNTIL
- There was a requirement to reboot their server
- The system immediately rejected the administrator username and password when entered
- No amount of guessing resulted in a username/password combo that worked
- The perpetrator also hijacked disk space and turned off all administrative reporting so that network administrators would have no idea what was happening
- They took a two day outage while the server was reloaded.
Was it worth what happened to keep things simple? I argue NO.