
RE: Provisioning, Password Strength (was RE: comments)



> Actually, it sounds like two separate requirements:
>  (1) Enforce the selection of strong passwords.
>  (2) Support ACS servers.
> I could still use a definition of "strong".

Well, not being static would be a good first step. ;-)

For me, within the context of a network element, a strong password
minimally consists of some mix of the following controls, with []
being my recommendation for the default:
Must be at least [6-8] characters long
Must contain [3] of the following elements
   At least [1] Lower case alphabetic character
   At least [1] Upper case alphabetic character
   At least [1] Numeric character
   At least [1] Special character
Must not contain the associated account identifier (user name)
Must differ by at least [3] characters from the previous password
Must not have been used in the last [3] password iterations and/or
[90] days

None of which should be challenging for any device to implement.
The benefit for me is twofold.
(1) It gets the device to support the minimum set of controls that
I generally require from a policy perspective. I don't actually
care what the default setting is, that's really a procedural or
personnel issue to deal with during initial configuration. But I
do care about having the option to enforce any policy that I may
want to. And I _really_ want this functionality to be present based
on my experiences from being audited and being an auditor.
(2) Yes, this could all be done on an ACS. And at this time there
is another requirement in the document mandating all devices
support ACS. However, it is an assumption to believe that the
network element has accessibility to an ACS. What if my management
interface isn't routable? What if I'm not in a normal operating
state? What if I am that mom and pop shop or home user wanting
access from that cheap cable connection? Those are all situations
that I want options for in my operational framework. Even if I only
ever use the functionality for one local account that is only used
in disaster recovery situations.

-Fred Budd
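The control set listed in the message above, as an added worked example (not code from the list or its author): a checker that evaluates a candidate password against those controls with the bracketed defaults. Assumptions: [6-8] is taken as 8, "differ by at least 3 characters" is measured as Levenshtein edit distance, and the history list is ordered newest first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Bracketed defaults from the message; [6-8] is taken as 8 here (assumption)."""
    min_length: int = 8
    required_classes: int = 3   # of the four character classes checked below
    min_distance: int = 3       # "differ by at least N characters": Levenshtein distance (assumption)
    history_count: int = 3      # not reused in the last N iterations ...
    history_days: int = 90      # ... and/or within the last N days


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, username: str, history: List[Tuple[str, datetime]],
                   policy: PasswordPolicy = PasswordPolicy(),
                   now: Optional[datetime] = None) -> List[str]:
    """Return the list of violated controls; an empty list means the password is acceptable.
    history holds (password, set_at) pairs, newest first. A real device would keep hashes for
    the reuse check; the previous cleartext is only available at change time, when the user
    supplies it, which is when the distance check can run."""
    now = now or datetime.now()
    failures = []
    if len(candidate) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate))
    if sum(classes) < policy.required_classes:
        failures.append(f"fewer than {policy.required_classes} character classes")
    if username and username.lower() in candidate.lower():
        failures.append("contains the account identifier")
    if history and edit_distance(candidate, history[0][0]) < policy.min_distance:
        failures.append(f"differs from previous password by fewer than {policy.min_distance} characters")
    # "and/or": reuse is rejected if the password is in the last N iterations OR within N days
    recent = {pw for pw, _ in history[:policy.history_count]}
    recent |= {pw for pw, when in history if now - when <= timedelta(days=policy.history_days)}
    if candidate in recent:
        failures.append("reused within the history window")
    return failures
```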