RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Michael Edwards <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Tue, 14 Dec 2004 14:10:17 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (51 lines)

At 12:47 PM 12/14/2004, Joseph Showl wrote:
>I have just been informed by our IS dept that according to the SOX act
>all future passwords have to be six characters long with one of
>the characters being numeric. I just read in a post yesterday that the
>SOX act isn't that specific concerning passwords. Could someone provide
>me with the specific guidelines for this or an internet connection where
>I can find out what is required concerning passwords. Any help that you
>can provide will be appreciated. Thank you.

Well, most of what I could find in a quick search refers to complying with
ISO 17799. I found some summaries in a compliance matrix here:
http://documents.iss.net/marketsolutions/SOXISO17799Brochure.pdf

It mentions:
Section A.9.3.1 - Password use - "Users shall be required to follow good
security practices in the selection and use of passwords."

Section A.9.2.3 - User password management - "The allocation of passwords
shall be controlled through a formal management process."

Section A.9.5.4 - Password management system - "Password management systems
shall provide an effective, interactive facility which aims to ensure
quality passwords."

It makes sense a general spec wouldn't spell it out, as best practices on
what's a good password will change. It is generally recommended to make
passwords alpha-numeric, as this makes them more difficult to crack.
However, I've also read (and agree) that it ignores the human factor, in
that if passwords are changed too frequently or made too difficult to
remember, users will tend to cause the system to fall down due to usability
issues - that is to say, they'll write it down on a post-it note attached
under their keyboard.

One suggestion that I recall reading, and like, is skipping the numeric /
non-alpha requirements, but making the password - or passphrase - a much
longer (say, 15 character) minimum length. This ups the possible
combinations to be equal to or greater than those of a shorter alpha-numeric password,
but allows folks to pick a nonsense phrase they can remember without
writing it down - like "vacuumthoukitty". The weak point here is it's still
possible to focus cracking attempts by combining dictionary words, but the
possible combinations are large enough for current computer speeds, if I
remember the article correctly.


Michael Edwards
Blank & Associates P.S.  -  206.256.9699 x36
2001 Western Avenue, Suite 250  -  Seattle, Washington 98121

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
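The keyspace comparison in Michael's post (a 15-character lowercase passphrase versus a shorter alpha-numeric password, and the weak point that an attacker can instead combine dictionary words) can be checked with a few lines of arithmetic. The following is an added example and is not code from the original message or from any of the products mentioned; the policy definitions (36-character alphabet for the six-character rule, 62 for an eight-character mixed-case rule, 26 for the lowercase passphrase) and the 10,000-word attacker dictionary are assumptions chosen for illustration.

```python
"""Compare password policies by the size of the space an attacker must search.

Added example; the policies and dictionary size below are assumptions, not
figures from the original post or from ISO 17799.
"""
import math
from dataclasses import dataclass

DIGITS = 10  # number of digit characters in any of the alphabets below


@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int        # minimum (and, for the keyspace estimate, assumed) length
    alphabet: int       # size of the character set users draw from
    require_digit: bool # at least one numeric character required?


# Constructed policies for comparison (assumptions, not from the post).
SIX_DIGIT = Policy("6 chars, one digit required", 6, 36, True)
EIGHT_MIXED = Policy("8 chars, mixed case, one digit required", 8, 62, True)
LONG_PHRASE = Policy("15-char lowercase passphrase", 15, 26, False)


def keyspace(min_len, alphabet, require_digit=False):
    """Number of distinct passwords of exactly min_len characters.

    A 'must contain a digit' rule *shrinks* the space: every all-letter
    string is excluded, so subtract (alphabet - DIGITS) ** min_len.
    """
    total = alphabet ** min_len
    if require_digit:
        total -= (alphabet - DIGITS) ** min_len
    return total


def policy_keyspace(policy):
    return keyspace(policy.min_len, policy.alphabet, policy.require_digit)


def word_combo_keyspace(words, dictionary_size):
    """Search space if the attacker guesses concatenations of dictionary
    words instead of raw characters (the weak point Michael mentions)."""
    return dictionary_size ** words


def bits(n):
    """Express a keyspace as bits of work for an exhaustive search."""
    return math.log2(n)


def meets_policy(password, policy):
    """Check only the two rules modelled here: length and digit presence.
    Character-set membership is not enforced, since both sample alphabets
    accept lowercase letters."""
    if len(password) < policy.min_len:
        return False
    if policy.require_digit and not any(c.isdigit() for c in password):
        return False
    return True


def compare(passphrase, words_in_phrase, dictionary_size=10_000):
    """Return bits of work for each policy and for the word-combination
    attack against a passphrase built from `words_in_phrase` words."""
    result = {p.name: round(bits(policy_keyspace(p)), 1)
              for p in (SIX_DIGIT, EIGHT_MIXED, LONG_PHRASE)}
    result["dictionary attack on passphrase"] = round(
        bits(word_combo_keyspace(words_in_phrase, dictionary_size)), 1)
    result["passphrase meets long-phrase policy"] = meets_policy(passphrase, LONG_PHRASE)
    return result


if __name__ == "__main__":
    # "vacuumthoukitty" is the example from the post: 15 letters, 3 words.
    for k, v in compare("vacuumthoukitty", words_in_phrase=3).items():
        print(f"{k:45s} {v}")
```

Run as a script it prints the bits of work for each policy. Two things the post's reasoning implies but does not spell out come out of the numbers: the "one digit required" rule actually removes all-letter strings and so slightly shrinks the six-character space (about 30.8 bits rather than 31.0), and a three-word phrase drawn from a 10,000-word list costs an attacker roughly 40 bits of work, more than the six-character policy but less than an eight-character mixed-case one, which is why the choice of uncommon or nonsense words matters.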
