[24677] in bugtraq


Re: Windows 2000 password policy bypass possibility

daemon@ATHENA.MIT.EDU (Anthony DeRobertis)
Wed Mar 13 21:45:05 2002

Date: Tue, 12 Mar 2002 07:51:46 -0500
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v481)
Cc: "'Leonid Mamtchenkov'" <leonid@francoudi.com>, bugtraq@securityfocus.com
To: "Bradley, Tony" <tony.bradley@eds.com>
From: Anthony DeRobertis <asd@suespammers.org>
In-Reply-To: <7FD257BF8564D4119DA800508BDF07AA03799E68@usahm012.exmi01.exch.eds.com>
Message-Id: <E980C296-35B7-11D6-BC28-00039355CFA6@suespammers.org>
Content-Transfer-Encoding: 7bit


On Friday, March 8, 2002, at 06:33 PM, Bradley, Tony wrote:

> To combat this you also need to set a minimum password age in your policy.
> If you set the minimum password age to 1 month they will not be able to
> reset their password for at least 1 month each time and then you guarantee
> that it will be 18 months until they can re-use the old password again.

Of course, if a user happens to find out or suspect his password 
is compromised, then he can't change it, either.

Cycling through 18 passwords takes a fair amount of effort. Even 
more if you set the minimum to something like ten minutes. But 
at least ten minutes probably doesn't get in the way of users 
who need to change their password because they lost the slip of 
paper they wrote it down on.

Also, remember, the more often you make people change their 
passwords, the more likely they are to start writing them down. 
And the more valuable the stored password history is likely to 
become.
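As an added example that is not part of the original message or of either poster's work: the exchange above is about one check a practitioner would want to automate, namely whether a password history is paired with a minimum password age. The Python below parses the output of `net accounts` (the sample text is constructed here with the field wording Windows prints, not captured from a real host), flags a history that can be cycled back-to-back because the minimum age is 0, and estimates the time the cycling takes once a minimum age is set. The function names and the `sample_policy` helper are this example's own; `net accounts` reports the minimum age in whole days, so the ten-minute figure from the message cannot be expressed through it.

```python
"""Audit a Windows password policy (as printed by `net accounts`) for the
history-cycling weakness: a history of N old passwords only holds if a minimum
password age stops a user from changing the password N+1 times in a row."""
import re
from datetime import timedelta

# Map of the `net accounts` fields this audit needs to short names.
_FIELDS = {
    "Minimum password age (days)": "min_age_days",
    "Maximum password age (days)": "max_age_days",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history_length",
}


def sample_policy(min_age_days, history_length):
    """Constructed `net accounts` output (example data, not from a real host).
    Windows prints 'None' rather than 0 when no history is kept."""
    history = str(history_length) if history_length else "None"
    return (
        "Force user logoff how long after time expires?:       Never\n"
        f"Minimum password age (days):                          {min_age_days}\n"
        "Maximum password age (days):                          42\n"
        "Minimum password length:                              8\n"
        f"Length of password history maintained:                {history}\n"
        "Lockout threshold:                                    Never\n"
        "Lockout duration (minutes):                           30\n"
        "Lockout observation window (minutes):                 30\n"
        "Computer role:                                        WORKSTATION\n"
        "The command completed successfully.\n"
    )


def parse_net_accounts(text):
    """Return the numeric policy fields as a dict; None/Never/Unlimited -> 0."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        name = _FIELDS.get(key.strip())
        if not sep or name is None:
            continue
        value = value.strip()
        policy[name] = int(value) if re.fullmatch(r"\d+", value) else 0
    return policy


def audit_history_bypass(policy):
    """Decide whether the history can be cycled and how long cycling takes."""
    history = policy.get("history_length", 0)
    min_age = policy.get("min_age_days", 0)
    # Push the old password out of the history (N changes), then set it again.
    changes_needed = history + 1
    # Every change after the first has to wait out the minimum age.
    cycle_time = timedelta(days=history * min_age)
    findings = []
    if history == 0:
        findings.append("no password history kept: an old password can be reused at once")
    elif min_age == 0:
        findings.append(f"history of {history} but minimum age 0: "
                        f"{changes_needed} back-to-back changes restore the old password")
    else:
        findings.append(f"cycling the history takes at least {cycle_time.days} days")
        # The trade-off raised in the reply: a user who suspects compromise
        # cannot change the password on their own until the minimum age passes.
        findings.append(f"a self-service change is blocked for {min_age} day(s) after each change")
    return {
        "history_length": history,
        "min_age_days": min_age,
        "changes_needed": changes_needed,
        "cycle_time": cycle_time,
        "bypassable": history == 0 or min_age == 0,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("weak", sample_policy(0, 18)), ("fixed", sample_policy(30, 18))):
        result = audit_history_bypass(parse_net_accounts(text))
        print(label, "bypassable" if result["bypassable"] else "not bypassable")
        for finding in result["findings"]:
            print("  -", finding)
```

Running it prints the weak sample (history 18, minimum age 0) as bypassable with 19 changes, and the fixed sample (minimum age 30 days) as needing 540 days to cycle, which is the eighteen months figured in the quoted message, together with the 30-day self-service lockout that is the cost of that setting. On a real host, feed `subprocess.run(["net", "accounts"], capture_output=True, text=True).stdout` to `parse_net_accounts` instead of the constructed sample.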

