On Monday 03 July 2006 17:51, STeve Andre' wrote:
> On Monday 03 July 2006 17:37, Jeff Simmons wrote:
> > A client is setting up a password policy, and would like to prevent users
> > from reusing a password for a period of time (four changes ninety days
> > apart). Is there a way to do this, either within the OS or via a program
> > in ports? I've been looking for quite a while and haven't found anything.
>
> I can't resist pointing out that this is an AWFUL policy. You will be
> remembering people's passwords, a history of them, which are
> very likely to be used on other systems. That's really bad. I wonder
> (at least in the USA) what would happen to your company if that
> data was ever stolen?
>
> --STeve Andre'
As I mentioned in another post, these are requirements imposed by various security auditing firms. So from the company's (and my) standpoint, we've got some coverage, since we were required to retain the data.

In general, I agree with most of what I've seen from these firms. I do question the basic assumptions, since if I have an audit preparation document, I've already got a pretty good basic blueprint of a certified firm's security setup and policies. And some of the policies I personally disagree with. But overall, it's probably a Good Thing (c), it's getting a lot of firms to improve what up till now have been weak 'security' arrangements.

An employee of one of these firms claimed that no company that had passed one of their audits had ever been compromised. This will, of course, change. And the result will be modifications to the required security policies. After all, security isn't rocket science, it's chess.

I might also add that all of the auditing firms I've dealt with look with favor on the deployment of OpenBSD as opposed to some other OSs.

--
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
--My Life With The Thrill Kill Kult
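The mechanism Jeff asks about (reject any of the last four passwords, rotate every ninety days) can be implemented without keeping the passwords themselves, which is the core of STeve's objection: the history only needs to hold a random salt plus a slow-hash digest per entry, and a candidate is checked by re-deriving against each retained salt. The following is an added example, not code from this thread or from OpenBSD; the policy constants, the reference date `EPOCH`, and all function names are my own assumptions, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy knobs, chosen to match the thread: four changes, ninety days apart (assumed values).
HISTORY_DEPTH = 4
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 60_000        # slow KDF: a stolen history still costs real effort to guess against offline
EPOCH = datetime(2006, 7, 3)  # constructed reference date used by the demo below


@dataclass
class HistoryEntry:
    salt: bytes          # random per entry, so the same password yields a different digest each time
    digest: bytes        # PBKDF2-HMAC-SHA256(password, salt); the password itself is never stored
    changed_at: datetime


@dataclass
class PasswordHistory:
    entries: list = field(default_factory=list)  # oldest first, never longer than HISTORY_DEPTH


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(entry: HistoryEntry, password: str) -> bool:
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(entry.digest, _derive(password, entry.salt))


def password_expired(history: PasswordHistory, now: datetime) -> bool:
    """True when the current password is MAX_AGE or older (or no password was ever set)."""
    if not history.entries:
        return True
    return now - history.entries[-1].changed_at >= MAX_AGE


def check_candidate(history: PasswordHistory, candidate: str) -> tuple:
    """Return (ok, reason); a candidate matching any retained entry is rejected."""
    for entry in history.entries:
        if _matches(entry, candidate):
            return False, "reused: matches one of the last %d passwords" % HISTORY_DEPTH
    return True, "ok"


def change_password(history: PasswordHistory, candidate: str, now: datetime) -> tuple:
    """Run the history check, then record the change (digest only) and drop entries beyond the depth."""
    ok, reason = check_candidate(history, candidate)
    if not ok:
        return ok, reason
    salt = os.urandom(16)
    history.entries.append(HistoryEntry(salt, _derive(candidate, salt), now))
    del history.entries[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH entries
    return True, "changed"


if __name__ == "__main__":
    # Constructed walk-through: the second "hunter2" is refused because it is still in the history.
    h = PasswordHistory()
    t = EPOCH
    for pw in ("hunter2", "hunter3", "hunter2"):
        print(pw, change_password(h, pw, t))
        t += MAX_AGE
```

With a depth of four and ninety-day rotation a password cannot come back for roughly a year, which is the effect the auditors are asking for. The caveat STeve raises does not disappear entirely: a stolen history of salted digests is still a list of guessable secrets, which is why the derivation is deliberately slow and why the file holding it deserves the same protection as the system's own password database.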