Saturday, 12 December 2009 12:30

Password Standards

Written by Paul Moorman

Does anyone know if there is an official standard (e.g. FIPS, ANSI, W3C, etc.) for what an application or directory service must provide in the way of password standards (e.g. length, composition, revocation, duration, etc.)? I'm looking for something that I can use in RFPs to vendors to get them all on the same page.

Currently the implementations within Active Directory, SAP and other systems and applications use a mismatched set of criteria. For example, AD can accept a special character as the first character of a password, but SAP can't. The number of systems, together with wanting to use a common Password Reset tool (which has its own quirky implementation), leads to adopting a Least Common Denominator approach.
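The Least Common Denominator approach described above, worked through as an added example (not code from the original post or from any vendor): each system's acceptance rules are modelled as a policy, the reset tool enforces their intersection, and the combination is checked for satisfiability. The rule sets, names and thresholds below are constructed placeholders; only the leading-special-character difference between AD and SAP comes from the post.

```python
import string
from dataclasses import dataclass
CLASSES = ("lower", "upper", "digit", "special")

def _is_class(ch, cls, specials):
    return {"lower": ch.islower(), "upper": ch.isupper(),
            "digit": ch.isdigit(), "special": ch in specials}[cls]

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    min_classes: int             # how many of CLASSES must appear
    allow_leading_special: bool  # the AD-vs-SAP difference from the post
    allowed_specials: frozenset  # special characters the system accepts at all

    def violations(self, pw: str) -> list:
        """Every rule the password breaks; an empty list means accepted."""
        problems = []
        if not self.min_length <= len(pw) <= self.max_length:
            problems.append(f"length {len(pw)} outside {self.min_length}-{self.max_length}")
        present = {c for ch in pw for c in CLASSES if _is_class(ch, c, self.allowed_specials)}
        if len(present) < self.min_classes:
            problems.append(f"only {len(present)} character classes, need {self.min_classes}")
        bad = sorted({ch for ch in pw if not any(_is_class(ch, c, self.allowed_specials) for c in CLASSES)})
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
        if pw and pw[0] in string.punctuation and not self.allow_leading_special:
            problems.append("leading special character not accepted")
        return problems

def least_common_denominator(*policies: PasswordPolicy) -> PasswordPolicy:
    """Strictest value of each rule, so a password it accepts passes every system."""
    return PasswordPolicy(
        name="+".join(p.name for p in policies),
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_classes=max(p.min_classes for p in policies),
        allow_leading_special=all(p.allow_leading_special for p in policies),
        allowed_specials=frozenset.intersection(*(p.allowed_specials for p in policies)))

def is_satisfiable(p: PasswordPolicy) -> bool:
    # The intersection can be empty, e.g. one system's minimum above another's maximum.
    return p.min_length <= p.max_length and (p.min_classes < 4 or bool(p.allowed_specials))

# Constructed rule sets (placeholders, not the vendors' real defaults).
AD_LIKE = PasswordPolicy("AD", 8, 127, 3, True, frozenset(string.punctuation))
SAP_LIKE = PasswordPolicy("SAP", 8, 40, 3, False, frozenset("!@#$%^&*"))
RESET_TOOL = PasswordPolicy("ResetTool", 10, 32, 2, True, frozenset("!@#$%"))
COMMON = least_common_denominator(AD_LIKE, SAP_LIKE, RESET_TOOL)  # what the reset tool should enforce
```

A password such as `!Tr0ub4dor` is fine for the AD-like policy alone but fails `COMMON` on the leading special character, which is exactly the mismatch the post describes.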

Last modified on Monday, 12 April 2010 09:59
Paul Moorman

2 comments

  • Paul Moorman, Thursday, 17 December 2009 16:08

    Excellent info, particularly the OWASP site. Thanks!

  • Michael Levy, Thursday, 17 December 2009 12:26

    The Open Web Application Security Project (OWASP) is a group that is dedicated to improving the security of web applications (http://www.owasp.org/index.php/Main_Page). They have a page in their wiki dedicated to password complexity (http://www.owasp.org/index.php/Password_length_%26_complexity). Microsoft also has their password policy recommendation. This is the policy that Windows Server 2008 defaults to. You can find it at http://technet.microsoft.com/en-us/library/cc264456.aspx

    -Mike
    Michael Levy, Microsoft Practice Director, SDS Consulting
