Security Basics mailing list archives
Re: A doable frequent password change policy?
From: gjgowey () tmo blackberry net
Date: Tue, 3 Jul 2007 20:10:23 +0000
Don't forget the biggest weakness of any password system: users writing down their password on a Post-it note and putting it on their monitor or keyboard. It's funny when I mention this to clients and then all of a sudden they realize why everyone has a Post-it note on their monitor or keyboard x< (doh!)

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: krymson () gmail com
Date: 2 Jul 2007 19:33:19
To: security-basics () securityfocus com
Subject: Re: A doable frequent password change policy?

A few things.

First of all, lots and lots of less intelligent people than you are already under such policies, and don't seem to have too much of a problem with them, so I think you'll survive. :) It is accepted that most people will do the bare minimum to get past a password policy, such as leaving the last digit of a password a number and just incrementing it each month. You'll have to assume that every password on your network is infinite if you don't have a policy that changes them. I mean, that's the only level of security you can guarantee, no?

Second, what compliance do you have to meet? The regs of that compliance may be your answer, no matter what your users think. :)

I think password shifting every 60 days and effectively not keeping history (for instance, inability to reuse the last 200 passwords) seems to me to be an acceptable policy these days. True, you can still crack those hashes quickly, but we're talking about risk management in this case. Changing them is far better than infinite passwords, as even the act of changing them may expose failed attempts and thus unauthorized use.

For Cisco, is the information they are protecting really that important that they should enforce password changes? Honestly, while password changing and history enforcement are accepted with systems on a network under your control, I can't actually think of any websites I go to that have a similar policy. They have instead decided their internal workings (hash, database, encryption) are powerful enough, so they just protect against password guessing (one would hope!). But for a local network, can you ensure no one has pilfered your hashes at some point? Likewise, do you have a captive audience? If so, impose that policy if it means your users have a more protected network and thus a more protected income and life! (Websites might turn off some users with stringent password policies, meaning they don't have a captive audience... blah blah blah)

<- snip ->

Yes, I am aware of the importance of advising users on changing their passwords frequently, be it their AD passwords or passwords on other independent applications (ERP) etc. But I don't want to enforce a policy that comes crashing down. I personally cannot keep changing my password every month, making sure that it differs from the last two in history (at least). Even Cisco on its CCO account only makes its users aware that their password hasn't been changed for quite some time and gives them an option of either changing it or just choosing 'No Thanks' and carrying on with their old password. This sounds like a doable compliance to me. Your thoughts??
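The two mechanics krymson describes, a 60-day maximum age and a deep reuse history, are easy to enforce; the harder part is the "increment the last digit each month" habit, which a plain hash history never sees. The following is an added example, not code from this thread or any product: a per-user history that stores a salted hash of each password and of its stem (the password with trailing digits stripped), so a trailing-digit variant is rejected without keeping anything in plaintext. The class and function names are this example's own.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=60)  # rotation interval discussed in the thread
HISTORY_DEPTH = 200           # "inability to reuse the last 200 passwords"
PBKDF2_ROUNDS = 50_000        # kept modest so the example runs quickly

def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

def stem(password: str) -> str:
    """Password with trailing digits removed: 'Summer07' -> 'Summer'."""
    return password.rstrip("0123456789")

class PasswordHistory:
    """Per-user history of (salt, full_hash, stem_hash, set_at) tuples (assumed layout)."""
    def __init__(self, depth=HISTORY_DEPTH, max_age=MAX_AGE):
        self.depth, self.max_age, self.entries = depth, max_age, []

    def reject_reason(self, candidate: str):
        """None if the candidate is acceptable, otherwise a short reason."""
        for salt, full_hash, stem_hash, _ in self.entries[-self.depth:]:
            if hmac.compare_digest(_pbkdf2(candidate, salt), full_hash):
                return "password was used previously"
            if hmac.compare_digest(_pbkdf2(stem(candidate), salt), stem_hash):
                return "differs from a previous password only by trailing digits"
        return None

    def set_password(self, password: str, now: datetime) -> None:
        reason = self.reject_reason(password)
        if reason:
            raise ValueError(reason)
        salt = secrets.token_bytes(16)  # fresh salt per history entry
        self.entries.append((salt, _pbkdf2(password, salt),
                             _pbkdf2(stem(password), salt), now))

    def is_expired(self, now: datetime) -> bool:
        # True when no password is set or the current one is older than max_age
        return not self.entries or now - self.entries[-1][3] > self.max_age

def demo():
    """The 'increment the last digit' case from the thread; returns the verdicts."""
    h, t0 = PasswordHistory(), datetime(2007, 7, 2)  # constructed sample data
    h.set_password("Correct-Horse7", t0)
    return (h.reject_reason("Correct-Horse8"),    # incremented digit
            h.reject_reason("Correct-Horse7"),    # exact reuse
            h.reject_reason("Battery-Staple1"),   # genuinely new password
            h.is_expired(t0 + timedelta(days=61)))
```

Storing the stem hash gives anyone who pilfers the history (the risk krymson raises) a shorter string to crack, so where that is a concern do the trailing-digit comparison only at change time, against the old password the user has just typed, and store only the full hash.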
Current thread:
- RE: A doable frequent password change policy? Craig Wright (Jul 02)
- <Possible follow-ups>
- Re: A doable frequent password change policy? krymson (Jul 03)
- Re: A doable frequent password change policy? gjgowey (Jul 04)
- RE: A doable frequent password change policy? Largacha Lamela, Daniel (Jul 05)
- Re: A doable frequent password change policy? gjgowey (Jul 04)
- Re: A doable frequent password change policy? mpalmer (Jul 06)