Security Basics mailing list archives

Re: A doable frequent password change policy?


From: gjgowey () tmo blackberry net
Date: Tue, 3 Jul 2007 20:10:23 +0000

Don't forget the biggest weakness of any password system: users writing down their password on a post-it note and putting 
it on their monitor or keyboard.  It's funny when I mention this to clients and then all of a sudden they realize why 
everyone has a post-it note on their monitor or keyboard x< (doh!)

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: krymson () gmail com

Date: 2 Jul 2007 19:33:19 
To:security-basics () securityfocus com
Subject: Re: A doable frequent password change policy?


A few things. First of all, lots and lots of less intelligent people than you are already under such policies, and 
don't seem to have too much of a problem with them, so I think you'll survive. :) It is accepted that most people will 
do the bare minimum to get past a password policy, such as leaving the last digit of a password a number and just 
incrementing it each month. You'll have to assume that every password on your network is infinite if you don't have a 
policy that changes them. I mean, that's the only level of security you can guarantee, no?


Second, what compliance do you have to meet? The regs of that compliance may be your answer, no matter what your users 
think. :)


I think password shifting every 60 days and effectively not keeping history (for instance, inability to reuse the last 
200 passwords) seems to me to be an acceptable policy these days. True, you can still crack those hashes quickly, but 
we're talking about risk management in this case. Changing them is far better than infinite passwords, as even the act 
of changing them may expose failed attempts and thus unauthorized use.


For Cisco, is the information they are protecting really that important that they should enforce password changes? 
Honestly, while password changing and history enforcement are accepted with systems on a network under your control, I 
can't actually think of any websites I go to that have a similar policy. They have instead decided their internal 
workings (hash, database, encryption) are powerful enough, so they just protect against password guessing (one would 
hope!). But for a local network, can you ensure no one has pilfered your hashes at some point? Likewise, do you have a 
captive audience? If so, impose that policy if it means your users have a more protected network and thus a more 
protected income and life! (Websites might turn off some users with stringent password policies, meaning they don't 
have a captive audience...blah blah blah)



<- snip ->

Yes I am aware of the importance of advising users on changing their
passwords frequently, be it their AD passwords or passwords on other
independent applications (ERP) etc.

But I don't want to enforce a policy that comes crashing down. I
personally, cannot keep changing my password every month making sure that
it differs from the last two in history (at least).

Even Cisco on its CCO account only makes its users aware that their
password hasn't been changed for quite some time and gives them the option
of either changing it or just picking a 'No Thanks' option and carrying on with
their old password. This sounds like a doable compliance to me.

Your thoughts??
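The thread above raises two mechanical points: password history (krymson's "inability to reuse the last 200 passwords") and the "increment the last digit each month" dodge that a plain history check does not catch. The following is an added example, not code from any participant in this thread, showing how a password-change validator can enforce both: old passwords are kept only as salted PBKDF2 hashes (history depth, iteration count and the edit-distance threshold are assumptions chosen for illustration), and the new password is compared against the current one in plaintext, which the server has at change time anyway, to reject counter bumps and other near-identical variants. The sample passwords are constructed for the demo.

```python
"""Password-change validator: salted history check plus trivial-variant detection.
Added illustrative example; parameters (depth, rounds, thresholds) are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware/latency budget


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history is never stored in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps the salted hashes of the last `depth` passwords for one account."""

    def __init__(self, depth: int = 24) -> None:
        self.depth = depth
        self.entries = []  # list of (salt, digest), oldest first

    def add(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per entry, so equal passwords do not collide
        self.entries.append((salt, pw_hash(password, salt)))
        del self.entries[: -self.depth]  # drop anything older than the newest `depth`

    def contains(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate must be re-hashed per entry.
        return any(hmac.compare_digest(pw_hash(password, salt), digest)
                   for salt, digest in self.entries)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard O(len(a)*len(b)) dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


_TRAILING_DIGITS = re.compile(r"\d+$")


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True if `new` is `old` with its trailing counter bumped (Summer07 -> Summer08)
    or differs from it by at most `max_distance` single-character edits."""
    old_stem = _TRAILING_DIGITS.sub("", old).lower()
    new_stem = _TRAILING_DIGITS.sub("", new).lower()
    if old_stem and old_stem == new_stem:
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


def validate_change(old: str, new: str, history: PasswordHistory,
                    min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the change is accepted.
    The caller has both plaintexts at change time, so old-vs-new similarity is checked
    directly; earlier passwords exist only as hashes and get an exact-reuse check."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if new == old:
        problems.append("identical to current password")
    elif is_trivial_variant(old, new):
        problems.append("trivial variant of current password (counter bump or small edit)")
    if history.contains(new):
        problems.append(f"reused within the last {history.depth} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: an account whose user has been bumping a counter for months.
    hist = PasswordHistory(depth=24)
    for p in ("Correct-Horse-05", "Correct-Horse-06", "Correct-Horse-07"):
        hist.add(p)
    for candidate in ("Correct-Horse-08", "Correct-Horse-05", "Short1", "Battery-Staple-2007"):
        verdict = validate_change("Correct-Horse-07", candidate, hist)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The stem comparison catches the month-counter dodge exactly as described in the thread; the edit-distance check additionally catches single-character swaps such as changing one symbol. Note that the history check can only ever reject exact reuse, because the old passwords are stored hashed; similarity to anything but the current password is not recoverable without weakening storage, which is why the comparison is limited to the old/new pair the user just supplied.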
