nanog mailing list archives

RE: AD and enforced password policies


From: "Jones, Barry" <BEJones () semprautilities com>
Date: Thu, 5 Jan 2012 11:01:55 -0800

'Either way, expiring often is the first and most effective step at making the lusers hate you and will only bring the 
Post-It(tm) makers happy.'


If you want to make them really, really unhappy, implement a rotating user ID coupled with an often expiring password 
policy. For example, User ID jjones1, jjones2, jjones3, jjones4 (for winter, summer, fall, spring). Works with clothing 
choices, but angers user communities... :-)
 

-----Original Message-----
From: Steven Bellovin [mailto:smb () cs columbia edu] 
Sent: Tuesday, January 03, 2012 5:41 AM
To: Greg Ihnen
Cc: Nanog () nanog org
Subject: Re: AD and enforced password policies


On Jan 3, 2012, at 8:09:19 AM, Greg Ihnen wrote:


On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:

Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch 
(blake () pfankuch me):

However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented 
network.  

If you force me to change a password every three months, I'm going to 
start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, 
you lose.

Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 
etc, and we're all doomed, or they will be lucky and guess. None of 
these attack modes will be mitigated by the 3-month scheme; 
success/fail as seen by the bad guys will be a lot quicker than three 
months. If they do not get lucky with john or rainbow tables, they'll move on.

(Some scenarios still are affected by this, of course, but there is a 
lot to be done to stop bad things from happening like not getting 
your hashes stolen etc. On-line repeated login failures aren't going 
to work because you'll detect that, right? )

Either way, expiring often is the first and most effective step at 
making the lusers hate you and will only bring the Post-It(tm) makers happy.

If your password crypto is NSA KW-26 or similar, OTOH, just don the 
Navy blues and start swapping punchcards at 0000 ZULU.
     (http://en.wikipedia.org/wiki/File:Kw-26.jpg)

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!


A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course 
fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing 
at fuzzykittens? All those passwords.  I use and recommend a popular password manager, so I can have unique 
strong passwords without making a religion out of it.


It's not a side issue; in my opinion it's a far more important issue in most situations.  I do the same thing that you 
do for all but my most critical passwords.



                --Steve Bellovin, https://www.cs.columbia.edu/~smb
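One way a defender can turn Måns's point into a concrete control, as an added example that is not from the thread: a password-history check that rejects a new password when it is just a previous one with a bumped counter or a trivial edit. The suffix regex, the 0.8 similarity threshold and the sample passwords are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher
from typing import List

# Assumed pattern for a trailing counter: optional separator plus 1-4 digits,
# e.g. "-01", "02", "_2012".  This is what the thread's "-01, -02, ..." habit produces.
SUFFIX_RE = re.compile(r'[-_.!#@ ]?\d{1,4}$')


def stem(pw: str) -> str:
    """Strip a trailing counter suffix and lowercase, leaving the reused 'stem'."""
    return SUFFIX_RE.sub('', pw).lower()


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how much two strings share (difflib, no autojunk below 200 chars)."""
    return SequenceMatcher(None, a, b).ratio()


def is_rotated_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a trivial variant of `old`:
    identical, same stem once counters are removed, one contains the other
    (e.g. an appended '!'), or highly similar overall (assumed threshold 0.8)."""
    if new == old:
        return True
    s_old, s_new = stem(old), stem(new)
    if s_old and s_old == s_new:
        return True
    lo, ln = old.lower(), new.lower()
    if lo in ln or ln in lo:
        return True
    return similarity(lo, ln) >= threshold


def check_history(new: str, history: List[str]) -> List[str]:
    """Return the previous passwords that `new` is a trivial variant of.
    An empty list means the change is acceptable under this check."""
    return [old for old in history if is_rotated_variant(old, new)]


if __name__ == "__main__":
    # Constructed history mirroring the "g0ddw/\ssPOrd-01, -02" pattern from the thread.
    previous = ["g0ddw/\\ssPOrd-01", "g0ddw/\\ssPOrd-02"]
    for candidate in ["g0ddw/\\ssPOrd-03", "tr0ub4dor&3"]:
        hits = check_history(candidate, previous)
        print(candidate, "REJECTED (variant of %s)" % hits if hits else "accepted")
```

Season-based stems such as Winter/Spring are not caught by this check; a banned-word list or a breached-password lookup is the complementary control for those.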
