Security Basics mailing list archives

Re: A doable frequent password change policy?


From: krymson () gmail com
Date: 2 Jul 2007 19:33:19 -0000

A few things. First of all, lots and lots of less intelligent people than you are already under such policies, and 
don't seem to have too much of a problem with them, so I think you'll survive. :) It is accepted that most people will 
do the bare minimum to get past a password policy, such as leaving the last digit of a password a number and just 
incrementing it each month. You'll have to assume that every password on your network is infinite if you don't have a 
policy that changes them. I mean, that's the only level of security you can guarantee, no?

Second, what compliance do you have to meet? The regs of that compliance may be your answer, no matter what your users 
think. :)

I think password shifting every 60 days and effectively not keeping history (for instance, inability to reuse the last 
200 passwords) seems to me to be an acceptable policy these days. True, you can still crack those hashes quickly, but 
we're talking about risk management in this case. Changing them is far better than infinite passwords, as even the act 
of changing them may expose failed attempts and thus unauthorized use.

For Cisco, is the information they are protecting really that important that they should enforce password changes? 
Honestly, while password changing and history enforcement are accepted with systems on a network under your control, I 
can't actually think of any websites I go to that have a similar policy. They have instead decided their internal 
workings (hash, database, encryption) are powerful enough, so they just protect against password guessing (one would 
hope!). But for a local network, can you ensure no one has pilfered your hashes at some point? Likewise, do you have a 
captive audience? If so, impose that policy if it means your users have a more protected network and thus a more 
protected income and life! (Websites might turn off some users with stringent password policies, meaning they don't 
have a captive audience...blah blah blah)


<- snip ->
Yes I am aware of the importance of advising users on changing their 
passwords frequently, be it their AD passwords or passwords on other 
independent applications (ERP) etc.

But I don't want to enforce a policy that comes crashing down. I, 
personally, cannot keep changing my password every month making sure that 
it differs from the last two in history (at least).

Even Cisco on its CCO account only makes its users aware that their 
password hasn't been changed for quite some time, giving them the option 
of either changing it or just choosing 'No Thanks' and carrying on with 
their old password. This sounds like a doable compliance to me.

Your thoughts??
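As an added illustration of the two controls discussed in this thread (a no-reuse history and the "bump the last digit each month" workaround the reply describes), here is a Python password-change check. It is not code from either poster; the history depth of 200 comes from the reply, while the PBKDF2 work factor, the 60-day rotation helper and the trailing-digit similarity rule are assumptions.

```python
import hashlib
import secrets
from datetime import date, timedelta

HISTORY_DEPTH = 200       # reply's example: no reuse of the last 200 passwords
MAX_AGE_DAYS = 60         # reply's example: rotate every 60 days
PBKDF2_ROUNDS = 100_000   # work factor for stored history hashes (assumption)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never stores cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _stem(password: str) -> str:
    """Strip trailing digits and case: 'Summer07' and 'Summer08' share 'summer'.
    An all-digit password stems to '', so two such passwords count as similar."""
    return password.rstrip("0123456789").lower()


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords for one account."""

    def __init__(self):
        self._entries = []  # (salt, hash) pairs, newest last

    def remember(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]  # keep only the newest entries

    def seen_before(self, password: str) -> bool:
        return any(secrets.compare_digest(_hash(password, salt), h)
                   for salt, h in self._entries)


def needs_rotation(last_changed: date, today: date) -> bool:
    """True once a password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def check_change(history: PasswordHistory, old_password: str, new_password: str) -> str:
    """Return 'ok' or the reason the change is rejected.
    old_password is the cleartext the user typed to authorise the change, so it
    can be compared structurally; older passwords exist only as hashes."""
    if history.seen_before(new_password):
        return "reused: matches one of the last %d passwords" % HISTORY_DEPTH
    if _stem(new_password) == _stem(old_password):
        return "too similar: only the trailing digits changed"
    return "ok"
```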

