Password policy

jadams, joined Mar 14, 2010, 4,086 messages
Hey guys, been a while since I've posted.

Can you guys share your password policies? Age/complexity requirements? Different settings for different departments/groups, especially those departments/groups that handle sensitive customer and employee information?

Thanks!
 
8 chars, at least a cap, number and special char. Mandatory change every 3 months.
 
8 chars, at least a cap, number and special char. Mandatory change every 3 months.

That will cause a lot of stickies. I always show our auditors a screencap of something this complex and just revert to something easier that won't cause my users to hide their password on a sticky on their monitor, under their keyboard, in a file cabinet drawer that is unlocked or behind the calendar that is on the wall of their cubicle.
 
That will cause a lot of stickies. I always show our auditors a screencap of something this complex and just revert to something easier that won't cause my users to hide their password on a sticky on their monitor, under their keyboard, in a file cabinet drawer that is unlocked or behind the calendar that is on the wall of their cubicle.

There's give and take. It all depends how secure you want to be. Support the use of 1password for password management or something like KeePass and have a good talking to with the people that leave stickies around. There should be a policy in place that they should adhere to.
 
That will cause a lot of stickies. I always show our auditors a screencap of something this complex and just revert to something easier that won't cause my users to hide their password on a sticky on their monitor, under their keyboard, in a file cabinet drawer that is unlocked or behind the calendar that is on the wall of their cubicle.

Self Service Portals can help with curbing this behavior. Offering an option which doesn't require them to constantly get IT involved is something many users will accept as a happy balance. So does enforcement of company usage and password policies.

I realize there are always people who are problematic, but for the most part, people should be able to remember the same password they use day-in-day-out. I mean, this isn't an uncommon request (8 characters with complexity)
 
There's give and take. It all depends how secure you want to be. Support the use of 1password for password management or something like KeePass and have a good talking to with the people that leave stickies around. There should be a policy in place that they should adhere to.

Password managers do not help much for logging into the workstation unless all of your users have a smartphone.

I agree overly complex password requirements WITH short lifespan does not increase your security one bit. The whole short lifespan of a password is just plain stupid and is the biggest culprit of sticky note passwords. A normal user can come up with a small handful of complex passwords that they can actually commit to memory, but make them change that every 3 months and forget about it. They will write that shit down, I don't care what your corporate policy states about such acts.
 
Most official policies are moving to this:

Change password every 3 months. Can't be the same as the last 15 passwords you used. Cannot contain a dictionary word. Complexity:

A minimum of 15 characters
Include at least one uppercase alphabetic character
Include at least one lowercase alphabetic character
Include at least one non-alphanumeric (special) character

Password managers do not help much for logging into the workstation unless all of your users have a smartphone.

I agree overly complex password requirements WITH short lifespan does not increase your security one bit. The whole short lifespan of a password is just plain stupid and is the biggest culprit of sticky note passwords. A normal user can come up with a small handful of complex passwords that they can actually commit to memory, but make them change that every 3 months and forget about it. They will write that shit down, I don't care what your corporate policy states about such acts.

I agree to an extent. One, you absolutely should change your password at least every 3 months. However, I don't agree with them forcing you to remember 15+ passwords. They could change the password history to 5 or 6 rather than 15. The problem is when you have over a dozen systems with different applications and the systems and applications all have different passwords that have to be changed regularly...now that is pain. Also password length is far more important than password complexity.

In any case a lot of companies are also moving to more devices like smart cards with PKI chips for encryption and identification. There are also some other new means of identification and verification coming out that should help a lot. I would imagine login/password combos will gradually get phased out in favor of other methods.
 
Password managers do not help much for logging into the workstation unless all of your users have a smartphone.

Oh yeah, forgot we're talking about enforcing corporate accounts most likely, not web email or 3rd party stuff, web apps.

And you're right. I have 3 primary passwords that are pretty cryptic and committed to memory. If you can ensure a policy in the beginning that has some complexity and dump the 3 month cycle or extend it to a year that seems reasonable.
 
Change password every 3 months. Can't be the same as the last 15 passwords you used. Cannot contain a dictionary word. Complexity:

A minimum of 15 characters
Include at least one uppercase alphabetic character
Include at least one lowercase alphabetic character
Include at least one non-alphanumeric (special) character

Pretty sure every one of your uber-secure passwords is on a post-it under every mouse pad!
 
Most people here will simply change 1 or 2 characters every 3 months.

It isn't that hard, the main issue is most people forget a space is considered a special character, so use a sentence or a song lyric:

I Hate Changing My Password Every 3 months

There, covered the bases.
 
Personally, I just use a number in my password and just keep incrementing it or I go into AD and reset it to what it currently is after the 3 month mark.
 
Most people here will simply change 1 or 2 characters every 3 months.

It isn't that hard, the main issue is most people forget a space is considered a special character, so use a sentence or a song lyric:

I Hate Changing My Password Every 3 months

There, covered the bases.

And then you can use I Hate Changing My Password Every 3 months1 and then I Hate Changing My Password Every 3 months2.
 
Personally, I just use a number in my password and just keep incrementing it or I go into AD and reset it to what it currently is after the 3 month mark.

Well the fun systems prevent you from doing this as well.
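The policy quoted earlier in the thread (15 characters, upper, lower and special characters, no dictionary words, not one of the last 15 passwords) and the "just bump the number at the end" habit that the last few posts describe can both be expressed as a single check on a proposed new password. The following is an added Python example, not code from the thread or from any product it mentions; the sample word list, the similarity threshold of 0.8 and the sample passwords are constructed for the demonstration.

```python
import re
from difflib import SequenceMatcher

# Policy numbers quoted in the thread: 15-character minimum, upper + lower +
# special character, no dictionary words, not reused from the last 15 passwords.
MIN_LENGTH = 15
HISTORY_DEPTH = 15
SIMILARITY_THRESHOLD = 0.8   # assumption: how close to an old password counts as "the same"

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_DICTIONARY = {"password", "summer", "welcome", "monkey", "dragon", "company"}


def core_form(password):
    """Normalise a password so that 'Summer2014!' and 'Summer2015!' compare equal.

    Case is folded and a trailing counter (digits, optionally followed by one
    punctuation mark) is removed, which is exactly the 'increment the number'
    habit the thread describes.
    """
    core = password.casefold()
    return re.sub(r"\d+([^\w\s]?)$", r"\1", core)


def is_trivial_variant(candidate, previous):
    """True if the candidate is an old password with the counter bumped or a
    character or two changed (a plain history check would miss both)."""
    a, b = core_form(candidate), core_form(previous)
    if a == b:
        return True
    return SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD


def check_password(candidate, history, dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the candidate violates (empty = accepted).

    Rule codes: length, uppercase, lowercase, special, dictionary, history.
    A space counts as a special character, as one poster points out, so a
    sentence or lyric satisfies the complexity rules on its own; it will still
    trip the dictionary rule, which is the tension the thread runs into.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isupper() for c in candidate):
        problems.append("uppercase")
    if not any(c.islower() for c in candidate):
        problems.append("lowercase")
    if not any(not c.isalnum() for c in candidate):
        problems.append("special")
    words = re.findall(r"[a-z]{4,}", candidate.casefold())
    if any(w in dictionary for w in words):
        problems.append("dictionary")
    if any(is_trivial_variant(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("history")
    return problems


if __name__ == "__main__":
    # Constructed sample: the last two passwords a user set, then three attempts.
    previous = ["Correct-Horse-Battery-Staple-97", "Correct-Horse-Battery-Staple-98"]
    for attempt in ["Correct-Horse-Battery-Staple-99",
                    "I Hate Changing My Password Every 3 months",
                    "Quiet-Harbour-Lantern-Tuesday"]:
        print(f"{attempt!r}: {check_password(attempt, previous) or 'accepted'}")
```

The history rule compares normalised forms rather than exact strings, which is what separates a system that "prevents you from doing this" from one that only stores the last N hashes: with hashes alone, a server can only detect an exact repeat, so checking for near-duplicates has to happen at change time while the new and old plaintexts are both available.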
 
Complex passwords are ok, but get rid of the expiry crap. It serves zero purpose. Instead, implement brute force protection on ALL systems that have a password, and make it share the same password from the same database. At this point the password requirement can be like 10 letters, but if it does not expire all the time and there is only one of them to remember it is much better than having 40 different smaller passwords that expire every couple weeks/months out of sync.

The funniest thing about passwords that expire is most people just put a number after. I'm at 30. I can probably roll back to 0 soon. There is zero point to expiring passwords. If someone is trying to brute force it, there is no guarantee that when you change it you will pick a password that has not already been tried.
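Brute-force protection, which the post above recommends in place of expiry, comes down to counting failures per account and refusing further attempts once a threshold is crossed, so that an online guessing campaign stalls regardless of how old the password is. The following is an added Python example, not code from the thread; the credential store, the event stream and the thresholds (five failures in fifteen minutes, fifteen-minute lockout) are constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque

# Constructed credential store for the demo. A real system keeps salted hashes
# and this function would compare against them; the throttle does not care how.
SAMPLE_USERS = {
    "jdoe": "Correct-Horse-Battery-Staple-99",
    "asmith": "Quiet-Harbour-Lantern-Tuesday",
}


def sample_verify(account, password):
    return SAMPLE_USERS.get(account) == password


class LoginThrottle:
    """Sliding-window failure counter plus a temporary lockout, per account.

    The defaults (5 failures in 15 minutes, 15-minute lockout) are assumptions
    chosen for the example, not values from the thread.
    """

    def __init__(self, verify, max_failures=5, window=900, lockout=900):
        self.verify = verify
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lockout ends

    def is_locked(self, account, now):
        return now < self._locked_until.get(account, float("-inf"))

    def attempt(self, account, password, now):
        """Return 'locked', 'denied' or 'allowed'.

        `now` is a caller-supplied timestamp in seconds so the behaviour is
        deterministic; production code would pass time.monotonic() or similar.
        A locked account is refused before the password is checked at all,
        so guesses against it yield no information.
        """
        if self.is_locked(account, now):
            return "locked"
        if self.verify(account, password):
            self._failures[account].clear()
            return "allowed"
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
        return "denied"


def replay(throttle, events):
    """Run a list of (timestamp, account, password) events and return the decisions."""
    return [throttle.attempt(account, password, t) for t, account, password in events]


# Constructed event stream: five wrong guesses at jdoe within a minute, then the
# real password during the lockout, a different user, and jdoe again once it expires.
SAMPLE_EVENTS = [
    (0, "jdoe", "Password1"),
    (10, "jdoe", "Password2"),
    (20, "jdoe", "Password3"),
    (30, "jdoe", "Summer2014!"),
    (40, "jdoe", "Welcome1"),
    (50, "jdoe", "Correct-Horse-Battery-Staple-99"),
    (60, "asmith", "Quiet-Harbour-Lantern-Tuesday"),
    (950, "jdoe", "Correct-Horse-Battery-Staple-99"),
]

if __name__ == "__main__":
    throttle = LoginThrottle(sample_verify)
    for event, decision in zip(SAMPLE_EVENTS, replay(throttle, SAMPLE_EVENTS)):
        print(event, "->", decision)
```

A per-account lockout on its own lets anyone who knows a username lock that user out, so deployments normally pair it with per-source throttling and alerting on lockouts rather than relying on the account counter alone; the poster's point that the counter has to be shared across every system using the same password database also holds, since a limit enforced on one front end and not another protects nothing.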
 
Pretty sure every one of your uber-secure passwords is on a post-it under every mouse pad!

Incorrect, nor do I use a password locker. I simply remember them using one of numerous easy to learn memory systems. But thanks for playing! Your insightful comment has really zinged me. Especially since what I just listed is a standard policy and has nothing to do with me personally.
 
Complex passwords are ok, but get rid of the expiry crap. It serves zero purpose. Instead, implement brute force protection on ALL systems that have a password, and make it share the same password from the same database. At this point the password requirement can be like 10 letters, but if it does not expire all the time and there is only one of them to remember it is much better than having 40 different smaller passwords that expire every couple weeks/months out of sync.

The funniest thing about passwords that expire is most people just put a number after. I'm at 30. I can probably roll back to 0 soon. There is zero point to expiring passwords. If someone is trying to brute force it, there is no guarantee that when you change it you will pick a password that has not already been tried.

That is not very good security at all. The reason for rotating passwords is to help mitigate compromised accounts. If someone figures out a password, and no one catches on, they have a shorter period of time to abuse it.

Also no matter how short or long the password is, you are still going to have people using sticky notes. So really the sticky note excuse is a poor one. Most people I have met in the industry with long complex passwords remember them and they use similar schemes for other passwords that follow patterns they remember. I see a lot less people writing down passwords today.

Also there are a number of programs people can use to store their passwords in encrypted bins to help them remember rather than using sticky notes. Of course, if one were to find a way to break into that bin, they would have access to all their passwords. But certainly far more secure than sticky notes.
 
NoOther has this right.

This has been debated for 20+ years.

What it comes down to is what data and apps the person has access to and if they have external access. If they have no external, I'm much more lenient. You should have provisions in place internally that mitigate the risks. The password and account play a very small part.

Externally, you must be much more diligent.

If they have external access (VPN, SSH, etc). scrutinize the shit out of their passwords and activity. Make them change their passwords, watch wtf they are doing. Read-only log everything.

If they only have internal access, make them rotate reasonable passwords. Audit everything. Help them make complex but easy to remember passwords (famous movie quotes with special chars come to mind).

It's a difficult process to balance.
 
Rotating a password does little to protect against a compromised account. Even as short as 3 months gives the attacker on avg. 1.5 months to do whatever they want. And here is the kicker: if they have the password, since most people use the SAME essential password when they are required to reset it, it is trivial for the attacker to get the new password.

EDIT: if you are concerned about security, 2-factor is a much better way to go.
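The 2-factor suggestion above can take several forms; the smartcard/PKI approach that comes up later in the thread is one, and time-based one-time codes from a phone app are another. Below is an added Python implementation of the RFC 6238 time-based one-time-password check, not code from the thread; the base32 secret is the RFC's own published test value, and the drift tolerance of one 30-second step either side is an assumption.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 time-based variant: the counter is the number of 30-second steps."""
    return hotp(secret, at_time // step, digits)


def secret_from_base32(encoded):
    """Authenticator apps are provisioned with the shared secret as base32 text."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection.

    Accepting the neighbouring steps covers clock skew between phone and server;
    remembering the last counter that succeeded stops a captured code from being
    replayed inside that tolerance window.
    """

    def __init__(self, secret, drift_steps=1, step=30, digits=6):
        self.secret = secret
        self.drift_steps = drift_steps
        self.step = step
        self.digits = digits
        self.last_counter = -1   # also keeps negative counters out of the loop

    def verify(self, code, at_time):
        current = at_time // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue   # already consumed (or before epoch): treat as replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # The RFC 6238 test secret, as the base32 string an enrolment QR code would carry.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("first use:", verifier.verify(code, 59))
    print("replay:", verifier.verify(code, 59))
```

The code is only as good as the secrecy of the shared key and the server's clock, so the secret is stored with the same care as a password hash and the replay counter has to be persisted per user, not kept in process memory, or a restart reopens the window.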
 
Self Service Portals can help with curbing this behavior. Offering an option which doesn't require them to constantly get IT involved is something many users will accept as a happy balance. So does enforcement of company usage and password policies.

I realize there are always people who are problematic, but for the most part, people should be able to remember the same password they use day-in-day-out. I mean, this isn't an uncommon request (8 characters with complexity)

Indeed, however at some of my locations this is totally unavoidable. I have high caliber users at several sites and very low calibers (folks who can barely muster basic usage in MS Office) that cause the majority of workload for my engineers. Doing this cuts back on their work. Auditors never talk to end users so there's no risk of exposure on this.
 
A minimum of 15 characters
Include at least one uppercase alphabetic character
Include at least one lowercase alphabetic character
Include at least one non-alphanumeric (special) character

We use this on a 6 month rotation. We're working toward 2-factor auth everywhere so we can drop the 15 character requirement and bring it back down to a more sane 7-8 characters.

Unfortunately our hand was forced on the 15-character requirement as a stop gap (LM-hash issues that still exist are horrifying in an environment like mine with WAY too many users with [local] admin).

Frankly for most of my network I'd rather have the sticky notes (the buildings are pretty secure) than insecure passwords. My risk of a cyber attack is a lot higher than an insider attack IMO.
 
I really only make sure my password is long enough to be safe from dictionary attacks against the hashing I'd like to think companies I have accounts with use on their user databases.
 
Rotating a password does little to protect against a compromised account. Even as short as 3 months gives the attacker on avg. 1.5 months to do whatever they want. And here is the kicker: if they have the password, since most people use the SAME essential password when they are required to reset it, it is trivial for the attacker to get the new password.

An attacker, sure. But someone who is consistently stealing information? Yeah, you want to rotate passwords to plug holes. Not to mention for people who leave the company. Remember these aren't just user passwords, but passwords for various admin accounts, databases, servers, services, etc. There are many things that go into thinking about and creating a password policy. Most of these policies are in place to cover a multitude of situations.

EDIT: if you are concerned about security, 2-factor is a much better way to go.

I like how you try to argue with me, then you basically say the same thing I said. Good job there buddy, way to keep up.
 
We use this on a 6 month rotation. We're working toward 2-factor auth everywhere so we can drop the 15 character requirement and bring it back down to a more sane 7-8 characters.

Unfortunately our hand was forced on the 15-character requirement as a stop gap (LM-hash issues that still exist are horrifying in an environment like mine with WAY too many users with [local] admin).

Frankly for most of my network I'd rather have the sticky notes (the buildings are pretty secure) than insecure passwords. My risk of a cyber attack is a lot higher than an insider attack IMO.

Depending on the method of 2 factor you use, there is no real reason to change the password policy, since the password most likely will never be used. And you will want that policy in place for accounts that will not have 2-factor auth. Most of the companies I work with are currently using some form of 2 or 3 factor security right now.

Also, I think you may be surprised at the statistics regarding insider threats to outsider threats. Most companies find the risk of insider threats much greater. It can really depend on a number of factors though. You never quite know who you are working with or what their agenda might be, i.e. Snowden.

That said most of the departments I have worked in, the employees never used sticky notes. I mostly see a lot of that in the finance area and sometimes database admins.
 
An attacker, sure. But someone who is consistently stealing information? Yeah, you want to rotate passwords to plug holes. Not to mention for people who leave the company. Remember these aren't just user passwords, but passwords for various admin accounts, databases, servers, services, etc. There are many things that go into thinking about and creating a password policy. Most of these policies are in place to cover a multitude of situations.



I like how you try to argue with me, then you basically say the same thing I said. Good job there buddy, way to keep up.

You should never share accounts. No one should log in as root or admin. Non-user accounts, services and such should not have a login so a password is not needed.
 
An attacker, sure. But someone who is consistently stealing information? Yeah, you want to rotate passwords to plug holes. Not to mention for people who leave the company. Remember these aren't just user passwords, but passwords for various admin accounts, databases, servers, services, etc. There are many things that go into thinking about and creating a password policy. Most of these policies are in place to cover a multitude of situations.



I like how you try to argue with me, then you basically say the same thing I said. Good job there buddy, way to keep up.

I am not saying the same thing. Password expiring does not solve the issues. 2 factor does.
 
I am not saying the same thing. Password expiring does not solve the issues. 2 factor does.

Pretty much the first thing I said was companies were moving to 2 factor and better methods over passwords.

You should never share accounts. No one should log in as root or admin. Non-user accounts, services and such should not have a login so a password is not needed.

Unfortunately there are still many reasons for shared accounts. And it is not so much a shared account as it is the only account for a system or service. Typically you would use a system that would allow a user account to have access to elevated permissions to perform the necessary functions, but some systems you don't have that option. There are also risks in allowing access from AD to devices which normally would allow users to use their own accounts to login. There are many reasons why there are still circumstances out there which have single accounts.
 
Curious, what 2 factor solutions are available for a windows based AD?

Tons. Most of the places I have worked for generally use PKI cards with pins. But there are actually lots of options for 2 or even 3 factor auth with AD. You can use biometrics, patterns, token based, etc.
 
Tons. Most of the places I have worked for generally use PKI cards with pins. But there are actually lots of options for 2 or even 3 factor auth with AD. You can use biometrics, patterns, token based, etc.

Smartcards (basically PKI) are a popular option.
 
No real requirements. We audit user activity and permissions on a real-time basis. I'm pretty sure the NSA doesn't even do that :p
 
Incorrect, nor do I use a password locker. I simply remember them using one of numerous easy to learn memory systems. But thanks for playing! Your insightful comment has really zinged me. Especially since what I just listed is a standard policy and has nothing to do with me personally.

So your being a corner case means we should apply it to all users?
 
Wait, you're calling me a troll?

Forget it, it's not worth answering.

Yes, considering you had nothing to say about the actual topic and your post was entirely about me personally. By definition, trolling. You had nothing insightful to say or add, and you refused to explain yourself as well.

If you care to say something that has any meaning and can add value to the actual topic, then please do so.
 