Creating Sane Password Policies?
Xenocide asks: "Occasionally, while using Windows here at work, my LAN account gets locked out for one reason or another (three tries and you're out). This requires me to contact our Help Desk and have the password reset. Now, because the server administration thought it was a good idea, old passwords cannot be used again. After talking with a Help Desk person, they said there was a large increase in password resets lately. It seems to me that if you make password policies too outrageous, users will find a way to circumvent the system. Not to mention that this increases support costs. I was wondering, what password policies do other companies use? Also, how do you convince the administrators to implement reasonable ones?"
a bank? Otherwise, in normal, day-to-day use, this sounds like overkill. If the admin is that worried about passwords, get a strong firewall product to protect your network from the external world, so that you can lift some of the password restrictions for local users.
I don't understand this response. The user's LAN should not be open to the Internet. Accounts/passwords have existed in organisations for years before most orgs decided to connect to the Internet.
If there are segmented functions in an organisation and there are resources that can be used by some segments and not others, then you should think twice before relaxing your password regime. Even more so if you can't guarantee the physical security of your desktops at all times of the day.
Slashdot: Where nerds gather to pool their ignorance
There was an article in CACM about a year ago on this subject. (Might have been IEEE Computer: I sometimes confuse them.) The basic gist was that stricter policies (change frequency or obscurity quotients) lead people to write down passwords to keep from forgetting them, and this, of course, generates new problems.
My company has over a thousand users, each with at least one password. I believe that the policy your company has is fair.
Passwords are not a systems or technology issue. They are a management issue. As soon as that is understood and policies are put in place, the problem will go away.
Memorizing Passwords
We recently looked into our password policies. There was much whining even among the technical folks about mandatory password lengths of at least seven characters and changes every six months. The most common complaint was 'no one can remember seven mostly meaningless characters'.
To dispel such nonsense, ask such whiners for their phone number. Then ask them what their phone number was at their last three places of residence. Ask them what their best friend's phone number is. Or their 12-digit bank account number. Or their third-grade teacher's name. Or Ken Griffey's batting average.
Folks are certainly able to memorize random bits of information. Anyone who can't memorize seven to ten characters for a period of six months will be fired. Period. Memorizing a password is part of our job requirements.
Password Resets
But, some people do forget a password or lock themselves out. Then what?
We're a newspaper, so most of our deadline work happens outside 'normal' business hours, between eight at night and two in the morning.
It used to be common for the computer room to get frantic calls from sports reporters who had locked themselves out on deadline.
Used to be.
If a person needs a password reset, he has to call his direct supervisor. That supervisor has to call the division head. The division head then has to call the computer room to get the account opened.
Not only does this better ensure that the caller is actually who he says he is, no one wants to wake his boss up at midnight on a Sunday. Further, once your boss has to wake up his boss at midnight on a Sunday, the chances are that you'll never forget your password again.
(Those that are repeat lusers often think it better to dictate the story over the phone and fix the problem the next day than to wake anyone up.)
InitZero
If I understand your post, you're saying that _every_ time a password needs to be reset, the user needs to generate a completely new one?!? Rather than just having the admin unlock the account?!? That's totally nuts! I'm in the military, and even I can't think of a system so sensitive it would justify that level of lameness... it's _far_ more trouble than it's worth. A much simpler workaround, other than just having the user identify himself to the helpdesk & having the account unlocked, is to have the account lock _for a limited time_ after too many bad tries... 15 min. is good for a basic non-sensitive system; longer for more critical areas. This will quickly shoo away/highlight brute force crack attempts, which are the only thing your current policy really protects against in the first place. It will also lower your helpdesk calls noticeably...
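The two lockout styles the reply contrasts, as an added example that is not part of the thread: a small authenticator that implements either a permanent "three strikes and call the admin" lockout or a time-limited one, plus a helper that shows how much online guessing each policy permits per day. The 3-attempt threshold and 15-minute window are the figures from the thread; everything else (the `Authenticator` class, the sample user, the PBKDF2 iteration count) is constructed for illustration.

```python
"""Added example, not from the Slashdot thread: permanent vs. time-limited
account lockout. Stores a salted PBKDF2 hash rather than the password itself
(a low iteration count is used here only to keep the demo fast)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3
    # None means "locked until an administrator unlocks it", which is the
    # original poster's situation; 900 seconds is the reply's 15-minute window.
    lockout_seconds: Optional[float] = 15 * 60


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_at: Optional[float] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Authenticator:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt=salt, pw_hash=_hash(password, salt))

    def _is_locked(self, acct: Account, now: float) -> bool:
        if acct.locked_at is None:
            return False
        if self.policy.lockout_seconds is None:
            return True  # permanent: only admin_unlock() clears it
        if now - acct.locked_at >= self.policy.lockout_seconds:
            acct.locked_at = None  # window elapsed: auto-unlock and reset
            acct.failures = 0
            return False
        return True

    def login(self, name: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad_password' or 'locked'. `now` is seconds."""
        acct = self.accounts[name]
        if self._is_locked(acct, now):
            return "locked"
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_failures:
            acct.locked_at = now
        return "bad_password"

    def admin_unlock(self, name: str) -> None:
        """The help-desk path: clears the lock without changing the password."""
        acct = self.accounts[name]
        acct.locked_at = None
        acct.failures = 0


def max_guesses_per_day(policy: LockoutPolicy) -> int:
    """Upper bound on online guesses an attacker gets against one account in a
    day before the lockout stops them. A permanent lockout allows exactly
    max_failures; a 15-minute window allows 3 * 96 = 288."""
    if policy.lockout_seconds is None:
        return policy.max_failures
    return int(policy.max_failures * (86400 / policy.lockout_seconds))


if __name__ == "__main__":
    auth = Authenticator(LockoutPolicy(3, 900))
    auth.add_user("reporter", "correct horse")
    for t in range(3):
        auth.login("reporter", "wrong", now=t)
    print(auth.login("reporter", "correct horse", now=3))    # locked
    print(auth.login("reporter", "correct horse", now=903))  # ok
    print(max_guesses_per_day(LockoutPolicy(3, 900)))        # 288
```

The point the reply makes falls out of `max_guesses_per_day`: a 15-minute window still caps an attacker at a few hundred guesses per day per account, which a password of any reasonable strength survives, while the legitimate user is back in without a phone call.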
I'm an SA at a large law enforcement agency. Among my responsibilities are the computers our officers use in the field. They carry large amounts of SBU (sensitive but unclassified, for those of you familiar with the protection classes used by us feds) data everywhere they go. After every three fumble-fingered attempts to log on results in a lock, I assign a valid password, do a passwd -f, hand-deliver the replacement and stand over them while they log on and change passwords. They view it as a royal PITA.
:-)
Good.
Since I started doing it this way, the number of forgotten passwords has dropped to zero and the screwed-up logons are mighty rare. Bad consequences for screwing up are a useful tool in convincing people not to screw up. Of course, I only have about 250 users to watch over. In a bigger organization, this level of personal service would be difficult. For my situation, though, this works fine. (It helps that I'm a former officer so I can get away with bullying my users like this.)
btw - We are a 100% SCO Unix shop (OS 5.0.4), from the servers to the laptops. There's not a hint of Windows anywhere on my network. And that's the way I like it.
I think that it's hard to use sane password policies with products like l0phtcrack for download and long term use (if you don't mind using cracks).
As a system administrator would you like to know that some kid could come to his Dad's office and sniff network passwords? Technology is a dangerous thing and while I think L0phtcrack is great under certain conditions, it can be used to hurt people/businesses. Put yourself in a Sysadmin's shoes.
My Freakin Blog
The best password policy is to strictly enforce:
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
this is the reason i am happy beyond belief that biometric devices are below $100 now.
password policies are always a bone of contention, no matter what level of security you implement.
I personally think 3 tries before lockout is too few on a windows system, first, especially if you're dealing with windows 95/nt combinations, since you can have multiple, different passwords. throw in a connection to a legacy system, and it's chaos.
Also, reusing passwords shouldn't be set to a high value, but perhaps only to a 10 use value.
We required passwords to be changed once a month.*
The most important thing is to teach people how to create passwords that are long and sufficiently complex, yet follow a system that can be cycled through.
Example: you're a baseball fan. Use team names, and insert random numbers in the middle. i.e.:
atlanta58braves
and shorten as needed. Next month you can switch to the (hated) Yankees, for example.
We required 10 digits at least, with numbers. People freaked out at first, but once you showed them how to do it, we had fewer problems. Well, once we fixed a dll problem that wouldn't allow you to change both 95 and NT passwords simultaneously. But that's another issue...
* The worst disaster we ever had was when the power went out at our central office 5 minutes after we implemented the policy and 2 minutes after we sent out the email telling people how to do it. When their systems came up, they of course had to change their passwords, and boy howdy, that was NOT a fun day since most did it wrong, since this was pre-DLL fix.
stored on computers from birth to the grave
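The policy this post describes (at least 10 characters, digits required) and the "team name with a number inserted" scheme it recommends, as an added example that is not part of the thread: a checker for the stated policy, and an estimate of how many distinct passwords the scheme can produce, compared with a random string of the same length. The team list and the choice of one- or two-digit numbers are assumptions made for the illustration.

```python
"""Added example, not from the Slashdot thread: a checker for the post's
policy (>= 10 characters, must contain a digit) and a back-of-envelope count
of the candidate space of the 'team name + inserted number' scheme."""
import math
import re

MIN_LENGTH = 10  # the post's "10 digits at least"

# Constructed, illustrative list; a real scheme would use a league's worth.
TEAM_NAMES = ["atlantabraves", "newyorkyankees", "bostonredsox", "chicagocubs"]


def meets_policy(password: str) -> bool:
    """The policy as stated in the post: length and at least one digit."""
    return len(password) >= MIN_LENGTH and re.search(r"\d", password) is not None


def scheme_candidates(team_names, max_digits: int = 2) -> int:
    """Count the distinct strings the scheme can produce: for every team name,
    every insertion point, and every number of 1..max_digits digits
    (10 one-digit + 100 two-digit strings = 110 numbers)."""
    numbers = sum(10 ** d for d in range(1, max_digits + 1))
    return sum((len(team) + 1) * numbers for team in team_names)


def random_alnum_candidates(length: int) -> int:
    """Space of a uniformly random password over [A-Za-z0-9]."""
    return 62 ** length


def bits(candidates: int) -> float:
    return math.log2(candidates)


def compare(team_names, length: int = MIN_LENGTH):
    """Return (scheme_bits, random_bits) so the two can be set side by side."""
    return bits(scheme_candidates(team_names)), bits(random_alnum_candidates(length))


if __name__ == "__main__":
    print(meets_policy("atlanta58braves"))   # True: passes the stated policy
    print(meets_policy("atlantabraves"))     # False: no digit
    s, r = compare(TEAM_NAMES)
    print(f"scheme: {s:.1f} bits, random 10-char: {r:.1f} bits")
```

Both checks are worth keeping in mind when a policy like this is rolled out: `meets_policy` is what the system can enforce, but `compare` shows that a memorable pattern which satisfies it spans only a few thousand candidates once the pattern is known, while a random 10-character string spans about 2^59. Length and unpredictability, not the presence of a digit, are what the policy is really after.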
With a password policy like that, I have to ask: has your network been broken into lately? Do you work for a government contractor or something else that deals with sensitive data, like a bank? Otherwise, in normal, day-to-day use, this sounds like overkill. If the admin is that worried about passwords, get a strong firewall product to protect your network from the external world, so that you can lift some of the password restrictions for local users.
If your network has been broken into lately, it sounds like an overall security audit is called for -- most of the time the problem is not that passwords aren't strong enough, but that vital services are vulnerable (holes in FTP or Web servers, for instance, or Sendmail improperly configured, or SMB over the internet). The problem could also be that the users are not careful with their passwords -- you can have the strongest password policy in the world, but if Joe in Marketing keeps giving his password to his brother every time he changes it, you will continue to have problems.
If you are working for an organization that has sensitive data and resources to protect, there are many methods of authentication that don't require passwords -- someone already mentioned biometrics. I prefer using encrypted connections, such as SSH with key exchanges, where passwords are not sent (passphrases are maintained on the local machine only and not sent over the network). Many of these are transparent to the user (though of course totally different to the machine, often requiring installation of specialized clients or other software).
Like what, actually remember their passwords?
Cthulhu for President!
(darren)