Slashdot Mirror

← Back to Stories (view on slashdot.org)

Creating Sane Password Policies?

Posted by Cliff on from the keeping-good-security-from-becoming-a-nuisance dept.

Xenocide asks: "Occasionally, while using Windows here at work, my LAN account gets locked out for one reason or another (three tries and you're out). This requires me to contact our Help Desk and have the password reset. Now, because the server administration thought it was a good idea, old passwords cannot be used again. After talking with a Help Desk person, they said there was a large increase in password resets lately. It seems to me that if you make password policies too outrageous, users will find a way to circumvent the system. Not to mention that this increases support costs. I was wondering, what password policies do other companies use? Also, how do you convince the administrators to implement reasonable ones? "

1 of 11 comments (clear)

  1. Alternatives (circumventing the system?) by dlc · · Score: 3

    With a password policy like that, I have to ask: has your network been broken into lately? Do you work for a government contractor or something else that deals with sensitive data, like a bank? Otherwise, in normal, day-to-day use, this sounds like overkill. If the admin is that worried about passwords, get a strong firewall product to protect your network from the external world, so that you can lift some of the password restrictions for local users.

    If your network has been broken into lately, it sounds like an overall security audit is called for -- most of the time the problem is not that passwords aren't strong enough, but that vital services are vulnerable (holes in FTP or Web servers, for instance, or Sendmail improperly configured, or SMB over the internet). The problem could could also be that the users are not careful with their passwords -- you can have the strongest password policy in the world, but if Joe in Marketing keeps giving his password to his brother every time he changes it, you will continue to have problems.

    If you are working for an organization that has sensitive data and resources to protect, there are many methods of authentication that don't require passwords -- someone already mentioned biometrics. I prefer using encrypted connections, such as SSH with key exchanges, where passwords are not send (passphrase are maintained on the local machine only and not sent over the network). Many of these are transparent to the user (though of course totally different to the machine, often requiring installation of specialized clients or other software).

    • It seems to me that if you make password policies too outrageous, users will find a way to circumvent the system

    Like what, actually remember their passwords?


    Cthulhu for President!
    --
    (darren)