Slashdot Mirror


Synchronizing Forced Password Changes?

aroobie asks: "I have several different types of servers running at my small office including Windows 2000 Advanced Server, VMS, IRIX, and Linux. My corporate parent wants to force passwords to change every 90 days, which is a good thing, but once a user changes his/her Windows password access to the other servers is denied until I make appropriate changes on the non-Windows servers. Sort of defeats the purpose of changing the password since each user has to give me their new password to make them match on the servers. Has anyone found a way to synchronize passwords on different systems? Is there software available to do this?"

4 of 51 comments

  1. not so simple by NotInTheBox · Score: 2, Insightful

    At the university we sometimes need it the other way around... the Linux password has to be converted to a Windows password.

    It works like this: the program asks for your password, which it then validates/authenticates with yppasswdd. If approved (this means that the string just typed is indeed the one and only true password), it asks a Windows NT box to associate the known username with the new password.

    Don't know if this could also be done in reverse however. Platform independent accounts would be a great plus. Anyone else having an idea?

    --
    What I cannot create, I do not understand
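    An added illustration of the flow NotInTheBox describes, applied to the fleet in aroobie's question: prove the current password against the authoritative system first, and only then push the new one to every other system, reporting exactly which hosts were left behind. This is example code written for this page, not a program from either poster or from any real sync tool; every "system" here is an in-memory stand-in with a constructed user and passwords, the hostnames are invented, and nothing talks to NIS, NT, VMS or IRIX.

```python
import hashlib
import hmac
import secrets


def _digest(password, salt):
    # Salted SHA-256 stands in for whatever hash each real system keeps.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


class PasswordStore:
    """In-memory stand-in for one system's password database (constructed).
    Set accept_change = False to simulate a host that refuses the push."""

    def __init__(self, name):
        self.name = name
        self.accept_change = True
        self._entries = {}

    def set_password(self, user, password):
        if not self.accept_change:
            raise RuntimeError(f"{self.name} refused the password change")
        salt = secrets.token_bytes(16)
        self._entries[user] = (salt, _digest(password, salt))

    def verify(self, user, password):
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, digest = entry
        # constant-time comparison so a wrong guess is not distinguishable by timing
        return hmac.compare_digest(digest, _digest(password, salt))


def synchronize(user, current, new, authority, targets):
    """NotInTheBox's two steps: (1) prove `current` is really the user's password
    on the authoritative system; (2) only then push `new` everywhere.
    Returns (all_ok, per-system status). A failed push is recorded rather than
    hidden, because a host left holding the old password is exactly the state
    aroobie is trying to avoid. Plaintext passwords never appear in the status."""
    if not authority.verify(user, current):
        return False, {authority.name: "current password rejected; nothing changed"}
    status = {}
    for system in [authority] + list(targets):
        try:
            system.set_password(user, new)
            status[system.name] = "changed"
        except RuntimeError as exc:
            status[system.name] = f"FAILED ({exc}); still holds the old password"
    return all(state == "changed" for state in status.values()), status


def out_of_sync(status):
    """Names of systems whose push failed, sorted for a stable report."""
    return sorted(name for name, state in status.items() if state != "changed")


def build_demo_fleet(user="alice", password="old-pass"):
    """Constructed fleet matching the question: a Linux/NIS master as authority
    plus Windows, VMS and IRIX targets, all seeded with the same password.
    The VMS stand-in is then set to refuse changes to exercise the failure path."""
    authority = PasswordStore("linux-nis")
    targets = [PasswordStore("windows"), PasswordStore("vms"), PasswordStore("irix")]
    for system in [authority] + targets:
        system.set_password(user, password)
    targets[1].accept_change = False
    return authority, targets


if __name__ == "__main__":
    authority, targets = build_demo_fleet()
    ok, status = synchronize("alice", "old-pass", "new-pass", authority, targets)
    for name, state in status.items():
        print(f"{name:10} {state}")
    print("all in sync:", ok, "| needs manual follow-up:", out_of_sync(status))
```

    The point of returning a per-system status rather than a single yes/no is the partial-failure case: after a push that only half succeeded, the admin knows which hosts still accept the old password and can fix those rather than asking the user for the new password again.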
  2. Password changing is ignorant by Eagle7 · Score: 4, Insightful

    I don't know why people harp on about changing your password as a matter of policy. In my experience, this just means that employees will find the simplest system that satisfies the heuristics, and end up with insecure passwords - such as j0e01, 02j0e, j030e, j004e, j0e05, etc - since coming up with f$6hq7# and remembering it every 90 days is a PITA. So your policy makes someone who *would* choose a secure password choose insecure ones because they don't want to keep switching. (or worse, they write them down!!!)

    On the other hand, you could educate employees on the benefits of secure passwords, tell them that as long as they pick a secure password, never share it, and never write it down, they can keep it. Yeah, some people will break the rules - but they'll have insecure passwords under any circumstances. But the folks who actually try will end up more secure.

    After all... as long as I protect its use and don't share it or record it, f$6hq7# is as secure in a year as it was the day I defined it.

    --
    _sig_ is away
    1. Re:Password changing is ignorant by perljon · Score: 5, Insightful

      Somehow, 30 days after you set the password to f$6hq7#, it was compromised. Even though it was a great password, I grabbed the /etc/passwd file and brute forced it, or I sniffed your password when you used telnet instead of ssh, I looked in through a window and a telescope and watched your fingers, I put a keyboard sniffer on your keyboard, I used high-tech equipment to detect the electrical impulses from the key, or I even watched you type it in (after all, it takes a little longer since you are a pecker instead of a typer.) Long story short, I grabbed your password. If you have passwords reset every 90 days, I have only compromised your password for 60 days instead of a year.

      The trick is educating your users on how to create good passwords from pass phrases. I.e., "I like to buy expensive high tech toys" becomes IlTbEhTt. Now, do some number replacements for capital letters; you make the rules, but make your own. I will replace capital I's with 1's and capital E's with 3's in this example: 1lTb3hTt. What we come up with is an easily remembered password because you know the pass phrase and you know the algorithm you used to create the password. (took my last sentence, took the first letter, replaced I's with 1's, E's with 3's, o's with 0's.)

      --
      This isn't the sig you are looking for... Carry on...
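      Two things in this sub-thread can be turned into a concrete check on the admin's side: Eagle7's observation that forced rotation produces counter-bumped passwords (j0e01, 02j0e, j030e, ...), and perljon's passphrase recipe for a password that is new each time yet still memorable. The example below is added here and is not code from either poster or from any real PAM module; the thresholds (four characters that did not appear in the old password, a similarity ratio of 0.6) are assumptions chosen for this illustration, the comparison to pam_cracklib's difok idea is an analogy only, and the sample passwords are the ones quoted in the comments above.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: Eagle7's counter-bumping series and perljon's phrase.
ROTATION_SERIES = ["j0e01", "02j0e", "j030e", "j004e", "j0e05"]
PASSPHRASE = "I like to buy expensive high tech toys"


def derive_from_passphrase(phrase, substitutions=None):
    """perljon's scheme: take the first letter of every word, alternate the
    case starting with upper, then apply the user's own letter->digit rules.
    The default table (I->1, E->3, o->0) is the one the comment uses."""
    subs = substitutions or {"I": "1", "E": "3", "o": "0"}
    initials = [w[0] for w in phrase.split() if w]
    cased = [c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(initials)]
    return "".join(subs.get(c, c) for c in cased)


def _skeleton(password):
    """Letters only, lower-cased: j0e01, 02j0e and j0e05 all reduce to 'je'."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_trivial_rotation(old, new, min_novel=4, max_ratio=0.6):
    """True when `new` is the old password with digits or symbols shuffled,
    a counter bumped, or a short edit. Any one of three tests fails it:
      1. identical letter skeleton (digits/symbols merely moved or incremented);
      2. fewer than `min_novel` characters of `new` are absent from `old`
         (the idea behind pam_cracklib's difok setting, thresholds assumed here);
      3. overall similarity ratio above `max_ratio`."""
    if _skeleton(old) and _skeleton(old) == _skeleton(new):
        return True
    novel = sum(1 for c in new if c not in old)
    if novel < min_novel:
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() > max_ratio


def check_change(old, new):
    """Reasons to reject a password change; an empty list means accept."""
    reasons = []
    if new == old:
        reasons.append("new password equals the old one")
    elif is_trivial_rotation(old, new):
        reasons.append("new password is a trivial rewrite of the old one")
    classes = [re.search(pattern, new) is not None
               for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    if sum(classes) < 3:
        reasons.append("use at least three character classes")
    return reasons


def rotation_series_rejected(series):
    """How many consecutive changes in a series this check would refuse."""
    return sum(1 for old, new in zip(series, series[1:])
               if is_trivial_rotation(old, new))


if __name__ == "__main__":
    derived = derive_from_passphrase(PASSPHRASE)
    print("passphrase ->", derived)                       # 1lTb3hTt
    print("rotations refused:", rotation_series_rejected(ROTATION_SERIES),
          "of", len(ROTATION_SERIES) - 1)
    print("j0e05 -> %s:" % derived, check_change("j0e05", derived) or "accepted")
```

      Every step of Eagle7's series is refused because the letter skeleton never changes, while perljon's derived password passes, which is the policy outcome the two comments are arguing about: rotation only buys the 60-day window from the comment above if the checker also refuses the rewrite the user would otherwise reach for.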
    2. Re:Password changing is ignorant by perljon · Score: 2, Insightful

      Security is like an onion. On the outside layer, everyone who walks into the office can log onto a computer and do whatever he wants using the publicly posted password. This is a trust system, and although very insecure is the cheapest solution. Peel the layer, and you introduce a private username and password that only those on the inside know. Peel a layer, and everyone gets their own username/password. Peel a layer, and everyone gets their own hard to guess/hard to crack password. Peel a layer, and everyone gets a hard to guess/hard to crack changing every 90 days password.

      Also, at each layer you introduce stuff like encryption, good physical security, regular auditing, etc. etc. etc. With each layer, you pay a little more money, at least in administration costs and complexity.

      To my point, is changing your password every 90 days going to fix all security problems? No... However, it is a cheaper solution to implement than it is to crack, so it's a no brainer to implement the policy.

      But I agree, if you don't do good in other arenas, there is little hope. In a secure environment, regular audits are done. Hopefully, backdoors and open telnet ports are found and fixed. Then when the password is changed or the patch is applied that doesn't allow a cracker to use an exploit to gain the passwd file, you've effectively locked out the cracker.

      It's not the end-all be-all security solution, but combined with other security techniques it is effective for a small cost.

      --
      This isn't the sig you are looking for... Carry on...