Password debate

I wish to stir up a password policy debate and it was suggested that
this was the place to do so. I have looked around for best practices for
password policies. I see more and more articles saying that you should
increase the complexity of the passwords and make it so that users don’t
change their passwords as often. I understand and see the logic
purported by some that a strong password should not need to be changed
as often. Some of the logic goes that people who, one, hate passwords and,
two, have to change them often will come up with a scheme that fits the
policy but is easily predictable. For instance, we have found out that a
large percentage use month and year as their password.

What I don’t see in the debate is the user expectation that they can
connect with any device from any location and access corporate data and
how that should affect password complexity and the frequency of password
changes.

Let me give you a for instance. For us, users without remote access have
the same complexity requirements but only change their password every
120 days. Users with remote access change passwords every 40 days.

The logic in this is that if they attempt access from a compromised
platform, say a computer in a hotel’s business center that has had a key
logger placed on it (or even a home computer where the kids have done
who knows what and been who knows where on the Internet), the password
that they use is then compromised but there is a limited time the
password is good for. Our VPN remote access does check for anti-virus
being up to date, a scan run in the last 30 days and so forth, but it
checks those things only after the credentials are presented, thus the
password is compromised. Remote access for things like Novell Filr and
GroupWise web access do not have the “security” checks the VPN does and
reinforce the logic listed above.

The battle I am fighting is one where the powers that be feel that 40
days is too short and we should go to 180 days or possibly never
expiring a password.

What are the prevailing thoughts in your organization regarding passwords
in general, and has any thought been put into how remote access affects
this policy?


DanW-MHTN

DanW-MHTN’s Profile: https://forums.novell.com/member.php?userid=5189
View this thread: https://forums.novell.com/showthread.php?t=482889

DanW-MHTN sounds like they ‘said’:

> What are the prevailing thoughts in your organization regarding
> passwords in general, and has any thought been put into how remote
> access affects this policy?

So my response to DanW’s comment is…

We have it set up where users need to change their password every 90
days, with these ‘complexity’ conditions set:

  1. Need 3 of the 4 conditions in their password:
    a. lowercase letters
    b. uppercase letters
    c. numbers (not to exceed more than 4 in their password)
    -This to keep them from using their phone number, mo-day-yr, etc
    d. special characters

  2. Cannot have either their first or last name in their password (something
    like 4 consecutive characters of it anyway)

  3. Have at least 3 passwords before they can repeat any passwords.
    (This is not real secure I know, but many of our users are [L]users)

We are looking at different types of remote access, and we have been
kicking around the idea of remote/mobile users needing two-form
authentication, whereas the non-mobile users only need one.

How’s that for a bold, pot-stirring statement for a debate? :wink:


Stevo
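An added example, not code from the thread: it encodes the complexity, name, reuse and 90-day age rules Stevo lists above as a checker. The thresholds come from the post; the function names and the constructed sample passwords are my own.

```python
import re
from datetime import date

# Thresholds as described in the post above.
MAX_DIGITS = 4          # more than 4 digits is rejected (blocks phone numbers, mo-day-yr)
NAME_FRAGMENT_LEN = 4   # any 4 consecutive characters of a first/last name is rejected
HISTORY_DEPTH = 3       # must use 3 other passwords before one can be repeated
MAX_AGE_DAYS = 90       # passwords must be changed every 90 days

CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def contains_name_fragment(password, name):
    """True if any 4-character window of the name appears in the password (case-insensitive).
    Names shorter than 4 characters are matched whole; that choice is my assumption."""
    pw, name = password.lower(), name.lower()
    if len(name) < NAME_FRAGMENT_LEN:
        return name != "" and name in pw
    return any(name[i:i + NAME_FRAGMENT_LEN] in pw
               for i in range(len(name) - NAME_FRAGMENT_LEN + 1))

def check_password(password, first_name, last_name, previous_passwords=()):
    """Return a list of policy violations; an empty list means the password is acceptable.
    previous_passwords is oldest-first; a real system would compare hashes, not plaintext."""
    problems = []
    classes_met = [c for c, rx in CLASSES.items() if rx.search(password)]
    if len(classes_met) < 3:
        problems.append(f"only {len(classes_met)} of 4 character classes used (need 3)")
    if sum(ch.isdigit() for ch in password) > MAX_DIGITS:
        problems.append(f"more than {MAX_DIGITS} digits")
    for label, name in (("first", first_name), ("last", last_name)):
        if contains_name_fragment(password, name):
            problems.append(f"contains part of {label} name")
    if password in tuple(previous_passwords)[-HISTORY_DEPTH:]:
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems

def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True once the password has reached the maximum age and must be changed."""
    return (today - last_changed).days >= max_age_days

if __name__ == "__main__":
    # Constructed sample: last name embedded and only two character classes.
    print(check_password("williams2015", "Dan", "Williams"))
```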

On Wed, 08 Apr 2015 22:24:13 +0000, Stevo wrote:

> We are looking at different types of remote access, and we have been
> kicking around the idea of remote/mobile users needing two-form
> authentication, whereas the non-mobile users only need one.

This is where I see things going; passwordless login is, I think, where the
industry is heading.

Jim

Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner

DanW-MHTN,

> The battle I am fighting is one where the powers that be feel that 40
> days is too short and we should go to 180 days or possibly never
> expiring a password.

Does not sound like a good idea, unless augmented by an extra
measure, such as an RSA key or mobile.


Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms

Hi,

Just to throw a spanner in the works… regardless of your password
policy you also need to “strongly” protect users against social
engineering and phishing or spear phishing attacks. It is my opinion
that these have been the greatest cause of compromised passwords.

Cheers,


Laura Buckley
Technical Consultant
IT Dynamics, South Africa

laurabuckley’s Profile: https://forums.novell.com/member.php?userid=122

Hi,

Further to my spanner in the works above, here is a good read including
reference to the West Point (military academy) Carronade that was
conducted:

http://www.educause.edu/ero/article/fostering-e-mail-security-awareness-west-point-carronade

Cheers,


Laura Buckley
Technical Consultant
IT Dynamics, South Africa


Thanks so much for the comments. I especially enjoyed the “[L]users”
(LOL). I think the makeup of the password and second factor are
relevant and helpful.

Now how about “password age” of how long a password is good for?


DanW-MHTN


DanW-MHTN sounds like they ‘said’:

> Now how about “password age” of how long a password is good for?

So my response to DanW’s comment is…

Ours need to be changed every 90 days, which for some people is still
WAY too often.


Stevo