Creating Sane Password Policies?

Xenocide asks: "Occasionally, while using Windows here at work, my LAN account gets locked out for one reason or another (three tries and you're out). This requires me to contact our Help Desk and have the password reset. Now, because the server administration thought it was a good idea, old passwords cannot be used again. After talking with a Help Desk person, they said there was a large increase in password resets lately. It seems to me that if you make password policies too outrageous, users will find a way to circumvent the system. Not to mention that this increases support costs. I was wondering, what password policies do other companies use? Also, how do you convince the administrators to implement reasonable ones? "

  • With a password policy like that, I have to ask: has your network been broken into lately? Do you work for a government contractor or something else that deals with sensitive data, like a bank? Otherwise, in normal, day-to-day use, this sounds like overkill. If the admin is that worried about passwords, get a strong firewall product to protect your network from the external world, so that you can lift some of the password restrictions for local users.


    I don't understand this response. The user's LAN should not be open to the Internet. Accounts/passwords have existed in organisations for years before most orgs decided to connect to the Internet.

    If there are segmented functions in an organisation and there are resources that can be used by some segments and not others, then you should think twice before relaxing your password regime. Even more so if you can't guarantee the physical security of your desktops at all times of the day.

  • There was an article in CACM about a year ago on this subject. (Might have been IEEE Computer: I sometimes confuse them.) The basic gist was that stricter policies (change frequency or obscurity quotients) lead people to write down passwords to keep from forgetting them, and this, of course, generates new problems.
  • My company has over a thousand users, each with at least one password. I believe that the policy your company has is fair.

    Passwords are not a systems or technology issue. They are a management issue. As soon as that is understood and policies are put in place, the problem will go away.

    Memorizing Passwords

    We recently looked into our password policies. There was much whining even among the technical folks about mandatory password lengths of at least seven characters and changes every six months. The most common complaint was 'no one can remember seven mostly meaningless characters'.

    To dispel such nonsense, ask such whiners their phone number. Then ask them what their phone number was at their last three places of residence. Ask them what their best friend's phone number is. Or their 12-digit bank account number. Or their third-grade teacher's name. Or Ken Griffey's batting average.

    Folks are certainly able to memorize random bits of information. Anyone who can't memorize seven to ten characters for a period of six months will be fired. Period. Memorizing a password is part of our job requirements.

    Password Resets

    But, some people do forget a password or lock themselves out. Then what?

    We're a newspaper, so most of our deadline work is done outside 'normal' business hours, between eight at night and two in the morning.

    It used to be common for the computer room to get frantic calls from sports reporters who had locked themselves out on deadline.

    Used to be.

    If a person needs a password reset, he has to call his direct supervisor. That supervisor has to call the division head. The division head then has to call the computer room to get the account opened.

    Not only does this better ensure that the caller is actually who he says he is, no one wants to wake his boss up at midnight on a Sunday. Further, once your boss has to wake up his boss at midnight on a Sunday, the chances are that you'll never forget your password again.

    (Those that are repeat lusers often think it better to dictate the story over the phone and fix the problem the next day than to wake anyone up.)

    InitZero

  • If I understand your post, you're saying that _every_ time a password needs to be reset, the user needs to generate a completely new one?!? Rather than just having the admin unlock the account?!? That's totally nuts! I'm in the military, and even I can't think of a system so sensitive it would justify that level of lameness... it's _far_ more trouble than it's worth. A much simpler workaround, other than just having the user identify himself to the helpdesk & having the account unlocked, is to have the account lock _for a limited time_ after too many bad tries... 15 min. is good for a basic non-sensitive system; longer for more critical areas. This will quickly shoo away/highlight brute force crack attempts, which are the only thing your current policy really protects against in the first place. It will also lower your helpdesk calls noticeably...
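The time-limited lock proposed in the comment above, next to the permanent "call the help desk" lock from the original question, as an added example (not code from the thread or any commenter). The per-account counter, the reset-on-success rule, the `unlock()` helper standing in for the help-desk reset, and the explicitly passed clock (so the policy can be driven offline without sleeping) are all assumptions of this example.

```python
"""Account lockout with a lock that expires on its own, versus one that
needs a help-desk reset. Added example, not code from the thread; the
per-account counter, the reset-on-success rule and the injected clock
(so the policy can be driven offline without sleeping) are assumptions."""
from typing import Dict, Optional


class LockoutPolicy:
    def __init__(self, max_attempts: int = 3,
                 lockout_seconds: Optional[float] = 15 * 60):
        self.max_attempts = max_attempts        # "three tries and you're out"
        self.lockout_seconds = lockout_seconds  # None: locked until unlock()
        self._failures: Dict[str, int] = {}     # consecutive bad guesses per user
        self._locked_at: Dict[str, float] = {}  # when each lock began

    def is_locked(self, user: str, now: float) -> bool:
        started = self._locked_at.get(user)
        if started is None:
            return False
        if self.lockout_seconds is None:
            return True                          # permanent: needs an admin
        if now - started >= self.lockout_seconds:
            self._clear(user)                    # window elapsed, lock expires
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """One login attempt; returns 'locked', 'ok' or 'bad'."""
        if self.is_locked(user, now):
            return "locked"      # nothing is checked while locked, even a correct guess
        if password_ok:
            self._clear(user)    # a good login resets the failure count
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self._locked_at[user] = now
        return "bad"

    def unlock(self, user: str) -> None:
        """The help-desk reset from the original post (assumed name)."""
        self._clear(user)

    def _clear(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_at.pop(user, None)


def max_online_guesses_per_day(max_attempts: int, lockout_seconds: float) -> int:
    """Ceiling on guesses per account per day that a temporary lock allows an
    attacker who retries the moment each lock expires."""
    return max_attempts * (86_400 // int(lockout_seconds))


if __name__ == "__main__":
    p = LockoutPolicy(max_attempts=3, lockout_seconds=15 * 60)
    for t in (0, 1, 2):
        p.attempt("sports_desk", False, now=t)
    print(p.attempt("sports_desk", True, now=10))        # locked
    print(p.attempt("sports_desk", True, now=2 + 900))   # ok
    print(max_online_guesses_per_day(3, 15 * 60))        # 288
```

Two things the numbers make concrete. With three tries and a fifteen-minute lock, an online guesser who retries the instant each lock expires gets at most 288 guesses per account per day, which is why the comment says the policy only ever defended against brute force. And a permanent lock has a cost the thread only hints at: anyone who knows a username can lock that user out with three deliberate bad guesses, and every such incident becomes a help-desk call; the expiring lock bounds that damage to the lock window.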
  • I can understand that; it's because users need to be trained on password policy, how to set up a password and the best way to remember it. (I have multiple passwords on various servers; after entering them x times they become second nature and I cycle through a set of them.) The big issue that can be overlooked is how safely the password is transmitted over the wire. Clear-text passwords are a big problem that no policy will overcome.

    At work, I set the passwords on all server accounts except for email and local network login, for file/print sharing. If they are locked out they need to contact me (we have a small user base, about 20 people, no biggie). Training is the key though; I have few problems in this regard because I've taken the time to work with them on how to set up a password and such. That is the key: train the users, give them treats, show them that it can be done X way and that it helps them too.
  • I'm an SA at a large law enforcement agency. Among my responsibilities are the computers our officers use in the field. They carry large amounts of SBU (sensitive but unclassified, for those of you familiar with the protection classes used by us feds) data everywhere they go. Whenever three fumble-fingered attempts to log on result in a lock, I assign a valid password, do a passwd -f, hand-deliver the replacement and stand over them while they log on and change passwords. They view it as a royal PITA.

    Good.

    Since I started doing it this way, the number of forgotten passwords has dropped to zero and the screwed-up logons are mighty rare. Bad consequences for screwing up are a useful tool in convincing people not to screw up. Of course, I only have about 250 users to watch over. In a bigger organization, this level of personal service would be difficult. For my situation, though, this works fine. (It helps that I'm a former officer so I can get away with bullying my users like this.)

    btw - We are a 100% SCO Unix shop (OS 5.0.4), from the servers to the laptops. There's not a hint of Windows anywhere on my network. And that's the way I like it. :-)
  • I think that it's hard to use sane password policies with products like L0phtCrack available for download and long-term use (if you don't mind using cracks).

    As a system administrator, would you like to know that some kid could come to his dad's office and sniff network passwords? Technology is a dangerous thing, and while I think L0phtCrack is great under certain conditions, it can be used to hurt people/businesses. Put yourself in a sysadmin's shoes.

  • It seems to me that if you make password policies too outrageous, users will find a way to circumvent the system
    Like what, actually remember their passwords?
    No, more likely write them down. When you push your users over the brink like that, that's what happens. They just figure it's easier to put it on a post-it and stick it on their monitor. Because they aren't so insane about security and don't worry about whether someone breaks into their account and steals their useless files... You must always look at things from the user's perspective. Not yourself, I mean a normal user... :)
    -Chuck
  • I've never seen a company with one of those. However, never reusing a password is clearly not sensible. (And, yes, I've circumvented THAT one many a time.)

    The best password policy is to strictly enforce:

    • Non-trivial passwords. (ie: Must NOT be crackable using a standard dictionary cracker.)
    • Should include both upper and lower case, at least one numeral (OTHER than at either end, at the end of a dictionary word, OR as a trivial "337" substitution) and AT LEAST one non-alphanumeric character (same as for numerals).
    • Passwords should expire after a sensible period of time, and not be reusable within that same length of time. What is sensible depends on the level of security involved. Secretarial work probably doesn't need an expire time less than 6 months. Top Secret 007-type work would probably use an expiry time of 12 hours or less, with OTP encryption on top of it.
    • People who pick stupid passwords should be forced to watch Bill Gates' video depositions every day for the next week. With an exam afterwards.
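One way to turn the list above into something a login system can enforce, as an added example (not the commenter's code and not any product's): a checker that implements each bullet. The word list, the leet table and the ten-character minimum are assumptions standing in for a real cracker dictionary and a site's own limits. A digit or symbol "counts" only when it is not at either end, not bolted onto a dictionary word, and not a "1337" stand-in for a letter that still spells a dictionary word.

```python
"""Password-quality checker for the rules in the comment above.

Added example, not from the thread. DICTIONARY, LEET and MIN_LENGTH are
constructed assumptions; a real deployment would load a cracker word list."""
import string

# Constructed mini word list standing in for a cracker's dictionary.
DICTIONARY = {"password", "atlanta", "braves", "yankees", "secret", "monkey",
              "dragon", "letmein", "welcome", "summer", "baseball", "admin"}

# Trivial "1337" substitutions a dictionary cracker tries automatically.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s"}

MIN_LENGTH = 10   # assumption; the thread argues for 7 to 10


def unleet(s: str) -> str:
    """Undo trivial substitutions and lower-case the result."""
    return "".join(LEET.get(c, c) for c in s).lower()


def in_dictionary(s: str) -> bool:
    return bool(s) and unleet(s) in DICTIONARY


def wordish(c: str) -> bool:
    """Letters and leet stand-ins are treated as part of a word."""
    return c.isalpha() or c in LEET


def run_before(pw: str, i: int) -> str:
    """Wordish run that ends immediately before index i."""
    j = i
    while j > 0 and wordish(pw[j - 1]):
        j -= 1
    return pw[j:i]


def run_containing(pw: str, i: int) -> str:
    """Maximal wordish run that includes index i."""
    a, b = i, i + 1
    while a > 0 and wordish(pw[a - 1]):
        a -= 1
    while b < len(pw) and wordish(pw[b]):
        b += 1
    return pw[a:b]


def counts(pw: str, i: int) -> bool:
    """Does the digit/symbol at index i satisfy the comment's placement rules?"""
    if i == 0 or i == len(pw) - 1:                   # not at either end
        return False
    if in_dictionary(run_before(pw, i)):             # not appended to a word
        return False
    if pw[i] in LEET and in_dictionary(run_containing(pw, i)):
        return False                                 # not a 1337 substitution
    return True


def check_password(pw: str) -> list:
    """Return the rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case")
    # Bullet 1: strip the digits/symbols off both ends and un-leet what is
    # left; if that is a single dictionary word, a cracker's rules find it.
    core = pw.strip(string.digits + string.punctuation)
    if in_dictionary(core):
        problems.append("dictionary word (with digits/symbols bolted on)")
    if not any(c.isdigit() and counts(pw, i) for i, c in enumerate(pw)):
        problems.append("no numeral in a position that counts")
    if not any(not c.isalnum() and counts(pw, i) for i, c in enumerate(pw)):
        problems.append("no non-alphanumeric character in a position that counts")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd!!", "atlanta58braves", "Mon7key#Pie"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Against these rules, "P@ssw0rd!!" fails three ways even though it has mixed case, a digit and two symbols, which is the point of the "other than" clauses in the second bullet. The baseball scheme a later comment recommends ("atlanta58braves") passes the numeral rule but fails on case and symbols, a concrete illustration of how far apart two reasonable-sounding policies can be. The word list here is tiny; against a real cracker dictionary the first bullet rejects far more.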
  • this is the reason i am happy beyond belief that biometric devices are below $100 now.

    password policies are always a bone of contention, no matter what level of security you implement.

    I personally think 3 tries before lockout is too few on a Windows system, especially if you're dealing with Windows 95/NT combinations, since you can have multiple, different passwords. Throw in a connection to a legacy system, and it's chaos.

    Also, the password-reuse history shouldn't be set to a high value, but perhaps only to a 10-use value.
    We required passwords to be changed once a month.*

    The most important thing is to teach people how to create passwords that are long and sufficiently complex, yet follow a system that can be cycled through.

    Example: you're a baseball fan. Use team names, and insert random numbers in the middle. i.e.:
    atlanta58braves
    and shorten as needed. Next month you can switch to the (hated) Yankees, for example.

    We required 10 characters at least, with numbers. People freaked out at first, but once you showed them how to do it, we had fewer problems. Well, once we fixed a DLL problem that wouldn't allow you to change both 95 and NT passwords simultaneously. But that's another issue...

    * The worst disaster we ever had was when the power went out at our central office 5 minutes after we implemented the policy and 2 minutes after we sent out the email telling people how to do it. When their systems came up, they of course had to change their passwords, and boy howdy, that was NOT a fun day since most did it wrong, since this was pre-DLL fix.
  • If your network has been broken into lately, it sounds like an overall security audit is called for -- most of the time the problem is not that passwords aren't strong enough, but that vital services are vulnerable (holes in FTP or Web servers, for instance, or Sendmail improperly configured, or SMB over the internet). The problem could also be that the users are not careful with their passwords -- you can have the strongest password policy in the world, but if Joe in Marketing keeps giving his password to his brother every time he changes it, you will continue to have problems.

    If you are working for an organization that has sensitive data and resources to protect, there are many methods of authentication that don't require passwords -- someone already mentioned biometrics. I prefer using encrypted connections, such as SSH with key exchanges, where passwords are not sent (passphrases are maintained on the local machine only and not sent over the network). Many of these are transparent to the user (though of course totally different to the machine, often requiring installation of specialized clients or other software).

    Cthulhu for President! [cthulhu.org]