Creating Sane Password Policies?
Xenocide asks: "Occasionally, while using Windows here at work, my LAN account gets locked out for one reason or another (three tries and you're out). This requires me to contact our Help Desk and have the password reset. Now, because the server administration thought it was a good idea, old passwords cannot be used again. After talking with a Help Desk person, they said there was a large increase in password resets lately. It seems to me that if you make password policies too outrageous, users will find a way to circumvent the system. Not to mention that this increases support costs. I was wondering, what password policies do other companies use? Also, how do you convince the administrators to implement reasonable ones? "
Re:Alternatives (circumventing the system?) (Score:1)
a bank? Otherwise, in normal, day-to-day use, this sounds like overkill. If the admin is that worried about passwords, get a strong firewall product to protect your network from the external world, so that you can lift some of the password restrictions for local users.
I don't understand this response. The user's LAN should not be open to the Internet. Accounts/passwords have existed in organisations for years before most orgs decided to connect to the Internet.
If there are segmented functions in an organisation and there are resources that can be used by some segments and not others, then you should think twice before relaxing your password regime. Even more so if you can't guarantee the physical security of your desktops at all times of the day.
CACM article on this topic (Score:1)
Seems Reasonable to Me (Score:1)
My company has over a thousand users, each with at least one password. I believe that the policy your company has is fair.
Passwords are not a systems or technology issue. They are a management issue. As soon as that is understood and policies are put in place, the problem will go away.
Memorizing Passwords
We recently looked into our password policies. There was much whining even among the technical folks about mandatory password lengths of at least seven characters and changes every six months. The most common complaint was 'no one can remember seven mostly meaningless characters'.
To dispel such nonsense, ask such whiners their phone number. Then ask them what their phone number was at their last three places of residence. Ask them what their best friend's phone number is. Or their 12-digit bank account number. Or their third-grade teacher's name. Or Ken Griffey's batting average.
Folks are certainly able to memorize random bits of information. Anyone who can't memorize seven to ten characters for a period of six months will be fired. Period. Memorizing a password is part of our job requirements.
Password Resets
But, some people do forget a password or lock themselves out. Then what?
We're a newspaper, so most of our deadline work is done outside 'normal' business hours, between eight at night and two in the morning.
It used to be common for the computer room to get frantic calls from sports reporters who had locked themselves out on deadline.
Used to be.
If a person needs a password reset, he has to call his direct supervisor. That supervisor has to call the division head. The division head then has to call the computer room to get the account opened.
Not only does this better ensure that the caller is actually who he says he is, no one wants to wake his boss up at midnight on a Sunday. Further, once your boss has to wake up his boss at midnight on a Sunday, the chances are that you'll never forget your password again.
(Those that are repeat lusers often think it better to dictate the story over the phone and fix the problem the next day than to wake anyone up.)
InitZero
too many secrets... (Score:1)
Re:CACM article on this topic (Score:1)
At work, I set the passwords on all server accounts except for email and local network login, for file/print sharing. If they are locked out they need to contact me (we have a small user base, about 20 people, no biggie). Training is the key though; I have few problems in this regard because I've taken the time to work with them on how to set up a password and such. That is the key: train the users, give them treats, show them that it can be done X way and that it helps them too.
Sounds fine to me... (Score:1)
Good.
Since I started doing it this way, the number of forgotten passwords has dropped to zero and the screwed-up logons are mighty rare. Bad consequences for screwing up are a useful tool in convincing people not to screw up. Of course, I only have about 250 users to watch over. In a bigger organization, this level of personal service would be difficult. For my situation, though, this works fine. (It helps that I'm a former officer so I can get away with bullying my users like this.)
btw - We are a 100% SCO Unix shop (OS 5.0.4), from the servers to the laptops. There's not a hint of Windows anywhere on my network. And that's the way I like it.
L0phtCrack (Score:1)
As a system administrator, would you like to know that some kid could come to his Dad's office and sniff network passwords? Technology is a dangerous thing, and while I think L0phtCrack is great under certain conditions, it can be used to hurt people/businesses. Put yourself in a sysadmin's shoes.
Re:Alternatives (circumventing the system?) (Score:2)
Sensible Password Policies (Score:2)
The best password policy is to strictly enforce:
sane password policies... (Score:2)
password policies are always a bone of contention, no matter what level of security you implement.
I personally think 3 tries before lockout is too few on a windows system, first, especially if you're dealing with windows 95/nt combinations, since you can have multiple, different passwords. throw in a connection to a legacy system, and it's chaos.
Also, reusing passwords shouldn't be set to a high value, but perhaps only to a 10 use value.
We required passwords to be changed once a month.*
The most important thing is to teach people how to create passwords that are long and sufficiently complex, yet follow a system that can be cycled through.
Example: you're a baseball fan. Use team names, and insert random numbers in the middle. i.e.:
atlanta58braves
and shorten as needed. Next month you can switch to the (hated) Yankees, for example.
We required 10 digits at least, with numbers. People freaked out at first, but once you showed them how to do it, we had fewer problems. Well, once we fixed a dll problem that wouldn't allow you to change both 95 and NT passwords simultaneously. But that's another issue...
* The worst disaster we ever had was when the power went out at our central office 5 minutes after we implemented the policy and 2 minutes after we sent out the email telling people how to do it. When their systems came up, they of course had to change their passwords, and boy howdy, that was NOT a fun day since most did it wrong, since this was pre-DLL fix.
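As an added illustration (not code from the thread), here is a checker for the policy this comment describes: at least 10 characters including numbers, a reuse history of 10, and a flag for the "team name with digits in the middle" scheme, which passes the length rule but is recoverable from a small word list. The word list, the hashing and the function names are assumptions made for the example.

```python
import hashlib
import re
from collections import deque

# Policy values from the comment above: 10+ characters with numbers,
# and a reuse history of 10 previous passwords.
MIN_LENGTH = 10
HISTORY_DEPTH = 10

# Constructed stand-in for a real dictionary (assumption for this example).
DICTIONARY = {"atlanta", "braves", "yankees", "password", "welcome"}


def meets_basic_policy(pw: str) -> bool:
    """Length and digit requirements exactly as the comment states them."""
    return len(pw) >= MIN_LENGTH and any(c.isdigit() for c in pw)


def is_word_plus_digits(pw: str, dictionary=DICTIONARY) -> bool:
    """Detect the 'atlanta58braves' pattern: remove every digit and see
    whether the remaining letters are one or two dictionary words."""
    letters = re.sub(r"\d", "", pw).lower()
    if letters in dictionary:
        return True
    return any(letters.startswith(w) and letters[len(w):] in dictionary
               for w in dictionary)


class PasswordHistory:
    """Keeps the last HISTORY_DEPTH password hashes per user to block reuse.
    SHA-256 is used for brevity; a real store would use a salted, slow hash."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.hist = {}

    def check_and_record(self, user: str, pw: str) -> bool:
        digest = hashlib.sha256(pw.encode()).hexdigest()
        q = self.hist.setdefault(user, deque(maxlen=self.depth))
        if digest in q:
            return False          # reused within the history window
        q.append(digest)          # oldest entry falls off once depth is hit
        return True


def evaluate(pw: str) -> list:
    """Return the reasons a candidate fails; an empty list means accepted."""
    reasons = []
    if not meets_basic_policy(pw):
        reasons.append("too short or no digits")
    if is_word_plus_digits(pw):
        reasons.append("dictionary words with inserted digits")
    return reasons
```

The example password from the comment satisfies the length-and-digits rule yet is flagged by the dictionary check, which is the gap a password-cracking tool exploits when users follow a predictable "system".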
Alternatives (circumventing the system?) (Score:3)
With a password policy like that, I have to ask: has your network been broken into lately? Do you work for a government contractor or something else that deals with sensitive data, like a bank? Otherwise, in normal, day-to-day use, this sounds like overkill. If the admin is that worried about passwords, get a strong firewall product to protect your network from the external world, so that you can lift some of the password restrictions for local users.
If your network has been broken into lately, it sounds like an overall security audit is called for -- most of the time the problem is not that passwords aren't strong enough, but that vital services are vulnerable (holes in FTP or Web servers, for instance, or Sendmail improperly configured, or SMB over the internet). The problem could also be that the users are not careful with their passwords -- you can have the strongest password policy in the world, but if Joe in Marketing keeps giving his password to his brother every time he changes it, you will continue to have problems.
If you are working for an organization that has sensitive data and resources to protect, there are many methods of authentication that don't require passwords -- someone already mentioned biometrics. I prefer using encrypted connections, such as SSH with key exchanges, where passwords are not sent (passphrases are maintained on the local machine only and not sent over the network). Many of these are transparent to the user (though of course totally different to the machine, often requiring installation of specialized clients or other software).
Like what, actually remember their passwords?
Cthulhu for President! [cthulhu.org]