Password expiration policy



  • In a recent thread which I can't now find, somebody (I think it was tster) said something along the lines that a policy forcing passwords to be changed every x days was not conducive to security.

    Since our auditors made us enforce a policy like this, I can see that it's led to an increase in passwords written on Post-its around the place. I also suspect people are doing things like using the current month as their password. Other than these, what are the arguments against having a password expiration policy? All arguments will be deployed when auditing time comes around again!




  • I personally think that most password policies are counter-productive:
    1) Forcing a password change every n days just leads to 'subtle' re-use, e.g. monday1, monday2... If the password-changing mechanism is clever enough to stop you doing that, then that practically guarantees that users will start writing passwords down.
    2) Forcing a password to include at least 1 number or special characters probably ensures that you can't remember it, so it will be written down.
    3) Setting up default, system-generated passwords like "erl8ji1lf_z" guarantees getting it written down (how can you remember it?). If you're going to do that, at least make it memorable, like "dog4cat" or "bum2face" or "catch33" - even I could remember those.
    4) In our office, several people use PasswordSafe or similar. But that means that all your passwords are protected by 1 single password, so that's not great. And it's now on your hard disk, which is probably less safe than on a piece of paper in your drawer.
    Personally, I write my passwords down (I have about 20 to remember, what with Unix boxes, databases, applications etc etc, and some have to change every month). This is definitely in contravention of company policy*, especially for the IT department. They are in a tatty notebook in my drawer, about 3 pages in from the back, so fairly hard to find. The one I don't write down is my NT network password, which I actually try to remember, so you still have to get past that to use the others. Security by obfuscation?

    *But I've been made redundant anyway, so whatever.


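    The "monday1, monday2" pattern described above is exactly what a history check that compares raw strings misses. As an added example (not from the thread or any poster), here is a Python check that normalises a candidate against previously used passwords before comparing, so that appended digits, a trailing "!", and leet substitutions are stripped away first. The normalisation rules, the substitution table and the edit-distance threshold are my assumptions, not anything the thread specifies.

```python
# Added example (not from the thread): catch the "monday1 -> monday2" style of
# rotation that a plain "new password != old password" history check misses.
import re

# Common symbol-for-letter substitutions, undone before comparing.
# This table is an assumption for the example, not an exhaustive list.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "|": "l", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its alphabetic 'core'.

    Lower-case, drop leading/trailing digits and symbols (the "1", "2",
    "123", "!" people append), undo leet substitutions, then drop any
    remaining non-letters.
    """
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    p = p.translate(_LEET)
    return re.sub(r"[^a-z]", "", p)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used as a 'near-identical' measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_subtle_reuse(candidate: str, history, max_distance: int = 2) -> bool:
    """True if candidate is a trivial variant of any previously used password.

    max_distance=2 is an assumed threshold; tune it against real data.
    """
    c = normalize(candidate)
    for old in history:
        o = normalize(old)
        if not c or not o:
            # All-digit/all-symbol passwords have no core; leave those to the
            # complexity check rather than the history check.
            continue
        if c == o:
            return True
        # One core contained in the other ("monday" in "mondaymonday"), but
        # only for cores long enough that containment is not coincidental.
        if min(len(c), len(o)) >= 4 and (c in o or o in c):
            return True
        if levenshtein(c, o) <= max_distance:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample history, as a user forced to rotate monthly might build up.
    previous = ["monday1", "Monday2!", "P@ssw0rd123"]
    for attempt in ["monday3", "Password2009", "correct horse battery"]:
        print(f"{attempt!r}: reuse={is_subtle_reuse(attempt, previous)}")
```

    Normalisation is a heuristic: it catches the digit-suffix and leet variants the thread complains about, but a seasonal rotation like Summer2009 to Winter2010 shares no core and passes, so a dictionary check still belongs alongside it. The history list should hold hashes in a real system; comparing normalised plaintext as above only works at change time, when the old password is available from the change dialogue.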



  • @vr602 said:

    I personally think that most password policies are counter-productive: etc

    I agree with your points, and would like to add:

    2) Forcing a password to include at least 1 number or special characters probably ensures that people use normal words with 123 tacked onto the end. That's real secure. It also beats the strength-meter of Google, which is BAD, ELGOOG, BAD.

    3) I've heard stories of such a generator that used basic syllables that regularly produced profanity. But the one our backoffice system uses is one such as you describe, and it WORKS because I can remember my password from 3 years ago even though I've never actually used it because the accounts are linked to ActiveDir anyway. A homegrown system had such a system except it would use some special chars as normal a-z chars, e.g. | for l and things like that. It's a bad method because I could never remember my password for that system.

     So a generated human password is the way to go.

    I have a note with rarely-used passwords as well, but I tend to write down the way I mentally generated a specific password, and obfuscated at that. So, er, sometimes I don't quite know what a password is. :3

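    The posts above describe two properties of a syllable-based "human" generator: it can emit embarrassing output unless filtered, and it trades entropy for memorability. As an added example (not from the thread, not any poster's system), here is a Python generator of the dog4cat shape (consonant-vowel-consonant, digit, consonant-vowel-consonant) with a rejection filter and an honest entropy figure. The alphabets, the blocklist and the output shape are my assumptions; the blocklist in particular is deliberately tiny and only illustrative.

```python
# Added example (not from the thread): a CVC-digit-CVC "memorable" password
# generator with the two things the thread shows such generators need:
# a rejection filter for embarrassing output and an honest entropy figure.
import math
import random
import re
import secrets

CONSONANTS = "bcdfghjklmnprstvwxz"   # 19; q and y left out to keep syllables pronounceable
VOWELS = "aeiou"                      # 5
DIGITS = "0123456789"                 # 10

# Constructed, deliberately short blocklist; a real one is much larger.
BLOCKLIST = ("fuk", "fuck", "shit", "cock")

_SHAPE = re.compile(r"[a-z]{3}[0-9][a-z]{3}")


def _syllable(rng) -> str:
    """consonant-vowel-consonant, e.g. 'dog', 'cat', 'gab'."""
    return rng.choice(CONSONANTS) + rng.choice(VOWELS) + rng.choice(CONSONANTS)


def generate_raw(rng=None) -> str:
    """CVC + digit + CVC, e.g. 'dog4cat'. Unfiltered: anything the alphabet
    allows can come out, including substrings like those quoted in the thread."""
    rng = rng or secrets.SystemRandom()
    return _syllable(rng) + rng.choice(DIGITS) + _syllable(rng)


def is_clean(password: str, blocklist=BLOCKLIST) -> bool:
    """Reject output containing a blocklisted substring. The digit is removed
    first so a word split across it ('coc' + '2' + 'k') is still caught."""
    letters = re.sub(r"[^a-z]", "", password.lower())
    return not any(bad in letters for bad in blocklist)


def looks_valid(password: str) -> bool:
    """True if the string has the CVC-digit-CVC shape this generator emits."""
    return _SHAPE.fullmatch(password) is not None


def generate(rng=None, blocklist=BLOCKLIST, max_tries=100) -> str:
    """Rejection-sample generate_raw() until the output passes the blocklist."""
    rng = rng or secrets.SystemRandom()
    for _ in range(max_tries):
        pw = generate_raw(rng)
        if is_clean(pw, blocklist):
            return pw
    raise RuntimeError("blocklist rejects almost everything; loosen it")


def entropy_bits() -> float:
    """Upper bound on the entropy of generate_raw(): log2 of the output space.
    19*5*19 syllables, times 10 digits, times 19*5*19 syllables is about 2^25,
    so one of these is a fine single-use reset password and a poor long-term one.
    Rejection sampling can only lower this, slightly for a short blocklist."""
    per_syllable = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)
    return math.log2(per_syllable * len(DIGITS) * per_syllable)


def demo(seed: int, count: int = 5):
    """Deterministic batch for tests/demos. Uses random.Random, which is NOT a
    CSPRNG; production callers must leave rng=None so SystemRandom is used."""
    rng = random.Random(seed)
    return [generate(rng) for _ in range(count)]


if __name__ == "__main__":
    print(f"entropy upper bound: {entropy_bits():.1f} bits")
    for pw in demo(seed=1):
        print(pw)
```

    The filter is a substring match after stripping the digit, which is why a generator that only checks whole syllables against a list still lets compound output through. The entropy figure is the more important lesson: about 25 bits is roughly the same as a random 5-character lowercase string, fine for a one-time initial password that must be changed at first login, and nowhere near enough for a password that is expected to survive for years.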


  • @dhromed said:

    I have a note with rarely-used passwords as well, but I tend to write down the way I mentally generated a specific password, and obfuscated at that.
    I'm not sure I understand. Please demonstrate with your tdwtf password.



  • @DOA said:

    I'm not sure I understand. Please demonstrate with your tdwtf password.

    Very well.

    It goes like this:

    first, you 57fu

    And then you add a 'u' (phonetically), a 't', 'w', 'i' and finally a 't'

    That good for you?



  • @dhromed said:

    I've heard stories of such a generator that used basic syllables that regularly produced profanity.

    I can find a screenshot given some time, but where I worked, we had a screenshot of a random password our software generated: cockgo2ho.  The screenshot was either taken by the CTO during an on-site visit/demo, or it was a customer that sent it in.  We had a few others, but those were more normal swears, like shit and fuck.

    But back on topic regarding stupid password policies... my girlfriend's father works at a little shop that requires password changes once a month.  And to make it even stupider, they left the password expiry warning on the default of 14 days.



  • @upsidedowncreature said:

    In a recent thread which I can't now find, somebody (I think it was tster) said something along the lines that a policy forcing passwords to be changed every x days was not conducive to security.


    nice memory.



  • @skippy said:

    @dhromed said:

    I've heard stories of such a generator that used basic syllables that regularly produced profanity.

    I can find a screenshot given some time, but where I worked, we had a screenshot of a random password our software generated: cockgo2ho.  The screenshot was either taken by the CTO during an on-site visit/demo, or it was a customer that sent it in.  We had a few others, but those were more normal swears, like shit and fuck.

    But back on topic regarding stupid password policies... my girlfriend's father works at a little shop that requires password changes once a month.  And to make it even stupider, they left the password expiry warning on the default of 14 days.


    This exact same software also generated biG2fuk not too long ago as well.



  • @vr602 said:

    They are in a tatty notebook in my drawer, about 3 pages in from the back, so fairly hard to find.  

    Not so hard to find now...  



  • @amischiefr said:

    @vr602 said:

    They are in a tatty notebook in my drawer, about 3 pages in from the back, so fairly hard to find.  

    Not so hard to find now...  

    Go on then. I'll even give you a clue: it's in the City of London...


  • I won't comment on the password expiration, but at our help desk there are a number of things that are messed up with the client's password policy. The end result is there are about 3 main passwords (like Company42, SecureEnoughf4Us and password [yup, lowercase et al]) that will probably cover 80%+ of the staff. Since in most cases only the HD or server admins can change the passwords, these never get changed to something personalized/secure until they expire; but remote people can't change their password, and have us reset the timer by resetting the password with the admin tool to their current password, which we have to ask them about over the phone (95% of these calls share a common password). Also, as I mentioned in IRC, if you really want the password of someone who isn't remote you can get us to change it knowing a little bit about the person (their first and last name; you must be able to spell the latter) and doing some very basic SE. Also a few of our applications have an interesting quirk: they will accept any password on the change dialogue, but will only accept (at login) passwords with a char length between 4 and 8, and if it ends in a specific letter you're SOL.



  • They had a password expiration policy here. After a year and a half my Windows password is "linux3". I don't log in very often.

    My most secure password is NOT the network sysadmin password. It's my bank password.



  • @AndyCanfield said:

    They had a password expiration policy here. After a year and a half my Windows password is "linux3". I don't log in very often.

    My most secure password is NOT the network sysadmin password. It's my bank password.

    It should be "GNU/Linux3".  That makes it more secure, as it contains capital letters and a slash, and furthermore it keeps rms happy. 


