Password Expiry Policy...importance?

Cep (Just Arrived; joined 23 May 2005; 6 posts)
Posted: Wed Jul 27, 2005 4:42 pm

1. It's good policy simply because it means that users are responsible for their accounts. In other words, they cannot go around saying "well, everyone knows my password" when their user account is caught doing something it shouldn't, or is hacked/virus-attacked to death.

It is done mainly to ensure that firstly the system is secure and secondly to ensure fair accountability when something does go wrong.

2. Personally, with users such as this you will find that sitting back and letting them keep whining to the president is the best option, mainly because at some point your president will realise just how troublesome this person is.

If you're really having a hard time with this individual, especially if they are making derogatory remarks, I would suggest speaking with your own departmental manager about it, or if all else fails seek out your HR manager or representative.
AdamV (SF Mod; joined 06 Oct 2004; 24 posts; Leeds, UK)
Posted: Wed Jul 27, 2005 4:51 pm

Ask some hard questions (of yourself or whoever it needs to be):

How reliable / fast is your HR process for telling you that someone has left?

Do users have permissions to each other's resources (eg a secretary to a manager's calendar, or even email)?

Do you have any kind of interactive access to stuff from the outside world (eg citrix, TS, OWA, VPN) which could allow someone who left to read or worse, copy or delete things?

Are you 100% certain no user ever gives their password to someone else? (I lost count of how many times I heard "I had to tell my secretary so she could check my email when I am out", because people don't think that you can do this more smartly so they have access using their own credentials.)

Some combinations of answers to the above would mean you need to change passwords more frequently, others less so.

30 days is a bit arbitrary to be honest, it could be 23 or 43, or any number you like. Once upon a time it probably related to a sensible requirement relative to computing power available to hack a password. Either that or the person who wrote this "standard" (probably US military at a guess) thought he could use increments for the month in the password so he would remember it more easily.

I would say that good passwords are much more important than frequently changing ones; it's all about balance. Maybe you could concede the 30 days to 45 while you keep the 10-character complexity rules turned on, and use the policy to prevent reuse for at least two years as well (so call it a minimum of 25 times).

I seem to remember something in BS1799 about this - anyone know more specifically?
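One way to turn figures like the ones in the post above into something checkable, as an added example that is not code from this thread or from any product it names: a small Python policy checker that enforces a length and complexity minimum, a maximum password age, and a reuse history. The 10-character, 45-day and 25-entry numbers are the ones floated above; the salted PBKDF2 hashing, the three-of-four character-class rule, the `Account` structure and the `demo()` walkthrough are assumptions for illustration.

```python
"""Password policy checker: complexity, maximum age and reuse history.

Added example for this thread, not code from the forum or any product it
mentions. The numeric limits follow the post above; everything else is assumed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 10          # character minimum kept turned on in the post
MAX_AGE_DAYS = 45        # the concession floated above (30 -> 45 days)
HISTORY_DEPTH = 25       # roughly two years of 30-45 day changes
PBKDF2_ROUNDS = 100_000  # placeholder iteration count, not a recommendation


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored history holds no recoverable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_errors(password: str) -> List[str]:
    """Return the list of complexity violations (empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # symbols and spaces
    ]
    if sum(classes) < 3:  # assumed rule: at least three of the four classes
        errors.append("uses fewer than three of lowercase/uppercase/digit/symbol")
    return errors


@dataclass
class Account:
    """Per-user state: (salt, hash) of recent passwords and the last change time."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_at: Optional[datetime] = None

    def is_expired(self, now: datetime) -> bool:
        """True when the password is older than MAX_AGE_DAYS (or was never set)."""
        if self.changed_at is None:
            return True
        return now - self.changed_at > timedelta(days=MAX_AGE_DAYS)

    def was_used_before(self, password: str) -> bool:
        """Constant-time comparison of the candidate against every remembered hash."""
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def change_password(self, new_password: str, now: datetime) -> List[str]:
        """Apply the change if policy allows; otherwise return the violations."""
        errors = complexity_errors(new_password)
        if self.was_used_before(new_password):
            errors.append(f"reused within the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]  # keep only the newest N entries
        self.changed_at = now
        return []


def demo() -> dict:
    """Walk one account through the policy and return the outcomes for checking."""
    acct = Account()
    day0 = datetime(2005, 7, 27)  # constructed date, matching the thread
    return {
        "expired_before_first_set": acct.is_expired(day0),
        "weak_rejected": acct.change_password("pinball", day0),
        "strong_accepted": acct.change_password("Silver-Ball-1975!", day0),
        "fresh_at_30_days": acct.is_expired(day0 + timedelta(days=30)),
        "expired_at_46_days": acct.is_expired(day0 + timedelta(days=46)),
        "reuse_rejected": acct.change_password("Silver-Ball-1975!", day0 + timedelta(days=46)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The history holds salted hashes rather than the passwords themselves, so the reuse check does not become a second copy of every credential the directory has ever seen; that is the detail most often got wrong when a history rule is bolted onto a homegrown login system.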
njan (Trusted SF Member; joined 02 May 2005; 9 posts; Scotland, UK)
Posted: Wed Jul 27, 2005 4:53 pm

Quote:

1. Can anyone tell me why (specifically) it is important to change passwords every 30 days? I've heard it over and over again, but never fully explained (in English that is...).


It isn't; actually, research indicates that above a point, the more you restrict your password policy, the more you compromise your network through cyclic passwords, iterative passwords, and passwords shared/written down. The most restrictive password policy I've set in place on a network has been 8 characters, 60 days, and I don't think that changing them more often than this (in an average office environment) really helps.

There are several articles on this online from many sources, including Microsoft. The 'choose a complex password and write it down' crowd also have several articles online, including a mention in this month's edition of Crypto-Gram. Whilst I don't necessarily agree with this, I don't think that memorised 30-day, 15-character password policies are the answer to (office) computer security.

Quote:

2. What can I do to make this guy understand that there is a reason for everything I do on the network... This isn't the first time I've had problems with him (complained about ctrl-alt-del, daily virus scans... wanted to eliminate the login screen and change virus scans to weekly scans). Every time this dude notices something he isn't used to he runs and whines about it. When confronted on policy, I tell him "it's a Windows security measure". To be honest, I'm afraid to talk to him (along w/ everyone else here) because he has a potty mouth and comes off in a real condescending manner... not to mention, I haven't heard a positive thing come out of his mouth since I've been here. What do I have to do to make sure he quits questioning my judgement, whining... or make sure his whining falls on deaf ears? Isn't it my job to provide him with a secure work environment? If I'm not mistaken that's what I'm doing. I'm working on SOPs right now, but don't really know where to start (since this will be my first IT SOP, and is for us to get certified for something or other).


You don't have to, it's your job; as long as you're doing your job properly and keeping the people who have power over you happy, I wouldn't worry about it. Try and alleviate his concerns as best you can, but at the end of the day, you're only going to antagonise yourself and him further by flogging a dead horse. Make sure your manager understands your concerns and sees that you're reasonable beyond the pale in trying to resolve the issue and allay your user's concerns.
zeedo (SF Reviewer; joined 01 Sep 2004; 24 posts; Scotland)
Posted: Wed Jul 27, 2005 4:58 pm

Quote:

Every time this dude notices something he isn't used to he runs and whines about it.


Tell him (and copy his and your managers in on the email) that it is your responsibility to ensure system security. Explain that the user has access to certain resources (list the most important ones) and you have to protect those. Since it's your responsibility, you will put in security measures that are as unobtrusive as possible; when they require changes to procedures, proper training will be given, as will reasonable notice. Explain that password policy is a small part of an in-depth security solution following industry practices: you didn't invent them, but you have the knowledge and training to know you should follow them.

Explain how, without a well-thought-out password policy, there's a serious decrease in security. However, if you have management sign-off on your policies (which you should) then he has no reason to talk to you. Also make sure the users will follow the policy; there's no point changing passwords if they just cycle simple passwords all the time.

When implementing policy I find it's best to do it like this:

- Determine what you'd like to have.
- Determine what your users would like to have.
- Determine how to deliver as much as possible of your plans without affecting the user directly.
- Speak to management and users about the changes that will affect them, show a clear case for why you need them and let the managers decide what goes in and what doesn't (then they become responsible for the policy which is how it should be)
- Document your plans, get management sign-off on the document
- Get the users to sign a company policy with all the steps they must take to comply with the policy.
- Implement the changes

After this, if anything goes wrong, a user ignores the policy or complains about it, you have a variety of documents and signatures to throw at them; let them then fight through that to get you to change it. This ensures you stay as close to best practice as possible, include all levels of user AND cover your ass if they decide to ignore it. Seems like a lot of work, but if it's done right you won't have to repeat it, and trust me, people rarely fight through a policy that is well thought out unless they have a very valid reason, and in that case the policy should be changed anyway.
njan (Trusted SF Member; joined 02 May 2005; 9 posts; Scotland, UK)
Posted: Wed Jul 27, 2005 5:09 pm

Quote:

When implementing policy I find it's best to do it like this:

- Determine what you'd like to have.
- Determine what your users would like to have.
- Determine how to deliver as much as possible of your plans without affecting the user directly.
- Speak to management and users about the changes that will affect them, show a clear case for why you need them and let the managers decide what goes in and what doesn't (then they become responsible for the policy which is how it should be)
- Document your plans, get management sign-off on the document
- Get the users to sign a company policy with all the steps they must take to comply with the policy.
- Implement the changes


That's definitely not the njan method of implementing password policies :P
zeedo (SF Reviewer; joined 01 Sep 2004; 24 posts; Scotland)
Posted: Wed Jul 27, 2005 5:12 pm

I'm also an expert in the njan method:

- Determine what you'd like to have.
- Implement the changes

:D
njan (Trusted SF Member; joined 02 May 2005; 9 posts; Scotland, UK)
Posted: Wed Jul 27, 2005 5:17 pm

Quote:

I'm also an expert in the njan method:

- Determine what you'd like to have.
- Implement the changes


There's no need to over-complicate the process! The two steps can be combined to form one efficient, fell swoop! :twisted:
zeedo (SF Reviewer; joined 01 Sep 2004; 24 posts; Scotland)
Posted: Wed Jul 27, 2005 5:26 pm

There are a few policy templates on the SANS site that you could work from; they range from AUPs to internal lab and remote access policies.

You should find enough there to get you going; if you need something else let us know :)
larsmhansen (Trusted SF Member; joined 11 Jan 2003; 0 posts; Boston, MA, USA)
Posted: Thu Jul 28, 2005 6:39 pm

There's nothing wrong with writing down the password(s), as long as it's not on a postit note on your monitor or on/in your desk.

Considering the vast number of passwords/accounts that many people have, they will often use the same password for all their accounts (because they have been trained not to write them down), because it's easier to remember one password than 20...

However, 20 passwords is infinitely better than one. In the event that someone does manage to get hold of one of your passwords, they won't have instant access to your online banking, credit cards, message board accounts and everything else.

So, having a piece of paper in your wallet (or otherwise on your person) with your password on it might actually be a better way of ensuring good passwords, and less complaining about having to change them...
zeedo (SF Reviewer; joined 01 Sep 2004; 24 posts; Scotland)
Posted: Thu Jul 28, 2005 8:40 pm

Quote:

There's nothing wrong with writing down the password(s), as long as it's not on a postit note on your monitor or on/in your desk.


I hope you are joking?

So some customer services operator at my bank loses her wallet and I get my account reamed? No thanks.

How about people just use easy-to-remember long passwords:

"3ver sinc3 1 WAS a young boy I played that silver ball!"

Meets even the most stringent password policies, won't need to be written down as it's easy to remember and even if I told you what song it came from you'd still have a hard time cracking it.

Good passwords are the answer, not writing it down. Good being easy to remember AND secure; no one ever said they had to be mutually exclusive.

This may seem like a slightly long password to type, but if you have a single sign-on solution (which you should if your users have a lot of passwords) then it's only needed 1-3 times a day, so it's no big deal.

Train the users on how to make security less of an inconvenience, but if you tell them to write their passwords down then you're the one requiring training IMO.
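A way to put the "long but memorable" argument above into numbers, as an added example that is not code from this thread: the Python below estimates the brute-force search space of a password from the character classes it uses and its length, and sets that beside a word-by-word guess of a passphrase. The character-class model, the 50,000-word dictionary size and the 10^10 guesses-per-second rate are assumptions chosen for illustration, not measurements of any real cracking setup; the `compare()` helper and the 8-character sample are constructed here. The word model also treats the phrase as random dictionary words, which overstates the strength of a well-known lyric that already sits in wordlists, and that is the caveat a defender should keep in mind when recommending this style.

```python
"""Guess-space estimates: short complex password vs. long passphrase.

Added example for this thread, not code from the forum. The models and
the attacker rate are assumptions for illustration only.
"""
import math
import string

GUESSES_PER_SECOND = 1e10      # assumed offline attacker throughput against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICTIONARY_WORDS = 50_000      # assumed size of the word list used for phrase guessing
SYMBOL_CLASS = set(string.punctuation + " ")  # 32 ASCII punctuation marks plus space


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in SYMBOL_CLASS for c in password):
        size += len(SYMBOL_CLASS)
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the space searched when the password is treated as random characters."""
    return len(password) * math.log2(alphabet_size(password))


def phrase_bits(passphrase: str, dictionary_words: int = DICTIONARY_WORDS) -> float:
    """log2 of the space when the attacker guesses whole words instead.

    Case and digit-for-letter swaps are deliberately ignored, so this is the
    more conservative (defender-side) estimate of the two."""
    words = passphrase.split()
    return len(words) * math.log2(dictionary_words)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a space of 2**bits at the assumed rate."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def compare(short_complex: str, long_phrase: str) -> dict:
    """Return the estimates side by side for the two password styles."""
    return {
        "short_bits": brute_force_bits(short_complex),
        "short_years": years_to_exhaust(brute_force_bits(short_complex)),
        "phrase_char_bits": brute_force_bits(long_phrase),
        "phrase_word_bits": phrase_bits(long_phrase),
        "phrase_years_conservative": years_to_exhaust(phrase_bits(long_phrase)),
    }


if __name__ == "__main__":
    # Constructed 8-character example vs. the lyric quoted in the post above.
    results = compare("Tr0ub4d&", "3ver sinc3 1 WAS a young boy I played that silver ball!")
    for name, value in results.items():
        print(f"{name}: {value:.3g}")
```

Even under the conservative word model the 12-word phrase comes out far ahead of an 8-character password built from all four character classes, which is the point being argued; what the numbers cannot capture is how far a quoted lyric falls below "random words", which is why the phrase should be one the user invents rather than one everyone knows.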
AdamV (SF Mod; joined 06 Oct 2004; 24 posts; Leeds, UK)
Posted: Thu Jul 28, 2005 9:17 pm

Oi, P1n8a!! W124rd ! Calm down!

I sit firmly on the fence on this one at the moment. The problem is all the systems you don't control, many of which won't allow nice long passwords. Users have loads of different systems to access these days and that's why they find this a problem.

Every time someone asks them for a password they rack their brains to think of one, not sure if they should re-use an old one etc., and end up with easily a dozen or more, get confused and so they dumb down.

I would advise users to pick at least three or four passwords along the following lines:

1) one you always re-use for things like websites where you have to register to get at something but you don't really care. Must be nothing to do with any others. Make it easy to remember - you may want to visit the same site again in the future. I actually have a gmail account which I only use for this sort of stuff where I think there's a spam risk, and a password which relates to that name.

2) a secure one you use for more important things; might not be very strong, might be used for telephone transactions (e.g. calling your mobile service to change something in your contract, they often want proof that you are you). Needs to be something you can easily say over the phone unambiguously, does not have to be a real word (they can see the thing you originally gave so they are expecting whatever you say). You may need a second one in this class for more security if you do things like telephone banking. If they only ask for individual letters you can use a non-word but there's less point.

3) a super strong one you only use when it matters: online shopping sites which remember your shipping and billing details, for example. Never use for anything in category one or two, never give it to anyone (in case they guess you use it a lot), never use as a password you have to give as a complete word over the phone (possibly could be the second one of type two since the operator only asks for single letters, so anyone overhearing does not hear you say the whole thing). Should not need writing down because you pick something strong but memorable and use it quite a lot.

4) a super strong password which changes reasonably often: either very long OR very complex (IMHO both is overkill), depending on whether you can type forty characters reliably or not. This would be your network password, for example.
If it's long (like a song lyric) there should be no real need to write it down, but if it is one you don't use often (my enterprise admin account, for example) you might want to write down a clue (eg "pinball") to remind you.
If it is short but complex, write down an obfuscated version. Maybe you know what letters you always swap for characters, so write the original letters and swap them in your head when you use it. Maybe add some null chars in front or end or both. The written string D00lP1n8411!ttL3 would still take someone lots of effort to work out that this is Pinball embedded in Doolittle, and they still don't know which part is the password or the whole thing (actually it's a clue to El!3ltonZa). With a sensible lockout policy this should be secure enough.
More obfuscation measures: write down multiple strings on the same piece of paper - you should know which is the right one but who else will? I used to have a 5x5 grid of numbers written down which contained three PINs but it would have been hard for someone else to guess which digits to use.
Obviously lack of context is essential, so don't write down an accompanying username, or even notes like "bank" or "work". Unless they are lies to confuse further.
You can even end up with something of a steganography / hide in plain sight effect going on - who knows the address of an old school friend written on a post it on your desk is actually your password (with the first character of every line put to the end when you type it)? Not that I think most users would be smart enough (paranoid enough) to use this idea properly.

Like anything, advising users not to do something may not stop them - they may very well decide to write it down anyway but hide it so you don't tell them off. So, accept and embrace this and give them advice on how to do this sensibly if they must do it at all. Bottom line - if they do have write it down they must secure that piece of paper properly, in a wallet or whatever.
I heard of one place that bought a load of fairly cheap key fobs with paper inserts that users could put their passwords or password hints on. This meant they kept it with their keys (which they want to keep safe) but not in their wallet (which would have information identifying who the password belonged to).

That reminds me - password hints for websites (or if you use clever software to let users reset their own password after lockout). I always use exactly the same answer regardless of the question.
First pet's name? Favourite colour? Mother's maiden name? place of birth?
A: Marmalade (made up example obviously).
Anything asking for a date as a reminder question I use a family member's birthdate, not my own (especially if that's what they ask for).
If an unscrupulous (or insecure) website has a record of your mother's maiden name and birthday along with your name and home address, identity theft is not far away.
zeedo (SF Reviewer; joined 01 Sep 2004; 24 posts; Scotland)
Posted: Thu Jul 28, 2005 9:43 pm

The wider password picture is different as you obviously can't set a policy on those.

Our consideration is the local services which we can control; for these we have an integrated login system (AD/Kerberos for example) which needs one password for many, many services, and this can be augmented with many products which will cover everything, even websites.

In order to protect the infrastructure this should be one of the more secure passwords in your options. Writing this down should never happen and should be a disciplinary offence.

If you have access to important information, that information should be protected properly. I don't care that you have 60 different passwords to remember at home; if your email account gets hacked, that's your email and your problem. The company systems are the responsibility of the security administrator, and she should only be asking you to remember one password at a time, which should change at a reasonable frequency. If someone compromises this password there is a lot more that can happen, like identity and monetary theft affecting possibly thousands of people (depending on the user's job role). This is not just another website password; it's someone's business, many people's personal details and probably many people's money. If the user doesn't have the mental capacity to remember a single string that only changes once a month then they probably shouldn't be in that job. This isn't hard; a 3-year-old can memorise strings this long and they don't even know what they are (I didn't make that up: I have a 3-year-old and he can remember strings much longer than my example).

The "too many passwords" excuse doesn't wash with me. The login password to the company systems is the only important one; everything else affects only you, while the company systems affect many more people and should be protected.

I have access to quite a few systems as a consultant (enough to be able to shoot off to the Bahamas with a few million before anyone noticed). I have good long passwords for each of them, with rotating passwords; I don't write any of them down and I don't ever forget them. I do however have Firefox remember all my personal website passwords for convenience, even though it's leaning towards insecure (it's single sign-on so it is secure to a degree). This doesn't mean I'm superhuman; I don't have special memory techniques or an insanely high IQ, I just remember these important passwords because I appreciate their importance. Anyone can do this; you get taught how to remember things at school, it isn't difficult. If it's important to you, you will remember it.

This is where my main point comes in: the users don't always realise the importance of their password, and many hold their Hotmail account as more important to them. Which is why you train them on how to create and remember a good password, and reward them when possible for protecting the company's interests.

Security is about making things convenient and secure, with as little trade off on either one as is reasonably possible. When you do have to trade-off in favour of security then you must ensure the users can handle this. You will find usually they can, provided they have proper training.
AdamV (SF Mod; joined 06 Oct 2004; 24 posts; Leeds, UK)
Posted: Fri Jul 29, 2005 12:15 am

All fair points. I actually do exactly as you do with passwords for networks (I have three accounts on my own domain with different strong passwords, and different ones again for customer sites).

However, my own good practice is a little different from what I expect of lazy users who are perhaps very intelligent and knowledgeable in their field but not of the tech-savvy mentality, or just disinterested.

As I said, I try to encourage users to think of different passwords but group them together to help them have fewer overall, so changing a network password becomes less of a headache. I don't positively encourage people to write things down, but accept that if they will, then they should at least try to do this in a smarter way and need pointing in the right direction.

To me it's a bit like learning how to get a car out of a skid safely - it's much better to drive more slowly and keep more room around you to have more time to react and not get into a skid in the first place. But you can't pretend it will never happen, so it is better to know how to deal with it properly.

I prefaced my thoughts by saying that I'm on the fence a little on this one. I am used to seeing some pretty appalling practice: an entire IT department with domain admin rights on their normal accounts used all day, for example. So I am maybe a bit worn out as an evangelist for super best practice on this and think there must be a middle ground which is significantly better than what some people have right now.

In my very humble opinion
I enjoy a good healthy argument, I think it shows real belief when people stand up for their thoughts, so while I may not agree, I certainly don't feel worse about people who think I am wrong.

There's two sides to every argument: my side, and the wrong side! ;)

Aside: Just about the only passwords I don't let Firefox keep for me are my email (company and private) and this forum - I think allowing anyone to use those accounts and say things using my (hopefully good) name would be a bad idea. (since Firefox can display the saved passwords I can only assume they are stored either in plain text or in reversible encryption, either way I don't trust it enough).

Aside2: I used to use the njan method of "one step policy creation" (not such a great idea with client's networks these days). It got me into trouble a few times, but I never had to undo a policy in the end and things got done and secured!
zeedo (SF Reviewer; joined 01 Sep 2004; 24 posts; Scotland)
Posted: Fri Jul 29, 2005 12:36 am

Quote:

As I said, I try to encourage users to think of different passwords but group them together to help them have fewer overall, so changing a network password becomes less of a headache. I don't positively encourage people to write things down, but accept that if they will, then they should at least try to do this in a smarter way and need pointing in the right direction.


I know people that do that; never tried it myself so couldn't recommend its effectiveness to a user. It is one of the better ideas for remembering passwords, although could most users come up with a good scheme? My fear is they'd take the example scheme and use that, which would be utterly obvious for an attacker to figure out.


Quote:

I prefaced my thoughts by saying that I'm on the fence a little on this one. I am used to seeing some pretty appalling practice


My rant was more of a personal moan than directed at you, I was also still half talking to the previous poster.

Quote:

I enjoy a good healthy argument, I think it shows real belief when people stand up for their thoughts, so while I may not agree, I certainly don't feel worse about people who think I am wrong.


Hell yeah, nothing gets done without a bit of arguing, although debate's a better word :)

Quote:

since Firefox can display the saved passwords I can only assume they are stored either in plain text or in reversible encryption, either way I don't trust it enough


They'd have to be reversible so the browser can present it to a site.

Quote:

I used to use the njan method of "one step policy creation" (not such a great idea with client's networks these days). It got me into trouble a few times, but I never had to undo a policy in the end and things got done and secured!


That joke stemmed from a post njan and I shared. Whilst there I had worked up the ladder and found it harder to get things past people above me and on the same level, because of my previous positions. njan came in later when the company was larger and didn't have this issue, and just started getting things done. This led to a more secure system but a lot more complaints from users. My method's flaw was that it wasn't as forceful, so had less complaint, but I had to deal with known security gaps. From the experience of this we both have a decent understanding of how to work through a system and get things done without pissing people off; as I noted, it boils down to the audit trail. Make other people leave a trail and make them follow it like you did; most of the time they won't bother and your hard work pays off: you get your secure system and the users go along with it.

The serious downside to this is circumvention; users will circumvent it. In this case they circumvent by writing down passwords. This is why I advocate training and awareness. In my, not even close to humble :P , opinion the users will circumvent things they don't like and don't understand; if you help them understand it they are more likely to follow it.

It also helps if you give sweets to the people whose accounts take longest to crack, and then have an office party the first time you don't crack anyone's before the changeover period. :P
Make a toast
Page 1 of 2