Password policy
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
We have an ISO, which forces us to change password every 3 months and keep history of eight 'ages', and of course it must be a complex password... The only result is that now all manage a text/excel file to keep tracking of the 8 'ages' and complexity... also all creates password based on a pattern... I feel so safe... :-) The first thing I done after the first period is remove this from my user...
Skipper: We'll fix it. Alex: Fix it? How you gonna fix this? Skipper: Grit, spit and a whole lotta duct tape.
-
We have an ISO, which forces us to change password every 3 months and keep history of eight 'ages', and of course it must be a complex password... The only result is that now all manage a text/excel file to keep tracking of the 8 'ages' and complexity... also all creates password based on a pattern... I feel so safe... :-) The first thing I done after the first period is remove this from my user...
Skipper: We'll fix it. Alex: Fix it? How you gonna fix this? Skipper: Grit, spit and a whole lotta duct tape.
So change your password every month to My_ridiculous_password_1 through My_ridiculous_password_12 and then start over from the beginning.
Wrong is evil and must be defeated. - Jeff Ello
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
It's their server, so they're right, so you have to deal with it. It is, however, your right to complain bitterly to whomever will listen.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
You're both right.
-
So change your password every month to My_ridiculous_password_1 through My_ridiculous_password_12 and then start over from the beginning.
Wrong is evil and must be defeated. - Jeff Ello
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
Such passwords will be written down. If someone changes the lock on their front-door each month, I'd be inclined to say that they haven't looked into securing the house at all and are merely copying others. I'd also be testing their password recovery/reset options at least twice a month :thumbsup:
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
Head of IT at another company I work for sent me a login for one of their systems... the password? W3bl0g1n! :omg:
Nice. What was the name of the company again?
Wrong is evil and must be defeated. - Jeff Ello
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
It depends. If they're in an industry that has applicable cyber regulation then they may absolutely need to do this to maintain compliance. Thirty days seems a little on the sharp side, but that's all contingent on the laws in the primary operational area for the company. Also, the general "wisdom" on the security side is that complex passwords that are changed on a regular basis are still a fundamental security practice. The zeitgeist has not shifted on that; though there are a number of increasingly vocal individuals that advocate for a less complex strategy, they don't represent the viewpoint of the community as a whole. Use [KeePass](https://keepass.info/) to keep it easy. I just use the "Generate from last" and go.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
A_Griffin wrote:
I'm not really a security expert
I'm not sure anyone really is. It's my understanding that most major security breaches are not through guessing someone's password but through other security holes so I don't think these policies do any good at all.
Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
-
It depends. If they're in an industry that has applicable cyber regulation then they may absolutely need to do this to maintain compliance. Thirty days seems a little on the sharp side, but that's all contingent on the laws in the primary operational area for the company. Also, the general "wisdom" on the security side is that complex passwords that are changed on a regular basis are still a fundamental security practice. The zeitgeist has not shifted on that; though there are a number of increasingly vocal individuals that advocate for a less complex strategy, they don't represent the viewpoint of the community as a whole. Use [KeePass](https://keepass.info/) to keep it easy. I just use the "Generate from last" and go.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
Yes, if they are too lazy to restrict access for ex-employees, then it would pay to change those passwords every 30 days. Would give said employee to the end of the month to create chaos. It is nonsense.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
Not just gratuitous self-promotion (because that doesn't work well) but you could really try my C'YaPass program (Users Hate Passwords (We're All Users): Never Memorize a Password Again[^]). It's free, open source, and there is code for 4 major platforms (windows, web, android, ios). The coolest thing in the latest version is that it remembers all those annoying password requirements* now. *Add uppercase, add special character, length req
-
Nice. What was the name of the company again?
Wrong is evil and must be defeated. - Jeff Ello
M1cro50ft.
-
Yes, if they are too lazy to restrict access for ex-employees, then it would pay to change those passwords every 30 days. Would give said employee to the end of the month to create chaos. It is nonsense.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
No, if the organization is subject to regulation then out-processing requirements are likely required as well, which should include account closure. Of course, if there are a ton of different systems without a central AAA mechanism then it might be as you suggest, but only a complete moron would consider that a security strategy. This isn't an insider threat mitigation strategy. As I said, 30 days is a bit much, but at least 90 (with deviation requirements) is pretty on-point to prevent re-use issues if a third party is compromised. It's not perfect, but it's far better than nothing.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
No, if the organization is subject to regulation then out-processing requirements are likely required as well, which should include account closure. Of course, if there are a ton of different systems without a central AAA mechanism then it might be as you suggest, but only a complete moron would consider that a security strategy. This isn't an insider threat mitigation strategy. As I said, 30 days is a bit much, but at least 90 (with deviation requirements) is pretty on-point to prevent re-use issues if a third party is compromised. It's not perfect, but it's far better than nothing.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
Nathan Minier wrote:
This isn't an insider threat mitigation strategy. As I said, 30 days is a bit much, but at least 90 (with deviation requirements) is pretty on-point to prevent re-use issues if a third party is compromised. It's not perfect, but it's far better than nothing.
It is patchwork for someone who is too lazy to control the entire chain, and it is evil; it gives the impression of added security, where there isn't.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
A_Griffin wrote:
One of my clients
They are paying you to do a job; either do it with their requirements or don't get paid. Have you heard of how many control systems get hacked because people didn't change default passwords or change them on a regular basis? It is not so much an issue in the U.S.A. where companies are required by federal law to maintain secure environments, but it is still a threat.
-
Nathan Minier wrote:
This isn't an insider threat mitigation strategy. As I said, 30 days is a bit much, but at least 90 (with deviation requirements) is pretty on-point to prevent re-use issues if a third party is compromised. It's not perfect, but it's far better than nothing.
It is patchwork for someone who is too lazy to control the entire chain, and it is evil; it gives the impression of added security, where there isn't.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
I disagree. There is no "control the entire chain" when a user can use the same password on my system as on a third party system, and I have no idea what precautions that system might have in place. Compared to the risk of compromise of credentials through third parties, the risk that an employee might keep a written ledger of passwords (or use a password manager) is much easier to accept. As an SA or ISSO, I have no control over what passwords users have on other systems; but if I make them change it often enough I can reduce the risk of password reuse, and risk reduction is all that you can do in security. Not having password change requirements is frankly "lazy", as you are not only putting your system at risk, but any other that the user might have an account with.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
I disagree. There is no "control the entire chain" when a user can use the same password on my system as on a third party system, and I have no idea what precautions that system might have in place. Compared to the risk of compromise of credentials through third parties, the risk that an employee might keep a written ledger of passwords (or use a password manager) is much easier to accept. As an SA or ISSO, I have no control over what passwords users have on other systems; but if I make them change it often enough I can reduce the risk of password reuse, and risk reduction is all that you can do in security. Not having password change requirements is frankly "lazy", as you are not only putting your system at risk, but any other that the user might have an account with.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
Nathan Minier wrote:
but if I make them change it often enough I can reduce the risk of password reuse
No, now you are increasing that risk. Januari01, February02, March03..
Nathan Minier wrote:
and risk reduction is all that you can do in security
My world has to be black and white; either something can be trusted, or it can't. If it is outside my control, there will be no trust.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
Nathan Minier wrote:
but if I make them change it often enough I can reduce the risk of password reuse
No, now you are increasing that risk. Januari01, February02, March03..
Nathan Minier wrote:
and risk reduction is all that you can do in security
My world has to be black and white; either something can be trusted, or it can't. If it is outside my control, there will be no trust.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^] "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
That's not the password reuse I'm referring to. Most users will use the same password on multiple systems. If system A has a more frequent password refresh period than system B, after that first refresh period they will be different from each other unless the user explicitly changes system B at the same time. However, most users will only change a password because they're prompted to, not because they had to for a different system, and they just end up tracking more passwords (again, why I advocate password managers).
Eddy Vluggen wrote:
My world has to be black and white; either something can be trusted, or it can't. If it is outside my control, there will be no trust.
That's cool and great for dev work; but that viewpoint does not work for security modelling. Security models are built on people, which are more effectively tracked by statistical plotting than by binary behavior models.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to connive them that the received wisdom these days from security experts is that this is not a good idea - eg: The problems with forcing regular password expiry - NCSC Site[^] Time to rethink mandatory password changes | Federal Trade Commission[^] but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me.... but it's a pain in the derrierre .... am I right, or are they?
[NIST](http://nist.gov) has also changed its tune re: password change frequency, although I can't find their official policy document right now.
