Password policy
-
Nathan Minier wrote:
Most users will use the same password on multiple systems. If system A has a more frequent password refresh period than system B, after that first refresh period they will be different from each other unless the user explicitly changes system B at the same time.
So, by forcing the user to adapt to a predictable pattern, or find a way to game the system (as told by a co-worker, change the password four times, and it accepts the first, even if it is reused), you make things more secure? So, one of us goes for a rubber, the other for sterilization :)
Nathan Minier wrote:
Security models are built on people, which are more effectively tracked by statistical plotting than by binary behavior models.
Now you're not building on people, but on a matrix of risk vs. damage. A leak plugged with duct-tape is still a leak.
Bastard Programmer from Hell. If you can't read my code, try converting it here. "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
The level of mental gymnastics that you're going through to justify being too lazy to change a password is astounding. If you put that much effort into understanding the other side of the argument, you might have a shot at understanding threat modelling.
Eddy Vluggen wrote:
So, one of us goes for a rubber, the other for sterilization :)
No, the only "sterile" computer is one that's powered down. I prefer my systems to be functional.
Eddy Vluggen wrote:
Now you're not building on people, but on a matrix of risk vs. damage. A leak plugged with duct-tape is still a leak.
Sure, but that matrix is based on a continuum of behavior, not a fantasy binary existence. Your analogy is insipid BTW, your attitude is to not attempt to plug the leak at all.
Eddy Vluggen wrote:
(as told by a co-worker, change the password four times, and it accepts the first, even if it is reused),
FYI both pam_cracklib and LAPS can be configured to flag an age on passwords, i.e. no reuse for a set time. Windows 2K+ can set a minimum password age via GPO. If users can cycle their passwords back to original in your environment, then clearly your security people are out of their depth.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
Jörgen Andersson wrote:
My_ridiculous_password_1 through My_ridiculous_password_12
Where I am now had the setting so it wouldn't let you re-use the last 9 passwords until they realized that the majority of employees were just using My_easy_password_1 to My_easy_password_0 then starting over at 1. So the fix? Change it to not allow you to use the last 20 passwords! Bet you can't guess what changed.
RJOberg wrote:
So the fix? Change it to not allow you to use the last 20 passwords! Bet you can't guess what changed.
The obvious solution is to not allow numbers at the end or start of a password. Of course that just leads to people using things like my1password, my2password, etc. So obviously you also have to require the first four characters of the password to be different each time as well.
-
One of my clients, with whom I have an email account set up, has a company policy on enforced password changes every month, which drives me nuts. I've tried to convince them that the received wisdom these days from security experts is that this is not a good idea - eg: "The problems with forcing regular password expiry" (NCSC site) and "Time to rethink mandatory password changes" (Federal Trade Commission) - but as I'm not really a security expert myself perhaps I shouldn't be pushing this... anyway, they aren't listening to me... but it's a pain in the derrière... am I right, or are they?
-
Oh, there are many solutions: one of my favorites is to require a percentage of all letters to change to force the user to use a completely new password each time. Depending on how that is implemented, the user can just shift the entire password one character left or right and fool the entire mechanism. Mostly this is a game. It is "wily" network administrators against their own users who endeavor to circumvent the network administrators. You'll notice, while being adversaries in this battle, both are missing the true enemy lurking trying to find a way in!
-
Nathan Minier wrote:
The level of mental gymnastics that you're going through to justify being too lazy to change a password is astounding
Similar to the way you jump to a conclusion? I'd simply demand a different type of lock - never claimed to be against locking or passwords.
Nathan Minier wrote:
your attitude is to not attempt to plug the leak at all.
We never discussed that part; but yes, if it leaks, I'd want a decent plug, not a 30 day rotating duct-tape.
Nathan Minier wrote:
If users can cycle their passwords back to original in your environment, then clearly your security people are out of their depth.
Well, like you, they work with "real" people, and it is about controlling risks there - not about avoiding them :)
Bastard Programmer from Hell. If you can't read my code, try converting it here. "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
They are. But you can always find out how many passwords they look back and compare and change it back. Write a PowerShell script that does it. Say that they only checked the last five. So change it six times and then back to the original. Set it to run at the first of the month. Good to go.
To err is human to really mess up you need a computer
-
It would be nice if everyone had an embedded x509 hardware token, but that's simply not economically feasible for many organizations. Biometrics are still pretty sketchy and will be for a while yet. Passwords are simply a reality that need to be dealt with, and scoffing at management strategies for them doesn't help anyone.
Eddy Vluggen wrote:
Well, like you, they work with "real" people, and it is about controlling risks there - not about avoiding them :)
Yeah, exactly my point.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli
-
Ask the client's IT dept to change your email to a forwarder to another email address on a sane system. Best is your own domain if you have one - if they moan about security you can honestly say you 100% control access. Myself, I registered a domain and pay the annual fees (domain, hosting) and it's only used for my own email (too lazy to do a page so the website forever says "under construction"). For a few dollars a month it's handy coz I can add as many email addresses as I like (including temp ones for one-time registration, then remove them to avoid spam), manage spam filters and even use it for testing apps that send emails.
Signature ready for installation. Please Reboot now.
-
Nathan Minier wrote:
It would be nice if everyone had an embedded x509 hardware token, but that's simply not economically feasible for many organizations. Biometrics are still pretty sketchy and will be for a while yet.
If you go on a Dutch train you're already forced to use a hardware token.
Nathan Minier wrote:
Passwords are simply a reality that need to be dealt with, and scoffing at management strategies for them doesn't help anyone.
There are safer options than having the plain username/password combo. Scoffing works by the way, and it was for the good of anyone to point out that the medical website I was using is unsafe. Now scoffing alone means you're being a dick - so I also made sure to explain the alternative.
Bastard Programmer from Hell. If you can't read my code, try converting it here. "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
Oh, there are many solutions: one of my favorites is to require a percentage of all letters to change to force the user to use a completely new password each time. Depending on how that is implemented, the user can just shift the entire password one character left or right and fool the entire mechanism. Mostly this is a game. It is "wily" network administrators against their own users who endeavor to circumvent the network administrators. You'll notice, while being adversaries in this battle, both are missing the true enemy lurking trying to find a way in!
Wait, wait... Hold on, if they are salting and hashing the passwords, how can they possibly know if X% of characters changed each time? I mean, you can store the last 10 hashes to compare against, but no good hashing system should give them any possible idea of the number of characters that did or did not change each time. There may be a much bigger problem here than dumb password policy.
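An added example (not from the thread, and not any product's actual implementation) of the question raised above together with the minimum-age setting mentioned earlier in the thread: with salted hashes a server can test a new password for exact reuse against its history, and for similarity only against the current password typed during the change. The policy values, class and function names are assumptions made for the sketch.

```python
import hashlib, hmac, os

DAY = 86400
HISTORY_DEPTH = 8        # assumed policy: remember the last 8 passwords
MIN_AGE = DAY            # assumed policy: at most one change per day
ITERATIONS = 10_000      # kept low so the example runs fast; use far more in production

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Account:
    def __init__(self, password, now=0):
        self.history = []            # (salt, digest) pairs, newest last; no plaintext kept
        self.changed_at = now
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)        # fresh salt for every stored entry
        self.history = (self.history + [(salt, kdf(password, salt))])[-HISTORY_DEPTH:]

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(kdf(password, salt), digest)

    def change(self, old, new, now):
        if not self._matches(old, self.history[-1]):
            return "wrong current password"
        if now - self.changed_at < MIN_AGE:
            return "too soon"        # stops cycling through the history in one sitting
        if any(self._matches(new, e) for e in self.history):
            return "reused"          # exact match only: re-hash with each stored salt
        # Similarity can only be judged against `old`, which the user just typed.
        same = sum(a == b for a, b in zip(old, new))
        if 2 * same > max(len(old), len(new)):
            return "too similar"
        self._store(new)
        self.changed_at = now
        return "ok"

def demo():
    acct = Account("Autumn-Tiger-1")                 # constructed sample passwords
    return [
        acct.change("Autumn-Tiger-1", "blue-kettle-92", DAY),
        acct.change("blue-kettle-92", "Autumn-Tiger-1", DAY + 60),
        acct.change("blue-kettle-92", "Autumn-Tiger-1", 2 * DAY),
        acct.change("blue-kettle-92", "blue-kettle-93", 2 * DAY),
        acct.change("blue-kettle-92", "Autumn-Tiger-2", 2 * DAY),
    ]

if __name__ == "__main__":
    print(demo())
```

The last call returns "ok" although the new password is one character away from a historic one: salted digests support only exact-match tests, so this sketch cannot measure similarity against anything but the current password.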
-
We have an ISO, which forces us to change passwords every 3 months and keep a history of eight 'ages', and of course it must be a complex password... The only result is that now everyone manages a text/Excel file to keep track of the 8 'ages' and complexity... also everyone creates passwords based on a pattern... I feel so safe... :-) The first thing I did after the first period was remove this from my user...
Skipper: We'll fix it. Alex: Fix it? How you gonna fix this? Skipper: Grit, spit and a whole lotta duct tape.
-
It's their server, so they're right, so you have to deal with it. It is, however, your right to complain bitterly to whomever will listen.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
Exactly. I've been a contractor (Consultant) for most of my 45 years in IT. Early on I learned two things: 1. Behave like a mercenary; if they want you to kill it, as long as it's not illegal, unethical or immoral, kill it. 2. They can pay me now or they'll pay me later, either way I get paid. Every one of my clients was happy with me.
-
If the policy is too strict, then people just write it on a piece of paper and stick it on their monitors. And they usually just substitute one character when they are forced to change it every 8 weeks.
Nish Nishant Consultant Software Architect Ganymede Software Solutions LLC www.ganymedesoftwaresolutions.com
-
A guy I know used to just make the password some phrase, a special character, and the date he changed it. "CaveMan^May102017" for example. It satisfies a lot of the typical requirements.
_____________________________ A logician deducts the truth. A detective inducts the truth. A journalist abducts the truth. Give a man a mug, he drinks for a day. Teach a man to mug...
-
Pass along... Read: Troy Hunt: "Passwords Evolved: Authentication Guidance for the Modern Era". Or video of same (+ other stuff): Troy Hunt: "Weekly update 45".
-
Both. Password management is more complicated than that - and it inevitably suffers from being distilled down to what the end user can understand. Password length is usually set to a period and length that exceeds the time a given computer can brute force the password. In other words - if a reasonable adversary can crack the password on a fast PC in 30 days, then either the password needs to be longer, or you need to change it sooner. Of course - explaining this to people can be complicated - and enforcing complex rules for passwords like, if it's 8 characters it needs to be changed every 10 days, and if it's 9 characters then every 30 are also not possible on most systems. So people try to generalize. If you explain to them for example that you have 15 character passwords, and cracking them brute force is just not practical - you have processes to change them when key people who know the password leave, (or if the crypto were to be broken), then perhaps you could have your approach risk accepted. In practice this will probably save you a lot of effort - and you will end up with better passwords as well. Hope that helps.