One thing that I would recommend that I am not seeing is setting a minimum password age to be in the 1-2 week range. If you don't do this, you will get users who keep changing passwords until they cycle through the password history and arrive back at the same one, even with a one day delay.

Personally, I find a minimum password length in the 7-8 character range (with complexity requirements) to be more than enough to cover yourself from a brute force attack, as even with current GPU hashing it's going to be measured in months to years.

The far more likely scenario, the one that we've seen dozens of times in the last year, is users registering website accounts to their work email address and using the same password on both accounts. Your AD is going to salt and hash your passwords properly, but external websites are a complete unknown and *they keep doing it wrong* and you find dumps of email/password combos all over pastebin. Setting a password expiration policy helps get users out of using the same password for everything, starting with their work account. This idea of having a "favorite password" is terrifying from an exposure standpoint, as more often than not everything is registered and authenticated by the same email address. A single endpoint entrusted with that credential set getting compromised opens the floodgates in that situation.

And if you're still running XP systems, don't forget to disable LanManager hashes in your policy and force a change to purge them out.
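As an added example (my code, not the poster's), the following PowerShell audit checks a domain's default password policy against the settings argued for in the post: a minimum password age of at least a week, a non-zero password history, a minimum length in the 7-8 character range with complexity enabled, and LanManager hash storage disabled. It assumes the RSAT ActiveDirectory module is installed and that it runs on a domain-joined host with rights to read domain policy; the numeric thresholds are taken from the post and are assumptions you should adjust to your own standard.

```powershell
# Added example: audit the default domain password policy against the thresholds
# from the post above. Requires the ActiveDirectory module (RSAT) and read access
# to domain policy. Thresholds are assumptions taken from the post, not a standard.
Import-Module ActiveDirectory

$MinAgeDays        = 7      # post suggests 1-2 weeks; 7 is the low end
$MinLength         = 8      # post suggests 7-8 characters
$RequireComplexity = $true  # post assumes complexity is enforced

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

# Minimum age is what stops users cycling through the history back to an old password.
if ($policy.MinPasswordAge.TotalDays -lt $MinAgeDays) {
    $findings += "MinPasswordAge is $($policy.MinPasswordAge.TotalDays) day(s); users can churn through history to reuse a password. Raise to at least $MinAgeDays days."
}

# A history count of zero makes minimum age pointless: nothing prevents reuse at all.
if ($policy.PasswordHistoryCount -eq 0) {
    $findings += "PasswordHistoryCount is 0; previous passwords are not remembered."
}

if ($policy.MinPasswordLength -lt $MinLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength); raise to at least $MinLength."
}

if ($RequireComplexity -and -not $policy.ComplexityEnabled) {
    $findings += "Password complexity is disabled."
}

# NoLMHash = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa stops the LanManager hash
# being stored on the next password change. Existing LM hashes remain until each user
# changes their password, which is why the post says to force a change afterwards.
# This check applies to the host the script runs on, so run it on each domain controller.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name NoLMHash -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.NoLMHash -ne 1) {
    $findings += "NoLMHash is not set to 1 on $env:COMPUTERNAME; LanManager hashes may still be stored."
}

# Fine-grained policies can override the default for specific groups; list them so
# the reviewer knows which users the default policy does not actually cover.
$fgpp = Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue
foreach ($p in $fgpp) {
    Write-Output "NOTE: fine-grained policy '$($p.Name)' applies to: $($p.AppliesTo -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output "Default domain password policy meets the configured thresholds."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated PowerShell session on a domain controller (the registry check is only meaningful where hashes are actually stored). Any fine-grained password policies it lists need the same checks applied to their own MinPasswordAge, PasswordHistoryCount and MinPasswordLength values, since they take precedence over the default policy for the groups they apply to.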