At one point I shared your concern regarding password changes. The
thought process goes like this: If I have a password, and someone begins
to crack the password, I am only giving them a small area of time before
the password changes, and they have to start over. This is a valid
statement if computers are the only concern (i.e. computer accounts in
Active Directory). However, if people are involved then you have another
set of problems. The biggest problem is that most people cannot
remember their password if they have to change it often. If
you have a password set to expire every 30 days, then people will
write down the password (because they cannot remember the password). You
have then changed the password from "something you know" to "something
you have". Since people tend to place important items near where they
use them this becomes a problem.
Instead, I tend to ask users to use "pass phrases" instead of
"passwords". The password complexity increases with length, and thus you
can increase the period between password changes without problems regarding
brute force password guessing. Pass phrases are usually 1 sentence in
length and include spaces and punctuation. These are easy to remember,
and difficult to crack. The only difficulty is that MSU Net passwords
cannot use the space character (yet). For reference see
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx.
They have some different examples, but the idea is the same.
FYI, our passwords expire every 180 days.
+-------------------------------------------+
| Michael Surato |
| Resource Center for Persons |
| with Disabilities |
| Michigan State University |
| 120 Bessey Hall |
| East Lansing, MI 48824 |
| Voice: (517) 353-9643 Fax: (517) 432-3191 |
+-------------------------------------------+
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Bryan Murphy
> Sent: Tuesday, May 16, 2006 11:47 AM
> To: [log in to unmask]
> Subject: [MSUNAG] Password Expiration Policies
>
> Hi Guys,
>
> I am about to implement a password policy that calls for
> password expiration every 30 days. I have run my policy by a
> small group of faculty and found that this (as I suspected)
> is the only point of contention in the policy.
>
> From a security stand point this is absolutely essential for
> a number of reasons, and I have explained these reasons but
> still get guff.
>
> For some reason stating "department x has this same policy"
> or "x % of the departments on campus already do this" works
> far better than logical explanations... So I was wondering if
> anyone in NAG'Land would mind sharing what they are doing for
> departmental password policies.
>
> Thank you.
>
> ,--------------------------------------------+-----------------------------,
> | Bryan Murphy, CISSP                        | [log in to unmask]          |
> | Information Technology Coordinator         | 517.432.5939 w              |
> | MSU Plant Research Lab & Plant Biology     | 517.355.1926 fax            |
> | 132a Plant Biology Bldg.                   | http://infotech.prl.msu.edu |
> '--------------------------------------------+-----------------------------'
>
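To put numbers on the reply's argument that length, rather than rotation frequency, is what buys time against brute-force guessing, here is an added Python illustration (not from the thread or either poster): it assumes a constructed offline guess rate of 1e10 guesses per second and models the passphrase as 6 random words from a 7776-word list, a stand-in since memorable sentences are not uniformly random.

```python
import math

SECONDS_PER_DAY = 86_400
# Assumed offline guess rate against a fast unsalted hash (constructed figure).
GUESSES_PER_SECOND = 1e10
# Constructed models: a random 8-char password over the 94 printable ASCII
# characters, and a 6-word passphrase drawn from a 7776-word (Diceware-size)
# list. Real sentences are not uniformly random, so this is a stand-in.
CANDIDATES = {
    "8-char password, 94 symbols": (94, 8),
    "6-word passphrase, 7776-word list": (7776, 6),
}

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def expected_days_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected days for exhaustive search, hitting the secret after half
    the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_DAY

def fraction_covered_before_rotation(bits: float, guesses_per_second: float,
                                     rotation_days: int) -> float:
    """Share of the keyspace testable before a forced change. 1.0 means the
    window is long enough to exhaust it, so expiry buys nothing here."""
    guesses_in_window = guesses_per_second * rotation_days * SECONDS_PER_DAY
    return min(1.0, guesses_in_window / 2 ** bits)

def compare_policies(rotation_days: int, rate: float = GUESSES_PER_SECOND) -> dict:
    """Map each candidate to (bits, expected_days, fraction_covered)."""
    results = {}
    for name, (alphabet, length) in CANDIDATES.items():
        bits = keyspace_bits(alphabet, length)
        results[name] = (bits, expected_days_to_guess(bits, rate),
                         fraction_covered_before_rotation(bits, rate, rotation_days))
    return results

if __name__ == "__main__":
    for days in (30, 180):
        print(f"--- rotation every {days} days at {GUESSES_PER_SECOND:.0e} guesses/s ---")
        for name, (bits, exp_days, frac) in compare_policies(days).items():
            print(f"{name:36s} {bits:5.1f} bits, expected crack {exp_days:13.1f} days,"
                  f" keyspace covered before rotation {frac:.2e}")
```

At the assumed rate the 8-character keyspace is exhausted well inside a 30-day window, so the expiry never interrupts the attacker, while the passphrase keyspace is barely touched in 180 days.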