Thank you to all who have replied thus far.
This logic is correct. If an attacker manages to compromise an account
undetected and the pw never expires, they have free rein forever.
I have previously read most of the "security myth" documents that people
have linked to and generally disagree with the points made in them.
I am all too aware of the human factor when it comes to authentication so I
crafted my policy accordingly. I do not disallow writing passwords on
post-its, but instead ask that they keep the post-it in a purse or wallet.
And also, having read this one for the first time
(http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx),
I disagree with most every point made in it. :)
Essentially what this discussion comes down to is a difference between
system controls and user education/policy enforcement. If both are in
place, things should be smooth, but one without the other will result in an
administration nightmare.
I'm thinking I may adjust the expiry time (a number of respondents say that
they keep it around 45 days); however, I believe most of these arguments
against expiring altogether are flawed and I will continue to abide by the
CISSP training and NSA best practice docs.
On an unrelated note... I get asked this a lot. :) The support system that
I use at http://infotech.prl.msu.edu is Kayako eSupport (
http://kayako.com/esupport.php). It is very versatile and a purchased edu
license is $250 and well worth the cost. It also has an e-mail parser to
generate tickets based on emails sent to a support address.
Thanks for the info and keep it coming. :)
,--------------------------------------------+-----------------------------,
| Bryan Murphy, CISSP                        | [log in to unmask]          |
| Information Technology Coordinator         | 517.432.5939 w              |
| MSU Plant Research Lab & Plant Biology     | 517.355.1926 fax            |
| 132a Plant Biology Bldg.                   | http://infotech.prl.msu.edu |
'--------------------------------------------+-----------------------------'
-----------[ 5/16/06 12:13 PM [log in to unmask] ]--------------
> At one point I shared your concern regarding password changes. The
> thought process goes like this: If I have a password, and someone begins
> to crack the password, I am only giving them a small area of time before
> the password changes, and they have to start over. This is a valid
> statement if computers are the only concern (i.e. computer accounts in
> Active Directory). However, if people are involved then you have another
> set of problems. The biggest problem that most people have is that
> they cannot remember their password if they have to change it often. If
> you have a password set to expire every 30 days, then people will
> write down the password (because they cannot remember the password). You
> have then changed the password from "something you know" to "something
> you have". Since people tend to place important items near where they
> use them this becomes a problem.
>
> Instead, I tend to ask users to use "pass phrases" instead of
> "passwords". The password complexity increases with length, and thus you
> can increase the period between password changes without problems regarding
> brute force password guessing. Pass phrases are usually 1 sentence in
> length and include spaces and punctuation. These are easy to remember,
> and difficult to crack. The only difficulty is that MSU Net passwords
> cannot use the space character (yet). For reference see
> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx.
> They have some different examples, but the idea is the same.
>
> FYI, our passwords expire every 180 days.
>
> +-------------------------------------------+
> | Michael Surato                            |
> | Resource Center for Persons               |
> | with Disabilities                         |
> | Michigan State University                 |
> | 120 Bessey Hall                           |
> | East Lansing, MI 48824                    |
> | Voice: (517) 353-9643 Fax: (517) 432-3191 |
> +-------------------------------------------+
>
>
>> -----Original Message-----
>> From: MSU Network Administrators Group
>> [mailto:[log in to unmask]] On Behalf Of Bryan Murphy
>> Sent: Tuesday, May 16, 2006 11:47 AM
>> To: [log in to unmask]
>> Subject: [MSUNAG] Password Expiration Policies
>>
>> Hi Guys,
>>
>> I am about to implement a password policy that calls for
>> password expiration every 30 days. I have run my policy by a
>> small group of faculty and found that this (as I suspected)
>> is the only point of contention in the policy.
>>
>> From a security standpoint this is absolutely essential for
>> a number of reasons, and I have explained these reasons but
>> still get guff.
>>
>> For some reason stating "department x has this same policy"
>> or "x % of the departments on campus already do this" works
>> far better than logical explanations... So I was wondering if
>> anyone in NAG'Land would mind sharing what they are doing for
>> departmental password policies.
>>
>> Thank you.
>>
>> ,--------------------------------------------+-----------------------------,
>> | Bryan Murphy, CISSP                        | [log in to unmask]          |
>> | Information Technology Coordinator         | 517.432.5939 w              |
>> | MSU Plant Research Lab & Plant Biology     | 517.355.1926 fax            |
>> | 132a Plant Biology Bldg.                   | http://infotech.prl.msu.edu |
>> '--------------------------------------------+-----------------------------'
>>
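The two positions in this thread (expire every 30 to 45 days versus use long pass phrases and expire every 180 days) both rest on the same quantity: how much of the secret's search space an offline guesser can cover before the rotation window closes. The Python below is an added example for readers of the thread, not code from any of the participants; the 94-character alphabet, the 7776-word dictionary, and the 10^9 guesses/second rate are assumptions chosen for illustration, not figures from the thread.

```python
import math

# Constructed character-class sizes for a classic "complex" password
# (assumption: lowercase, uppercase, digits, 32 printable symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# Assumed offline guess rate; pick the rate that matches your threat model.
ASSUMED_GUESSES_PER_SECOND = 1e9

SECONDS_PER_DAY = 86400


def password_space_bits(length, classes=("lower", "upper", "digit", "symbol")):
    """Search-space size (bits) of a random password of `length` characters
    drawn from the given classes. 8 chars over 94 symbols is about 52.4 bits."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_space_bits(words, dictionary_size):
    """Search-space size (bits) of a passphrase of `words` words chosen at
    random from a dictionary of `dictionary_size` entries. Length, not
    character mix, is what drives this number."""
    return words * math.log2(dictionary_size)


def expected_crack_days(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected days to hit a uniformly random secret: half the space, on average."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_DAY


def fraction_searched_before_expiry(bits, expiry_days,
                                    guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Fraction of the search space an attacker can cover before the password
    rotates (capped at 1.0). This is the number a rotation period is meant
    to keep small."""
    guesses = guesses_per_second * expiry_days * SECONDS_PER_DAY
    return min(1.0, guesses / 2 ** bits)


def min_bits_for_window(expiry_days, max_fraction=0.01,
                        guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Minimum search-space bits so that at most `max_fraction` of the space
    can be searched within `expiry_days` at the assumed guess rate."""
    guesses = guesses_per_second * expiry_days * SECONDS_PER_DAY
    return math.log2(guesses / max_fraction)


def compare_policies(expiry_days_password, expiry_days_passphrase,
                     pw_length=8, phrase_words=5, dictionary_size=7776):
    """Put the thread's two policies side by side. Returns a dict so the
    numbers can be checked rather than only printed."""
    pw_bits = password_space_bits(pw_length)
    ph_bits = passphrase_space_bits(phrase_words, dictionary_size)
    return {
        "password_bits": pw_bits,
        "password_fraction_searched": fraction_searched_before_expiry(pw_bits, expiry_days_password),
        "password_expected_crack_days": expected_crack_days(pw_bits),
        "passphrase_bits": ph_bits,
        "passphrase_fraction_searched": fraction_searched_before_expiry(ph_bits, expiry_days_passphrase),
        "passphrase_expected_crack_days": expected_crack_days(ph_bits),
    }


if __name__ == "__main__":
    result = compare_policies(expiry_days_password=30, expiry_days_passphrase=180)
    for key, value in result.items():
        print(f"{key:32s} {value:,.4g}")
    print(f"bits needed for a 180-day window at 1%: {min_bits_for_window(180):.1f}")
```

Under these assumptions an 8-character "complex" password is searched roughly 42% of the way through within a 30-day window, so the rotation period is doing real work, while a 5-word passphrase has about 64.6 bits and is searched well under 0.1% of the way through even in 180 days. The point the quoted reply makes is visible in the numbers: adding length buys far more headroom than shortening the rotation period does, and the rotation period can be chosen from the bits rather than the other way round.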