Password expiration is not nearly as useful for limiting exposed passwords
as it is usually assumed to be.  A very, very high proportion of people
subjected to password expiration policies merely increment a number at the
end of the same password.  Any hacker seeing the password Bananas!5 upon
authentication failure will immediately try Bananas!6, and be successful.

Users will always bypass (imperfect) password policies until we move to
two-factor authentication.

Brian Hoort
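As an added illustration of the point above (not part of the original message or of any list member's code): a Python check that a password-change handler could run at change time, when it has both the old and the new password in hand, to refuse a new password that is the old one with only its trailing number changed, or that is otherwise nearly identical. The 0.8 similarity threshold, the function names and the sample passwords are my own choices.

```python
import re
from difflib import SequenceMatcher

# Matches a password ending in one or more digits, e.g. 'Bananas!5' -> ('Bananas!', '5').
TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def split_trailing_number(pw):
    """Return (stem, number) for 'Bananas!5' -> ('Bananas!', 5);
    (pw, None) when the password does not end in digits."""
    m = TRAILING_NUMBER.match(pw)
    if not m:
        return pw, None
    return m.group(1), int(m.group(2))


def is_increment_of(old, new):
    """True when the new password is the old one with only its trailing number
    changed (Bananas!5 -> Bananas!6, password--24 -> password--01,
    or Bananas! -> Bananas!1)."""
    old_stem, old_n = split_trailing_number(old)
    new_stem, new_n = split_trailing_number(new)
    if new_n is None or new_stem == "":
        return False
    return old_stem == new_stem and old_n != new_n


def similarity(old, new):
    """Case-insensitive edit similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, old.casefold(), new.casefold()).ratio()


def change_problems(old, new, max_similarity=0.8):
    """Reasons to refuse the change from `old` to `new`; an empty list means the
    new password is not an obvious derivative of the previous one."""
    problems = []
    if is_increment_of(old, new):
        problems.append("only the trailing number changed")
    if similarity(old, new) >= max_similarity:
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample changes, including the one from the message above.
    for old, new in (("Bananas!5", "Bananas!6"),
                     ("password--24", "password--01"),
                     ("Bananas!5", "correct horse battery")):
        print(f"{old!r} -> {new!r}: {change_problems(old, new) or 'ok'}")
```

Active Directory keeps only hashes of remembered passwords, so a comparison like this is possible only at the moment of change, where both values are presented; in AD that hook is a password filter DLL, which this snippet does not show.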


-----Original Message-----
From: Cooke, Tony [mailto:[log in to unmask]]
Sent: Friday, September 28, 2012 3:55 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] AD Domain Password Policy

Maybe I'm reading too far into it, but it sounds like you simply oppose
password expiration. That's not surprising, since it is a contentious topic.
We decided to implement password expiration since doing so mitigates exposed
passwords such that attacker access isn't perpetual. We also chose a
reasonably long duration so as not to encourage bad password habits.

Is it foolproof? Of course not. As you pointed out, rotating or
incrementing passwords are ways users can defeat the usefulness of the
policy. At the same time, they could also willfully expose their password,
and there's not much we can do about it. In my opinion, the best we can do
is to encourage good password hygiene while trying not to encourage bad
password hygiene (as these are often at odds with each other).

-Tony



-----Original Message-----
From: David McFarlane [mailto:[log in to unmask]]
Sent: Friday, September 28, 2012 1:18 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] AD Domain Password Policy

Wow, so your users have to cycle through 24 passwords to get back to the one
they like.  Do you prohibit rapid successive password changes, or can they
sit down and just make 24 changes in a row to get back to their favored
password (I have heard of users doing this)?

Do users know that you remember only 24 past passwords, so they can plan
this bit of subterfuge?  How many of them simply increment a number in their
password, e.g., password--01, password--02, ..., password--24, password--01?
I might do that myself under those circumstances.

Glad to see no one imposes a maximum length; I hear that spells trouble.

-- dkm


At 9/28/2012 12:02 PM Friday, Cooke, Tony wrote:
>Passwords Remembered: 24
>Max Age: 365
>Min Age: 0
>Min Length: 12
>Complexity: Yes
>
>Tony Cooke
>The Eli Broad College of Business
>Michigan State University
><mailto:[log in to unmask]>[log in to unmask]
>517.884.1592
>
>
>
>From: Walters, Mike [mailto:[log in to unmask]]
>Sent: Friday, September 28, 2012 11:46 AM
>To: [log in to unmask]
>Subject: [MSUNAG] FW: AD Domain Password Policy
>
>For those running MS AD, I was wondering what you are doing for your
>end user password policy.
>
>Example:
>
>Passwords Remembered: 5
>Max Age: 90
>Min Age: 1
>Min Length: 8
>Complexity: Yes
>
>Thanks!
>
>Mike Walters, MCSA
>Network Services Manager
>ANR Technology Services
>Michigan State University
>446 W. Circle Dr
>Rm 221, Agriculture Hall
>East Lansing, Michigan 48824
>ph. 517.353.4890 x172
><mailto:[log in to unmask]>[log in to unmask]
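To make the two policies posted in this thread concrete (an added example, written for this page and not code from any list member or from Microsoft): a small Python model of the five settings that enforces history, minimum and maximum age, length and complexity on user-initiated changes, and plays out the "24 changes in a row" trick David asks about against both policies. Assumptions: the complexity check approximates AD's three-of-four character-class rule and omits the account-name check, admin resets (which skip minimum age) are not modelled, days are plain integers, and the filler and favourite passwords are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    passwords_remembered: int
    max_age_days: int
    min_age_days: int
    min_length: int
    complexity: bool


# The two policies from the thread: Tony's and Mike's example.
BROAD_COLLEGE = PasswordPolicy(passwords_remembered=24, max_age_days=365,
                               min_age_days=0, min_length=12, complexity=True)
ANR_EXAMPLE = PasswordPolicy(passwords_remembered=5, max_age_days=90,
                             min_age_days=1, min_length=8, complexity=True)


def meets_complexity(pw):
    """Approximation of AD's rule: at least three of four character classes.
    (Assumption: the account-name check of the real rule is not modelled.)"""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def fingerprint(pw):
    # The history keeps a digest, never the plaintext.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


@dataclass
class Account:
    policy: PasswordPolicy
    history: List[str] = field(default_factory=list)  # digests, oldest first
    last_set: Optional[int] = None                     # day number of last change

    def change_password(self, new_pw, day):
        """User-initiated change on integer `day`. Returns None on success,
        otherwise the reason the change was refused."""
        p = self.policy
        if self.last_set is not None and day - self.last_set < p.min_age_days:
            return "minimum age not reached"
        if len(new_pw) < p.min_length:
            return "too short"
        if p.complexity and not meets_complexity(new_pw):
            return "complexity not met"
        remembered = self.history[-p.passwords_remembered:] if p.passwords_remembered else []
        if fingerprint(new_pw) in remembered:
            return "password reused"
        self.history.append(fingerprint(new_pw))
        self.last_set = day
        return None

    def expired(self, day):
        return self.last_set is None or day - self.last_set >= self.policy.max_age_days


def try_cycle_back(policy, favourite, day=0):
    """The trick from the thread in one sitting: set `favourite`, make as many
    changes as the history length, then set `favourite` again.
    Returns (filler changes that succeeded, whether favourite was accepted)."""
    acct = Account(policy)
    if acct.change_password(favourite, day) is not None:
        raise ValueError("favourite password does not satisfy the policy")
    fillers = 0
    for i in range(policy.passwords_remembered):
        if acct.change_password(f"Filler-Pass-{i:02d}!", day) is not None:
            break
        fillers += 1
    return fillers, acct.change_password(favourite, day) is None


def days_to_cycle_back(policy, favourite, max_days=400):
    """Same trick at the slowest pace the policy allows: one attempt per day,
    trying `favourite` first and a fresh filler otherwise. Returns the day on
    which `favourite` is accepted again, or None if not within max_days."""
    acct = Account(policy)
    acct.change_password(favourite, 0)
    i = 0
    for day in range(1, max_days + 1):
        if acct.change_password(favourite, day) is None:
            return day
        if acct.change_password(f"Filler-Pass-{i:02d}!", day) is None:
            i += 1
    return None


if __name__ == "__main__":
    for name, policy in (("Broad College", BROAD_COLLEGE), ("ANR example", ANR_EXAMPLE)):
        print(name, "one sitting:", try_cycle_back(policy, "Bananas!Split9"),
              "one change per day:", days_to_cycle_back(policy, "Bananas!Split9"))
```

With Min Age 0 the 24-deep history is cleared in a single sitting, while Min Age 1 stops the second change on the same day and turns the shortcut into a multi-day effort; both models here are simplifications and say nothing about how a given directory implements the checks beyond the five settings listed.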