While it would be nice, it's also expensive. Good 2fa imposes a cost, and losing a smart card invokes a *lot* more pain than forgetting a password.
Kurt

On Wed, Apr 27, 2016 at 5:31 PM, Jack Kramer <j...@smalltype.net> wrote:
> Honestly, any standard requiring frequent change (pretty much anything more often than 6mo to a year) is going to produce post-it behaviors. You know, where the password is on a post-it under the keyboard.
>
> I would rather see more places implement 2-factor authentication--preferably with smart cards so you can also guarantee a machine will lock up when the user leaves it (assuming they take their card at least--but that's encouraged by also tying the cards to access control so you need it for doors and the like).
>
> Sent from my iPhone
>
> On Apr 27, 2016, at 8:15 PM, Sean Martin <seanmarti...@gmail.com> wrote:
>
> Great timing for this thread.
>
> A recently updated password policy has sparked some debate at %dayjob%. It contains some of the expected requirements:
>
> - unique per account
> - varying length requirements based on account type (domain user, administrative user, etc.)
> - don't include userID or personal information (birthday, phone number, SS#, etc.)
> - standard complexity requirements (uppercase/lowercase/numerical/special)
>
> ...then some additional requirements, which are raising some eyebrows:
>
> - must not contain a dictionary word
> - must not contain repetitive or sequential characters
> - must not be derived from publicly searchable internet or social media information (favorite sports team, names of friends or family, schools, restaurants, etc.)
>
> While I understand the intent, my opinion is that no typical end-user is going to truly understand what these requirements mean, or will simply find them too difficult to comply with. Our current expiration policy is 90 days. I believe the end users would rather deal with more frequent password changes than have to adhere to the above stated policy.
>
> Interested in other opinions....
>
> - Sean
>
> On Wed, Apr 27, 2016 at 3:33 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:
>>
>> Thanks. 100% true story + federal investigation. State lines were crossed, and millions of dollars were at stake.
>>
>> --
>> Espi
>>
>> On Wed, Apr 27, 2016 at 2:39 PM, Dave Lum <l...@ochin.org> wrote:
>>>
>>> That’s a perfect example Michael.
>>>
>>> Or, let’s say I am in IT at Target, maybe later I move into IT at an HVAC company that has VPN access to Target (IT guys working at companies that do business with their former employers? Never happens right?). Maybe my PC at the HVAC place gets compromised and since Target never disabled my account and I use the same password at %newjob% as I did %oldjob%, a simple hop over VPN now leverages the access I had at Target…
>>>
>>> Except what actually happened with Target was more *harder* than what I described above.
>>>
>>> IMO any place that doesn’t require a password expiration of any kind is likely (exceptions to this, sure) the same place that doesn’t have a process for disabling all the access former employees have.
>>>
>>> Dave
>>>
>>> From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
>>> Sent: Tuesday, April 26, 2016 6:31 PM
>>> To: ntsys...@lists.myitforum.com
>>> Subject: Re: [NTSysADM] RE: Password expiring debate on patch management
>>>
>>> Old admin knows many management passwords
>>> Old admin goes to work for competitor
>>> Company and competitor are up for same contracts
>>> Old admin remotes into company to look at emails and presentation materials
>>> Competitor starts taking business from company by usurping sales pitches in very specific ways
>>> I get hired 2+ years after old admin in question
>>> I review remote logs to establish behavioral patterns
>>> I see odd logon behavior and trace repetitive IPs
>>> I trace IPs to competitor as well as old admin specifically
>>>
>>> I am Jack's complete lack of surprise when management doesn't change their password and uses the same passwords for many things.
>>>
>>> --
>>> Espi
>>>
>>> On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:
>>>
>>> "Even six months is far better than never"
>>>
>>> Why?
>>>
>>> ________________________________
>>>
>>> From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf of Dave Lum [l...@ochin.org]
>>> Sent: Monday, April 25, 2016 6:58 PM
>>> To: ntsys...@lists.myitforum.com
>>> Subject: [NTSysADM] Password expiring debate on patch management
>>>
>>> Anyone see the debate on the Patch management list, driven by this: https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
>>>
>>> I don’t even know how it’s a debate other than the desired frequency (no one-size-fits-all on that IMO). Even six months is far better than never. With expiring passwords you at bare minimum mitigate employees that leave.
>>>
>>> David Lum
>>> Systems Administrator III
>>> P: 503.943.2500
>>> E: l...@ochin.org
>>> A: 1881 SW Naito Parkway, Portland, OR 97201
>>> www.ochin.org
>>>
>>> Attention: Information contained in this message and or attachments is intended only for the recipient(s) named above and may contain confidential and or privileged material that is protected under State or Federal law. If you are not the intended recipient, any disclosure, copying, distribution or action taken on it is prohibited. If you believe you have received this email in error, please contact the sender with a copy to complia...@ochin.org, delete this email and destroy all copies.
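Sean's message lists the rules in his employer's policy (unique per account, length tiers by account type, no user ID or personal information, upper/lower/digit/special, no dictionary word, no repetitive or sequential characters). The following checker is an added example written for this page, not code from any list member or from the policy itself. The word list, the length tiers (12 for a domain user, 16 for an administrative account), and the run threshold of three characters are assumptions chosen for illustration; the "publicly searchable" rule is modelled only as a caller-supplied list of personal tokens, since nothing in the thread says how that rule would be enforced. It shows the part of Sean's point that is easy to miss: the two "eyebrow-raising" rules are mechanically checkable, so the question is whether users can predict them, not whether the system can enforce them.

```python
import re

# Constructed, deliberately tiny word list standing in for a real dictionary;
# a production check would load a full list (e.g. /usr/share/dict/words).
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "target"}

# Assumed length tiers per account type (the policy only says they vary).
MIN_LENGTH = {"user": 12, "admin": 16}

# Common substitutions a dictionary check should see through (p@ssw0rd).
LEET = str.maketrans("@01$3!5", "aoiseis")


def has_repetitive_run(pw, n=3):
    """True if any character repeats n or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequential_run(pw, n=3):
    """True if n+ consecutive characters step by exactly one code point,
    ascending ('abc', '123') or descending ('zyx'); case-insensitive."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_dictionary_word(pw, words=DICTIONARY, min_len=4):
    """True if a dictionary word of min_len+ letters appears as a substring
    after lower-casing and undoing leet substitutions."""
    normalized = pw.lower().translate(LEET)
    return any(len(w) >= min_len and w in normalized for w in words)


def contains_personal_info(pw, personal):
    """True if any supplied personal token (user ID, birth year, phone digits,
    team name, ...) of 3+ characters appears in the password, ignoring case."""
    lowered = pw.lower()
    return any(len(t) >= 3 and t.lower() in lowered for t in personal)


def check_password(pw, account_type, personal=(), previous=()):
    """Evaluate one candidate against the policy. Returns the list of rule
    names it violates; an empty list means it passes.

    `previous` stands in for the user's other/earlier passwords; a real
    system compares against stored hashes, never plaintext history.
    """
    failures = []
    if pw in previous:
        failures.append("reused")
    if len(pw) < MIN_LENGTH[account_type]:
        failures.append("length")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, pw) for p in classes):
        failures.append("complexity")
    if contains_personal_info(pw, personal):
        failures.append("personal_info")
    if contains_dictionary_word(pw):
        failures.append("dictionary")
    if has_repetitive_run(pw):
        failures.append("repetitive")
    if has_sequential_run(pw):
        failures.append("sequential")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the first satisfies every "expected" rule yet
    # fails both of the additional ones; the second passes for a user account.
    for candidate in ("P@ssw0rd123!", "Tq7#vL9!mZ2&kF"):
        print(candidate, check_password(candidate, "user", personal=("sean", "1985")))
```

Note that "P@ssw0rd123!" meets length and all four character classes, which is exactly why complexity-only policies let it through; the dictionary and sequential checks are what reject it, and those are the rules Sean expects users to stumble over.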