+1 I have found using examples to be a huge difference. Telling someone upper case + lower + number + special character + 12 character minimum sounds far more intimidating than "A properly formatted sentence that includes a number." It's hard to have a sentence with less than 12 characters... Using examples makes it easy: A 24 pack of beer? Bring it! My dog ate your 2 cats?

Also, when onboarding, a new user whose assigned password is a proper sentence clues them in. In some cases, knowing what the employee likes (via LinkedIn or other info) you can set the password to include a hobby of theirs, which helps. "I'd love to go skiing 24x7!" or "Seattle Seahawks are #1!" Are there flaws in using a sentence with actual dictionary words? Sure, but tell them they can change "My dog ate your 2 cats?" to "My d0g ate your 2 cats, again?" at password change time and you are teaching them good habits. "When changing your passphrase, add a word and change any letter to a number." Over time it becomes part of the culture, meaning less inertia as new hires come onboard. Also, users help other users instead of all users complaining about passwords. Baby steps...

The occasional downside is there are legacy systems that don't accept passwords over 12 characters long... but that just means the user has to pick something DIFFERENT. Of course, depending on environment, this becomes a pain in the a$$...

Dave

-----Original Message-----
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Wednesday, April 27, 2016 7:32 PM
To: ntsysadm <ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: Password expiring debate on patch management

While it would be nice, it's also expensive. Good 2fa imposes a cost, and losing a smart card invokes a *lot* more pain than forgetting a password.

Kurt

On Wed, Apr 27, 2016 at 5:31 PM, Jack Kramer <j...@smalltype.net> wrote:
> Honestly, any standard requiring frequent change (pretty much anything
> more often than 6mo to a year) is going to produce post-it behaviors.
> You know, where the password is on a post-it under the keyboard.
>
> I would rather see more places implement 2-factor
> authentication--preferably with smart cards so you can also guarantee
> a machine will lock up when the user leaves it (assuming they take
> their card at least--but that's encouraged by also tying the cards to
> access control so you need it for doors and the like).
>
> Sent from my iPhone
>
> On Apr 27, 2016, at 8:15 PM, Sean Martin <seanmarti...@gmail.com> wrote:
>
> Great timing for this thread.
>
> A recently updated password policy has sparked some debate at
> %dayjob%. It contains some of the expected requirements:
>
> - unique per account
> - varying length requirements based on account type (domain user,
>   administrative user, etc.)
> - don't include userID or personal information (birthday, phone
>   number, SS#, etc.)
> - standard complexity requirements
>   (uppercase/lowercase/numerical/special)
>
> ...then some additional requirements, which are raising some eyebrows:
>
> - must not contain a dictionary word
> - must not contain repetitive or sequential characters
> - must not be derived from publicly searchable internet or social
>   media information (favorite sports team, names of friends or family,
>   schools, restaurants, etc.)
>
> While I understand the intent, my opinion is that no typical end-user
> is going to truly understand what these requirements mean, or will
> simply find them too difficult to comply with. Our current expiration policy
> is 90 days.
> I believe the end users would rather deal with more frequent password
> changes than have to adhere to the above stated policy.
>
> Interested in other opinions....
>
> - Sean
>
> On Wed, Apr 27, 2016 at 3:33 PM, Micheal Espinola Jr
> <michealespin...@gmail.com> wrote:
>>
>> Thanks. 100% true story + federal investigation. State lines were
>> crossed, and millions of dollars were at stake.
>>
>> --
>> Espi
>>
>>
>> On Wed, Apr 27, 2016 at 2:39 PM, Dave Lum <l...@ochin.org> wrote:
>>>
>>> That's a perfect example Michael.
>>>
>>> Or, let's say I am in IT at Target, maybe later I move into IT at an
>>> HVAC company that has VPN access to Target (IT guys working at
>>> companies that do business with their former employers? Never
>>> happens right?). Maybe my PC at the HVAC place gets compromised and
>>> since Target never disabled my account and I use the same password
>>> at %newjob% as I did %oldjob%, a simple hop over VPN now leverages
>>> the access I had at Target...
>>>
>>> Except what actually happened with Target was more *harder* than
>>> what I described above.
>>>
>>> IMO any place that doesn't require a password expiration of any kind
>>> is likely (exceptions to this, sure) the same place that doesn't
>>> have a process for disabling all the access former employees have.
>>>
>>> Dave
>>>
>>> From: listsadmin@lists.myitforum.com
>>> [mailto:listsadmin@lists.myitforum.com] On Behalf Of Micheal
>>> Espinola Jr
>>> Sent: Tuesday, April 26, 2016 6:31 PM
>>> To: ntsys...@lists.myitforum.com
>>> Subject: Re: [NTSysADM] RE: Password expiring debate on patch
>>> management
>>>
>>> Old admin knows many management passwords
>>> Old admin goes to work for competitor
>>> Company and competitor are up for same contracts
>>> Old admin remotes into company to look at emails and presentation materials
>>> Competitor starts taking business from company by usurping sales pitches in very specific ways
>>> I get hired 2+ years after old admin in question
>>> I review remote logs to establish behavioral patterns
>>> I see odd logon behavior and trace repetitive IPs
>>> I trace IPs to competitor as well as old admin specifically
>>>
>>> I am Jack's complete lack of surprise when management doesn't change
>>> their password and uses the same passwords for many things.
>>>
>>> --
>>> Espi
>>>
>>> On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim
>>> <kennedy...@elyriaschools.org> wrote:
>>>
>>> "Even six months is far better than never"
>>>
>>> Why?
>>>
>>> ________________________________
>>>
>>> From: listsadmin@lists.myitforum.com
>>> [listsadmin@lists.myitforum.com] on behalf of Dave Lum
>>> [l...@ochin.org]
>>> Sent: Monday, April 25, 2016 6:58 PM
>>> To: ntsys...@lists.myitforum.com
>>> Subject: [NTSysADM] Password expiring debate on patch management
>>>
>>> Anyone see the debate on the Patch management list, driven by this:
>>> https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
>>>
>>> I don't even know how it's a debate other than the desired frequency
>>> (no one-size-fits-all on that IMO). Even six months is far better than
>>> never.
>>> With expiring passwords you at bare minimum mitigate employees that leave.
>>>
>>> David Lum
>>> Systems Administrator III
>>> P: 503.943.2500
>>> E: l...@ochin.org
>>> A: 1881 SW Naito Parkway, Portland, OR 97201
>>> www.ochin.org
>>>
>>> Attention: Information contained in this message and or attachments
>>> is intended only for the recipient(s) named above and may contain
>>> confidential and or privileged material that is protected under
>>> State or Federal law. If you are not the intended recipient, any
>>> disclosure, copying, distribution or action taken on it is
>>> prohibited. If you believe you have received this email in error,
>>> please contact the sender with a copy to complia...@ochin.org, delete this
>>> email and destroy all copies.
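Added example, not code from any poster in this thread: a small Python policy checker that puts Dave's "a properly formatted sentence that includes a number" rule beside the conventional upper/lower/number/special + 12-character rule, adds the "no repetitive or sequential characters" check from Sean's policy, and flags passphrases that will not fit the legacy systems Dave mentions. The sample passphrases are the ones quoted in the thread plus two constructed contrasts; the thresholds (3 words make a sentence, a run of 3 counts as repetitive/sequential, 12-character legacy cap) are assumptions, not anything the posters specified.

```python
"""Passphrase policy checks: sentence rule vs. conventional complexity rule.

Added example for this thread, not code from any poster. Thresholds below
are assumptions chosen to match the numbers mentioned in the discussion.
"""
import string
from typing import List

MIN_LEN = 12         # minimum length named in the thread
LEGACY_MAX_LEN = 12  # cap of the legacy systems Dave mentions (assumed exact)
MIN_WORDS = 3        # assumed: what separates a "sentence" from a word or two
RUN_LEN = 3          # assumed: run length that counts as repetitive/sequential


def complexity_failures(pw: str, min_len: int = MIN_LEN) -> List[str]:
    """Conventional rule: upper + lower + digit + special + minimum length.
    Returns the unmet requirements; an empty list means compliant."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len}")
    if not any(c.isupper() for c in pw):
        failures.append("no upper case")
    if not any(c.islower() for c in pw):
        failures.append("no lower case")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    return failures


def sentence_failures(pw: str) -> List[str]:
    """Dave's rule: a properly formatted sentence that includes a number.
    "Properly formatted" is read as: starts with a capital letter, ends with
    sentence punctuation, and has at least MIN_WORDS whitespace-separated words."""
    failures = []
    if not pw[:1].isupper():
        failures.append("does not start with a capital letter")
    if not pw.rstrip().endswith((".", "!", "?")):
        failures.append("does not end with . ! or ?")
    if len(pw.split()) < MIN_WORDS:
        failures.append(f"fewer than {MIN_WORDS} words")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    return failures


def has_run(pw: str, run_len: int = RUN_LEN) -> bool:
    """Sean's policy: no repetitive ("aaa") or sequential ("abc", "321")
    characters. Slides a window of run_len characters and looks at the
    code-point steps between neighbours: all 0 (repeat), all +1 or all -1."""
    for i in range(len(pw) - run_len + 1):
        window = pw[i:i + run_len]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {0} or steps == {1} or steps == {-1}:
            return True
    return False


def fits_legacy(pw: str, max_len: int = LEGACY_MAX_LEN) -> bool:
    """Legacy systems that reject anything over 12 characters: the user has to
    pick something different there, so report it rather than silently truncate."""
    return len(pw) <= max_len


def evaluate(pw: str) -> dict:
    """Summary a help-desk tool or onboarding script could show the user."""
    return {
        "complexity_ok": not complexity_failures(pw),
        "sentence_ok": not sentence_failures(pw),
        "has_run": has_run(pw),
        "fits_legacy": fits_legacy(pw),
    }


# Constructed sample set: the passphrases quoted in the thread (first five)
# plus two conventional-style passwords for contrast.
SAMPLES = [
    "A 24 pack of beer? Bring it!",
    "My dog ate your 2 cats?",
    "My d0g ate your 2 cats, again?",
    "I'd love to go skiing 24x7!",
    "Seattle Seahawks are #1!",
    "Summer2016!",     # constructed: every character class, but one short of 12
    "Password123!!!",  # constructed: complex by the letter, but 123 and !!! are runs
]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r}: {evaluate(pw)}")
```

Running it shows the point Dave makes: every sentence from the thread clears the conventional complexity rule as a side effect of being a sentence with a number in it, while the short conventional password fails on length and the long one trips the run check. The same output also flags which of them would have to be replaced on a 12-character legacy system.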