Appreciate all of the feedback, and agree with most everything that's been stated. The "debate" up to this point has been informal between just a few of us, I'm sure there will be an opportunity to discuss more formally sometime in the near future. These are the same folks that requested the passwords on all disabled accounts be changed on a routine basis, so I wrote a powershell script to do that. Word of caution, make sure the "krbtgt" account is excluded if you ever attempt something similar. :)
- Sean On Thu, Apr 28, 2016 at 10:20 AM, Mark Gottschalk <mgo...@2roads.com> wrote: > *Security at the expense of usability comes at the expense of security.* > > Many users will write down passwords that must meet the requirements you > described. There is no way that is not going to happen. > > As pointed out earlier, the first four requirements are sound and > logical. The others will cause ongoing problems and probably result in > reduced security because they are so unfriendly to humans. > > Another password creation/memory trick to teach users is to say a song > lyric or famous quote/sentence in their head and use the first letter of > each word, mixing in caps and numbers if needed. > > "It was the best of times, it was the worst of times" = Iwtb0tIwtw0t > "I saw her today at the reception, a glass of wine in her hand" = > IshtatragOwihh > > Easy to remember and reasonably complex. But it gets annoying for long > passwords and would be better, and more secure, just to type a sentence, if > the system allows that. > > Maybe roll out a required password manager program for everyone? There > are some that are centrally controllable. > > -- Mark > > > > From: Sean Martin <seanmarti...@gmail.com> > To: "ntsys...@lists.myitforum.com" <ntsys...@lists.myitforum.com> > Date: 04/27/2016 05:13 PM > Subject: Re: [NTSysADM] RE: Password expiring debate on patch > management > Sent by: <listsadmin@lists.myitforum.com> > ------------------------------ > > > > Great timing for this thread. > > A recently updated password policy has sparked some debate at %dayjob%. It > contains some of the expected requirements: > > - unique per account > - varying length requirements based on account type (domain user, > administrative user, etc.) > - don't include userID or personal information (birthday, phone number, > SS#, etc.) > - standard complexity requirements (uppercase/lowercase/numerical/special) > > ...then some additional requirements, which are raising some eyebrows: > > - must not contain a dictionary word > - must not contain repetitive or sequential characters > - must not be derived from publicly searchable internet or social media > information (favorite sports team, names of friends or family, schools, > restaurants, etc.) > > While I understand the intent, my opinion is that no typical end-user is > going to truly understand what these requirements mean, or will simply find > them too difficult to comply with. Our current expiration policy is 90 > days. I believe the end users would rather deal with more frequent password > changes than have to adhere to the above stated policy. > > Interested in other opinions.... > > - Sean > > On Wed, Apr 27, 2016 at 3:33 PM, Micheal Espinola Jr < > *michealespin...@gmail.com* <michealespin...@gmail.com>> wrote: > Thanks. 100% true story + federal investigation. State lines were > crossed, and millions of dollars were at stake. > > -- > Espi > > > On Wed, Apr 27, 2016 at 2:39 PM, Dave Lum <*l...@ochin.org* > <l...@ochin.org>> wrote: > That’s a perfect example Michael. > > > > Or, let’s say I am in IT at Target, maybe later I move into IT at an HVAC > company that has VPN access to Target (IT guys working at companies that do > business with their former employers? Never happens right?). Maybe my PC at > the HVAC place get compromised and since Target never disabled my account > and I use the same password at %newjob% as I did %oldjob%, a simple hop > over VPN now leverages the access I had at Target… > > > > Except what actually happened with Target was more **harder** than what I > described above. > > > > IMO any place that doesn’t require a password expiration of any kind is > likely (exceptions to this, sure) the same place that doesn’t have a > process for disabling all the access former employees have. > > > > Dave > > > > *From:* *listsadmin@lists.myitforum.com* <listsadmin@lists.myitforum.com> > [mailto:*listsadmin@lists.myitforum.com* <listsadmin@lists.myitforum.com>] > *On Behalf Of *Micheal Espinola Jr > * Sent:* Tuesday, April 26, 2016 6:31 PM > * To:* *ntsys...@lists.myitforum.com* <ntsys...@lists.myitforum.com> > * Subject:* Re: [NTSysADM] RE: Password expiring debate on patch > management > > > 1. Old admin knows many management passwords > 2. Old admin goes to work for competitor > 3. Company and competitor are up for same contracts > 4. Old admin remotes into company to look at emails and > presentation materials > 5. Competitor starts taking business from company by usurping > sales pitches in very specific ways > 6. I get hired 2+ years after old admin in question > 7. I review remote logs to establish behavioral patterns > 8. I see odd logon behavior and trace repetitive IPs > 9. I trace IPs to competitor as well as old admin specifically > > > > I am Jacks complete lack of surprise when management doesnt change their > password and uses the same passwords for many things. > > > > > > -- > Espi > > > > > > On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim < > *kennedy...@elyriaschools.org* <kennedy...@elyriaschools.org>> wrote: > > > > "Even six months is far better than never" > > > > Why? > > > ------------------------------ > > *From:* *listsadmin@lists.myitforum.com* <listsadmin@lists.myitforum.com> > [*listsadmin@lists.myitforum.com* <listsadmin@lists.myitforum.com>] on > behalf of Dave Lum [*l...@ochin.org* <l...@ochin.org>] > * Sent:* Monday, April 25, 2016 6:58 PM > * To:* *ntsys...@lists.myitforum.com* <ntsys...@lists.myitforum.com> > * Subject:* [NTSysADM] Password expiring debate on patch management > > Anyone see the debate on the Patch management list, driven by this: > *https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry* > <https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry> > > > > I don’t even know how it’s a debate other than the desired frequency (no > one-size-fits-all on that IMO). Even six months is far better than never. > With expiring passwords you at bare minimum mitigate employee’s that leave. > > > > *David Lum* > > > *Systems Administrator III P:* *503.943.2500* <503.943.2500> > * E:* *l...@ochin.org* <l...@ochin.org> > * A:** 1881 SW Naito Parkway, Portland, OR 97201* > > > [image: Facebook Link] <https://www.facebook.com/OCHINinc>[image: Twitter > Link] <https://twitter.com/ochininc>[image: Linkedin Link] > <http://www.linkedin.com/company/ochin> *www.ochin.org* > <https://www.ochin.org/> > [image: OCHIN email] > > > > > > > > > > > > Attention: Information contained in this message and or attachments is > intended only for the recipient(s) named above and may contain confidential > and or privileged material that is protected under State or Federal law. If > you are not the intended recipient, any disclosure, copying, distribution > or action taken on it is prohibited. If you believe you have received this > email in error, please contact the sender with a copy to > *complia...@ochin.org* <complia...@ochin.org>, delete this email and > destroy all copies. > > > > Attention: Information contained in this message and or attachments is > intended only for the recipient(s) named above and may contain confidential > and or privileged material that is protected under State or Federal law. If > you are not the intended recipient, any disclosure, copying, distribution > or action taken on it is prohibited. If you believe you have received this > email in error, please contact the sender with a copy to > *complia...@ochin.org* <complia...@ochin.org>, delete this email and > destroy all copies. > > > >
