Ask them one simple question. Where do they think they are going to find a 
password filter that will adhere to and enforce all that nonsense?

If you can’t enforce it in silicon, it sure isn’t happening in carbon reliably.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Sean Martin
Sent: Thursday, April 28, 2016 11:58 AM
To: ntsys...@lists.myitforum.com
Subject: [spam] [dkim-failure] Re: [NTSysADM] RE: Password expiring debate on 
patch management

Appreciate all of the feedback, and agree with most everything that's been 
stated. The "debate" up to this point has been informal between just a few of 
us; I'm sure there will be an opportunity to discuss more formally sometime in 
the near future. These are the same folks that requested the passwords on all 
disabled accounts be changed on a routine basis, so I wrote a PowerShell script 
to do that. Word of caution: make sure the "krbtgt" account is excluded if you 
ever attempt something similar. :)

- Sean
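A minimal version of the rotation Sean describes, written for this thread as an added example rather than his script. It assumes the RSAT ActiveDirectory module and an account allowed to reset passwords, and it shows why the krbtgt exclusion matters: krbtgt is disabled by default, so a naive "all disabled accounts" query includes it (the per-RODC krbtgt_<id> accounts are excluded by the same pattern).

```powershell
function New-RandomPassword {
    param([int]$Length = 32)
    # CSPRNG-backed; rejection sampling (values >= 188) avoids modulo bias
    # over the 94 printable ASCII characters 33..126.
    $chars = [char[]](33..126)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 188) { [void]$sb.Append($chars[$buf[0] % 94]) }
    }
    return ConvertTo-SecureString $sb.ToString() -AsPlainText -Force
}

function Reset-DisabledAccountPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accounts a bulk reset must never touch. krbtgt is the KDC service
        # account: resetting it invalidates every Kerberos ticket in the domain.
        # krbtgt_<id> are the read-only domain controller equivalents.
        [string[]]$ExcludePattern = @('krbtgt', 'krbtgt_*'),
        [int]$Length = 32
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($user in (Get-ADUser -Filter 'Enabled -eq $false')) {
        $protected = $false
        foreach ($pattern in $ExcludePattern) {
            if ($user.SamAccountName -like $pattern) { $protected = $true }
        }
        if ($protected) {
            Write-Warning "Skipping protected account $($user.SamAccountName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset password')) {
            # Nobody records the new value: the account is disabled and stays so.
            Set-ADAccountPassword -Identity $user -Reset `
                -NewPassword (New-RandomPassword -Length $Length)
        }
    }
}

# Dry run first, then the real thing:
Reset-DisabledAccountPassword -WhatIf
```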

On Thu, Apr 28, 2016 at 10:20 AM, Mark Gottschalk <mgo...@2roads.com> wrote:
Security at the expense of usability comes at the expense of security.

Many users will write down passwords that must meet the requirements you 
described.  There is no way that is not going to happen.

As pointed out earlier, the first four requirements are sound and logical.  The 
others will cause ongoing problems and probably result in reduced security 
because they are so unfriendly to humans.

Another password creation/memory trick to teach users is to say a song lyric or 
famous quote/sentence in their head and use the first letter of each word, 
mixing in caps and numbers if needed.

"It was the best of times, it was the worst of times" = Iwtb0tIwtw0t
"I saw her today at the reception, a glass of wine in her hand" = IshtatragOwihh

Easy to remember and reasonably complex.  But it gets annoying for long 
passwords and would be better, and more secure, just to type a sentence, if the 
system allows that.

Maybe roll out a required password manager program for everyone?  There are 
some that are centrally controllable.

-- Mark



From: Sean Martin <seanmarti...@gmail.com>
To: "ntsys...@lists.myitforum.com" <ntsys...@lists.myitforum.com>
Date: 04/27/2016 05:13 PM
Subject: Re: [NTSysADM] RE: Password expiring debate on patch management
Sent by: <listsadmin@lists.myitforum.com>
________________________________



Great timing for this thread.

A recently updated password policy has sparked some debate at %dayjob%. It 
contains some of the expected requirements:

- unique per account
- varying length requirements based on account type (domain user, 
administrative user, etc.)
- don't include userID or personal information (birthday, phone number, SS#, 
etc.)
- standard complexity requirements (uppercase/lowercase/numerical/special)

...then some additional requirements, which are raising some eyebrows:

- must not contain a dictionary word
- must not contain repetitive or sequential characters
- must not be derived from publicly searchable internet or social media 
information (favorite sports team, names of friends or family, schools, 
restaurants, etc.)

While I understand the intent, my opinion is that no typical end-user is going 
to truly understand what these requirements mean, or will simply find them too 
difficult to comply with. Our current expiration policy is 90 days. I believe 
the end users would rather deal with more frequent password changes than have 
to adhere to the above stated policy.

Interested in other opinions....

- Sean
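An added checker (not from the thread or any product) for the policy Sean lists, showing which of the eyebrow-raising rules a filter can actually test mechanically. The user ID and word list are passed in as assumptions; the "derived from social media information" rule has no mechanical test and is deliberately not implemented.

```powershell
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$UserId = '',
        [string[]]$Dictionary = @(),   # assumed word list; a real filter loads one
        [int]$MinLength = 12
    )
    $failures = @()
    $lower = $Password.ToLowerInvariant()

    if ($Password.Length -lt $MinLength) { $failures += "shorter than $MinLength characters" }
    # Standard complexity: upper, lower, digit, special (-cmatch is case-sensitive)
    if (-not ($Password -cmatch '[A-Z]' -and $Password -cmatch '[a-z]' -and
              $Password -match '[0-9]' -and $Password -match '[^A-Za-z0-9]')) {
        $failures += 'missing a character class'
    }
    if ($UserId -and $lower.Contains($UserId.ToLowerInvariant())) {
        $failures += 'contains the user ID'
    }
    # Dictionary word as a substring, case-insensitive; words under 4 letters ignored
    foreach ($w in $Dictionary) {
        if ($w.Length -ge 4 -and $lower.Contains($w.ToLowerInvariant())) {
            $failures += "contains dictionary word '$w'"; break
        }
    }
    # Repetitive: the same character three or more times in a row (aaa, 111)
    if ($Password -match '(.)\1\1') { $failures += 'repeated character run' }
    # Sequential: three adjacent code points ascending or descending (abc, 321)
    for ($i = 0; $i -le $lower.Length - 3; $i++) {
        $a = [int]($lower[$i]); $b = [int]($lower[$i + 1]); $c = [int]($lower[$i + 2])
        if (($b - $a -eq 1 -and $c - $b -eq 1) -or ($a - $b -eq 1 -and $b - $c -eq 1)) {
            $failures += "sequential characters at offset $i"; break
        }
    }
    [pscustomobject]@{ Compliant = ($failures.Count -eq 0); Failures = $failures }
}

# Mark's first-letter example from the thread: fails only the special-character rule
Test-PasswordPolicy -Password 'Iwtb0tIwtw0t' -UserId 'smartin' -Dictionary @('password', 'welcome')
```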

On Wed, Apr 27, 2016 at 3:33 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:
Thanks.  100% true story + federal investigation.  State lines were crossed, 
and millions of dollars were at stake.

--
Espi


On Wed, Apr 27, 2016 at 2:39 PM, Dave Lum <l...@ochin.org> wrote:
That’s a perfect example Michael.



Or, let’s say I am in IT at Target, maybe later I move into IT at an HVAC 
company that has VPN access to Target (IT guys working at companies that do 
business with their former employers? Never happens, right?). Maybe my PC at the 
HVAC place gets compromised and since Target never disabled my account and I use 
the same password at %newjob% as I did %oldjob%, a simple hop over VPN now 
leverages the access I had at Target…



Except what actually happened with Target was more *harder* than what I 
described above.



IMO any place that doesn’t require a password expiration of any kind is likely 
(exceptions to this, sure) the same place that doesn’t have a process for 
disabling all the access former employees have.



Dave



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Micheal Espinola Jr
Sent: Tuesday, April 26, 2016 6:31 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] RE: Password expiring debate on patch management


1. Old admin knows many management passwords
2. Old admin goes to work for competitor
3. Company and competitor are up for same contracts
4. Old admin remotes into company to look at emails and presentation materials
5. Competitor starts taking business from company by usurping sales pitches in very specific ways
6. I get hired 2+ years after old admin in question
7. I review remote logs to establish behavioral patterns
8. I see odd logon behavior and trace repetitive IPs
9. I trace IPs to competitor as well as old admin specifically



I am Jack's complete lack of surprise when management doesn't change their 
password and uses the same passwords for many things.





--
Espi





On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:



"Even six months is far better than never"



Why?



________________________________

From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on 
behalf of Dave Lum [l...@ochin.org]
Sent: Monday, April 25, 2016 6:58 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Password expiring debate on patch management

Anyone see the debate on the Patch management list, driven by this: 
https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry



I don’t even know how it’s a debate other than the desired frequency (no 
one-size-fits-all on that IMO). Even six months is far better than never. With 
expiring passwords you at bare minimum mitigate employees that leave.



David Lum

Systems Administrator III
P: 503.943.2500
E: l...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201

Attention: Information contained in this message and or attachments is intended 
only for the recipient(s) named above and may contain confidential and or 
privileged material that is protected under State or Federal law. If you are 
not the intended recipient, any disclosure, copying, distribution or action 
taken on it is prohibited. If you believe you have received this email in 
error, please contact the sender with a copy to 
complia...@ochin.org, delete this email and destroy all copies.


