My thoughts after two weeks on this are that I need 12 beers tonight. Everyone has their opinion on this and all are relevant to them. I have agreed with more of what has been written than I have disagreed with. At the end of the day it comes down to the users following policy, for me anyways. Now about those beers!

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, April 29, 2016 11:41 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Password expiring debate on patch management

“Camaro1967” or “I drank 12 beers last night!”. The second one, by far.

I drank 12 beers last night! - or - I dr@nk 12 b33rs last night! The second one, but the first is so secure it is academic.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Dave Lum
Sent: Friday, April 29, 2016 11:33 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Password expiring debate on patch management

Fair enough, the near-perfect password would have those attributes. Honest question… which is the stronger password of these two: “Camaro1967” or “I drank 12 beers last night!”?

Also, does swapping a commonly-substituted character make much difference (@ for “a”, 3 for “e”, etc.) these days? I read that some of the later tools make the substitutions in their attempts, so the two examples below offer very little change in complexity to them:

I drank 12 beers last night! - or - I dr@nk 12 b33rs last night!

Thoughts?

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Andrew S. Baker
Sent: Thursday, April 28, 2016 8:11 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] RE: Password expiring debate on patch management

IMO…

- must not contain a dictionary word
---- Silly, and counterproductive for long passphrases

- must not contain repetitive or sequential characters
--- Okay, not “aaaa” or “abcde”, but not “call” or “innocence”? Silly.

- must not be derived from publicly searchable internet or social media information (favorite sports team, names of friends or family, schools, restaurants, etc.)
-- Who plans to regulate that? That's at the other extreme of shortsighted.

Regards,
ASB
http://XeeMe.com/AndrewBaker
Providing Expert Technology Consulting Services for the SMB market…
GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Wed, Apr 27, 2016 8:08 PM, Sean Martin seanmarti...@gmail.com wrote:

Great timing for this thread. A recently updated password policy has sparked some debate at %dayjob%. It contains some of the expected requirements:

- unique per account
- varying length requirements based on account type (domain user, administrative user, etc.)
- don't include userID or personal information (birthday, phone number, SS#, etc.)
- standard complexity requirements (uppercase/lowercase/numerical/special)

...then some additional requirements, which are raising some eyebrows:

- must not contain a dictionary word
- must not contain repetitive or sequential characters
- must not be derived from publicly searchable internet or social media information (favorite sports team, names of friends or family, schools, restaurants, etc.)

While I understand the intent, my opinion is that no typical end-user is going to truly understand what these requirements mean, or will simply find them too difficult to comply with. Our current expiration policy is 90 days. I believe the end users would rather deal with more frequent password changes than have to adhere to the above stated policy.

Interested in other opinions....

- Sean

On Wed, Apr 27, 2016 at 3:33 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:

Thanks. 100% true story + federal investigation. State lines were crossed, and millions of dollars were at stake.

--
Espi

On Wed, Apr 27, 2016 at 2:39 PM, Dave Lum <l...@ochin.org> wrote:

That’s a perfect example Michael. Or, let’s say I am in IT at Target, maybe later I move into IT at an HVAC company that has VPN access to Target (IT guys working at companies that do business with their former employers? Never happens, right?). Maybe my PC at the HVAC place gets compromised, and since Target never disabled my account and I use the same password at %newjob% as I did at %oldjob%, a simple hop over VPN now leverages the access I had at Target… Except what actually happened with Target was even *harder* than what I described above.

IMO any place that doesn’t require a password expiration of any kind is likely (exceptions to this, sure) the same place that doesn’t have a process for disabling all the access former employees have.

Dave

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Tuesday, April 26, 2016 6:31 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] RE: Password expiring debate on patch management

1. Old admin knows many management passwords
2. Old admin goes to work for competitor
3. Company and competitor are up for same contracts
4. Old admin remotes into company to look at emails and presentation materials
5. Competitor starts taking business from company by usurping sales pitches in very specific ways
6. I get hired 2+ years after old admin in question
7. I review remote logs to establish behavioral patterns
8. I see odd logon behavior and trace repetitive IPs
9. I trace IPs to competitor as well as old admin specifically

I am Jack's complete lack of surprise when management doesn't change their password and uses the same passwords for many things.

--
Espi

On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:

"Even six months is far better than never"

Why?

________________________________
From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf of Dave Lum [l...@ochin.org]
Sent: Monday, April 25, 2016 6:58 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Password expiring debate on patch management

Anyone see the debate on the Patch management list, driven by this: https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

I don’t even know how it’s a debate other than the desired frequency (no one-size-fits-all on that IMO). Even six months is far better than never. With expiring passwords you at bare minimum mitigate employees that leave.

David Lum
Systems Administrator III
P: 503.943.2500
E: l...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201
www.ochin.org

Attention: Information contained in this message and or attachments is intended only for the recipient(s) named above and may contain confidential and or privileged material that is protected under State or Federal law. If you are not the intended recipient, any disclosure, copying, distribution or action taken on it is prohibited. If you believe you have received this email in error, please contact the sender with a copy to complia...@ochin.org, delete this email and destroy all copies.

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
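An added example, written for this page and not posted by anyone on the list, to put numbers on Dave's two questions (Camaro1967 vs. the passphrase, and whether @/3 substitutions help). It models how a rule-based cracker works: take a base word or phrase, apply mangling rules (casing, appended year, leet swaps), and count how many candidates it takes to reach the target. The word list, year range and substitution table are constructed for the example; real rule sets are larger, but the shape of the result is the same.

```python
"""Added example: cost of "word + year" and leet-substitution passwords
against a rule-based cracker. Not code from the thread; the word list,
year range and LEET table are constructed assumptions.
"""
from itertools import product
from typing import Iterable, Iterator, Optional

# Substitutions that appear in common cracking rule sets (constructed subset).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7", "l": "1"}


def leet_variants(base: str) -> Iterator[str]:
    """Yield `base` with every subset of its substitutable letters swapped.

    The unmodified phrase comes first. With k substitutable letters there are
    exactly 2**k variants, so a cracker exhausts this rule family cheaply.
    """
    positions = [i for i, c in enumerate(base) if c.lower() in LEET]
    for mask in product((False, True), repeat=len(positions)):
        chars = list(base)
        for swap, pos in zip(mask, positions):
            if swap:
                chars[pos] = LEET[chars[pos].lower()]
        yield "".join(chars)


def word_year_variants(words: Iterable[str], years: range = range(1950, 2021)) -> Iterator[str]:
    """Yield word+year candidates in three casings: the "Camaro1967" pattern."""
    for word in words:
        for cased in (word, word.capitalize(), word.upper()):
            for year in years:
                yield f"{cased}{year}"


def guesses_until_hit(candidates: Iterable[str], target: str) -> Optional[int]:
    """How many candidates the cracker tries before `target` comes up,
    or None if this rule family never produces it."""
    for n, cand in enumerate(candidates, start=1):
        if cand == target:
            return n
    return None


def substitution_cost(base: str) -> int:
    """Upper bound on the extra guesses leet swaps add for `base`: 2**k."""
    return 2 ** sum(1 for c in base if c.lower() in LEET)


if __name__ == "__main__":
    # Constructed tiny word list; a real one has millions of entries, but
    # "camaro" is in every one of them, so only the position differs.
    cars = ["camaro", "mustang", "corvette"]
    print("Camaro1967 reached after",
          guesses_until_hit(word_year_variants(cars), "Camaro1967"), "guesses")

    phrase = "I drank 12 beers last night!"
    leet = "I dr@nk 12 b33rs last night!"
    print("leet variant reached after",
          guesses_until_hit(leet_variants(phrase), leet),
          "of at most", substitution_cost(phrase), "mangled guesses")
    # The word+year rules never reach the passphrase at all:
    print("passphrase via word+year rules:",
          guesses_until_hit(word_year_variants(cars), phrase))
```

The takeaway matches Jim's answer: the substitutions multiply the attacker's work by at most 2^k for k swappable letters (2048 here, found on guess 897), which is nothing next to the cost of guessing a 28-character phrase that is not in any list, while Camaro1967 falls to a car-name list plus an "append a year" rule within a few hundred guesses per word.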
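A second added example, also not from the thread, for the log review Espi describes in steps 7 to 9: establish per-account remote-logon patterns, pick out repeated after-hours logons from the same address, and attribute that address to an outside party. The log lines, the departed-account list and the netblock table are all constructed; the table stands in for whatever WHOIS or inventory data you actually have, and the addresses are TEST-NET ranges.

```python
"""Added example: first-pass review of remote-access logons for the pattern
described in the thread (a departed admin's account still logging on,
repeatedly, from the same outside address). Constructed data throughout.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) VPN-LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log (assumed format; adapt LOG_RE to your concentrator).
SAMPLE_LOG = """\
2016-04-18T08:02:11 VPN-LOGON user=alice src=198.51.100.20 result=success
2016-04-18T08:15:40 VPN-LOGON user=bob src=198.51.100.21 result=success
2016-04-18T23:41:05 VPN-LOGON user=oldadmin src=203.0.113.45 result=success
2016-04-19T09:01:57 VPN-LOGON user=alice src=198.51.100.20 result=success
2016-04-19T23:52:12 VPN-LOGON user=oldadmin src=203.0.113.45 result=success
2016-04-20T00:07:30 VPN-LOGON user=ceo src=203.0.113.46 result=success
2016-04-20T08:11:02 VPN-LOGON user=bob src=198.51.100.21 result=failure
2016-04-20T23:58:44 VPN-LOGON user=oldadmin src=203.0.113.45 result=success
"""

# Constructed: accounts HR says have left, and netblocks you have already
# attributed (owner, trusted?). Unknown addresses are not flagged by
# attribution alone, since home users will show up from anywhere.
DEPARTED = {"oldadmin"}
NETBLOCKS = [
    (ipaddress.ip_network("198.51.100.0/24"), "Corporate office", True),
    (ipaddress.ip_network("203.0.113.0/24"), "Competitor Inc (per WHOIS, constructed)", False),
]


def parse(log_text: str):
    """Parse matching lines into dicts with a datetime; skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def attribute(ip: str):
    """Return (owner, trusted) for the first netblock containing `ip`."""
    addr = ipaddress.ip_address(ip)
    for net, owner, trusted in NETBLOCKS:
        if addr in net:
            return owner, trusted
    return "unknown", False


def review(log_text: str, min_repeats: int = 2, after_hours=(20, 7)):
    """Review successful logons; return {(user, src): [reasons]}.

    Flags a (user, src) pair when the account is on the departed list, when
    the source is attributed to an untrusted party, or when the pair has at
    least `min_repeats` logons outside business hours (default 20:00-07:00).
    """
    start, end = after_hours
    success = Counter()   # (user, src) -> successful logons
    late = Counter()      # (user, src) -> of those, outside business hours
    for ev in parse(log_text):
        if ev["result"] != "success":
            continue
        key = (ev["user"], ev["src"])
        success[key] += 1
        if ev["ts"].hour >= start or ev["ts"].hour < end:
            late[key] += 1

    findings = defaultdict(list)
    for (user, src), n in success.items():
        owner, trusted = attribute(src)
        if user in DEPARTED:
            findings[(user, src)].append(f"departed account still logging on ({n} times)")
        if not trusted and owner != "unknown":
            findings[(user, src)].append(f"source address attributed to {owner}")
        if late[(user, src)] >= min_repeats:
            findings[(user, src)].append(
                f"{late[(user, src)]} after-hours logons from the same address")
    return dict(findings)


if __name__ == "__main__":
    for (user, src), reasons in review(SAMPLE_LOG).items():
        print(f"{user} from {src}:")
        for r in reasons:
            print("  -", r)
```

Run against the sample, oldadmin's address gets all three reasons and the ceo account is flagged once for coming from the attributed netblock, which is the point in the story where a password that was never rotated and an account that was never disabled show up together in the logs.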