My view is what it protects you against is the dual use of a password and the other org giving up the hash. So Bob uses the same password at my org as he used at Ashley Madison. They cough up the hash, the bad guys start to reverse it. It becomes a race, will they reverse it before Bob's PW expires in my org. More than 12 characters I would probably win, less than that probably not.
And of course the bad guys have to make the connection that Bob at Ashley is Bob at my org. And that is where I start to feel it just isn't worth it. I guess what gets lost in this debate is what you bring up. How solid are your other controls, as you mention admin rights, applocker, patching, very solid web filtering, EMET and active intrusion detection. I strongly believe that we are in a really good place on the important items. We actually have agents on every box in the org phoning to a 24/7 monitored NOC watching for things in amazing detail. It's all relative to your overall posture I guess. I answered you on your 2FA comment in more detail. Short version: passwords are broken, they are not very mitigatable.

________________________________
From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf of Kurt Buff [kurt.b...@gmail.com]
Sent: Monday, April 25, 2016 8:54 PM
To: ntsysadm
Subject: Re: [NTSysADM] RE: Password expiring debate on patch management

At the very least exfiltration - with long enough passwords, it helps mitigate that. Of course, you should have other measures in place, such as no administrative access for users, whitelisting of software, etc.

As I stated on the other list, not requiring passwords to expire isn't an argument against passwords (complex/long or not), it's an argument for 2fa, which might, or might not, be feasible for a given situation.

Kurt

On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:

"Even six months is far better than never"

Why?
________________________________
From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf of Dave Lum [l...@ochin.org]
Sent: Monday, April 25, 2016 6:58 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Password expiring debate on patch management

Anyone see the debate on the Patch management list, driven by this: https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

I don't even know how it's a debate other than the desired frequency (no one-size-fits-all on that IMO). Even six months is far better than never. With expiring passwords you at bare minimum mitigate employees that leave.

David Lum
Systems Administrator III
P: 503.943.2500
E: l...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201
www.ochin.org
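The "race" argument at the top of the thread (will a leaked hash be reversed before the reused password expires at my org?) can be put into numbers. The following is an added example, not code from any poster on the list. It models exhaustive guessing over a character set, so it is an upper bound on attacker effort: real cracking uses wordlists and mangling rules, and a human-chosen 12-character password can fall far faster than this model predicts. The guess rates and the hash names keyed to them are labelled assumptions, not measurements.

```python
import math

# Assumed offline guessing rates, in guesses per second, for a single
# cracking rig. These are constructed, illustrative figures only; real
# rates depend on hardware, cost parameters and the exact hash format.
ASSUMED_RATES = {
    "fast_unsalted_hash": 1e11,   # e.g. an NTLM/MD5-class hash (assumed)
    "slow_adaptive_hash": 1e4,    # e.g. bcrypt at a high cost (assumed)
}

# Alphabet sizes for a few password character classes.
CHARSETS = {
    "lower": 26,
    "alnum": 62,
    "alnum_symbols": 95,
}

SECONDS_PER_DAY = 86400


def keyspace(length, alphabet_size):
    """Number of candidate passwords of exactly this length and alphabet."""
    return alphabet_size ** length


def expected_crack_days(length, alphabet_size, guesses_per_second):
    """Expected days to hit the password by exhaustive guessing.

    On average the attacker finds the password halfway through the space,
    so the expectation is keyspace / 2 divided by the guess rate.
    """
    seconds = keyspace(length, alphabet_size) / 2 / guesses_per_second
    return seconds / SECONDS_PER_DAY


def expiry_wins(length, alphabet_size, guesses_per_second, expiry_days):
    """True if the password is expected to expire before it is recovered."""
    return expected_crack_days(length, alphabet_size, guesses_per_second) > expiry_days


def shortest_length_that_outlasts(alphabet_size, guesses_per_second,
                                  expiry_days, max_length=64):
    """Smallest length for which the expiry window beats the expected crack time.

    Returns None if no length up to max_length is enough.
    """
    for n in range(1, max_length + 1):
        if expiry_wins(n, alphabet_size, guesses_per_second, expiry_days):
            return n
    return None


def entropy_bits(length, alphabet_size):
    """Brute-force entropy of a random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    expiry = 90  # days; a common rotation interval, used as an example
    print(f"expiry window: {expiry} days")
    for hash_name, rate in ASSUMED_RATES.items():
        for cs_name, size in CHARSETS.items():
            n = shortest_length_that_outlasts(size, rate, expiry)
            print(f"{hash_name:20s} {cs_name:14s} "
                  f"needs length >= {n} ({entropy_bits(n, size):.0f} bits)")
```

With the assumed fast-hash rate and a 62-character alphabet, an expiry window of 90 days only outlasts exhaustive guessing at 11 characters or more, which lines up with the "more than 12 characters I would probably win" estimate above; with the assumed slow adaptive hash, even an 8-character lowercase password outlasts the same window. The practical reading is that the outcome of the race depends far more on how the other org hashed the password than on anything the expiry policy controls.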