In TPOSANA (google it, if you don't know it) there's an example I like. At least one company has a practice of a yearly password change day. It's announced to the entire company well ahead of time, multiple times. On the day, everyone's password is expired, and all must change theirs.
If I could get our company to do that, coupled with education about using a passphrase of 16 characters or longer, and a policy enforcing it, I'd be a very happy man.

Kurt

On Tue, Nov 3, 2009 at 14:33, Andrew S. Baker <[email protected]> wrote:
> Understood, but the point being made by the SANS.org incident handler is that unless you are changing the password often, you're not really helping yourself be more secure. The window of time where the password is static is more than long enough to be brute-forced.
>
> The likelihood is that the attacker will get in because the password is dumb (something you can somewhat control) or that they will enter via some variant of social engineering and get themselves elevated rights.
>
> Think about it: Of all the exploits that are in the wild today, how many of them rely on obtaining the user's password to be successful? How many of the millions of systems currently employed as members of botnets ended up there because their password was compromised?
>
> Are we adding any value beyond possible helpdesk statistics (from all the password resets immediately after a change cycle) by frequent password changes?
>
> ASB (My XeeSM Profile)
> Providing Competitive Advantage through Effective IT Leadership
>
> On Tue, Nov 3, 2009 at 5:16 PM, Jonathan Link <[email protected]> wrote:
>>
>> My context is recycling passwords across different environments and I neglected to mention that I do enforce a password history.
>>
>> Password age in that context will at least force a user to create a different password, hopefully different from the one that is being used on other sites the user frequents. It's an imperfect tool, but it's the only tool I have. Education, in my experience, hasn't been sufficient to encourage users to not use the same password for multiple sites.
>>
>> On Tue, Nov 3, 2009 at 3:45 PM, Andrew S. Baker <[email protected]> wrote:
>>>
>>> But how does password age help with your environment's security?
>>>
>>> (BTW, you can control recycling in a Windows environment through password history)
>>>
>>> ASB (My XeeSM Profile)
>>> Providing Competitive Advantage through Effective IT Leadership
>>>
>>> On Tue, Nov 3, 2009 at 3:13 PM, Jonathan Link <[email protected]> wrote:
>>>>
>>>> If all environments were equally secure, had the same level of IT controls, and I could ensure that my users don't recycle passwords from one environment to the next, then yes, I'm all for this. But I can't control users or other environments, and the only tools I have (imperfect though they may be) are password complexity and password age. Password complexity is a necessity everywhere; if a user chooses to use it or not in environments which don't require it then, so be it, but in our environment I can ensure that. I can't control the recycling, so the only tool I have against that is the password age, which has another set of problems...
>>>>
>>>> -Jonathan
>>>>
>>>> On Mon, Nov 2, 2009 at 2:10 PM, Ben Scott <[email protected]> wrote:
>>>>>
>>>>> On Mon, Nov 2, 2009 at 9:38 AM, David Lum <[email protected]> wrote:
>>>>> > Thoughts, comments? Oh and do read the comments.
>>>>>
>>>>> I've sometimes wondered if we wouldn't be better off enforcing (1) a very long minimum password length and (2) complexity checking that only filters stupid sequences. Thus encouraging users to use non-trivial passphrases rather than passwords.
>>>>>
>>>>> Shook and Caesare sitting in a tree
>>>>>
>>>>> is going to be both hard to guess and easy to remember, while
>>>>>
>>>>> S5p$3xQ!
>>>>>
>>>>> is only hard to guess, and thus much more likely to be on a Post-It note.
>>>>>
>>>>> -- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
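The policy the thread converges on (Ben's long minimum length plus a complexity filter that only rejects trivial sequences, Kurt's 16-character passphrase floor, and Jonathan's enforced password history) as an added example in Python; this is not code from the original thread or from any product named in it. The 16-character minimum comes from Kurt's message. The list of common fragments, the PBKDF2 parameters and the history depth of 10 are constructed assumptions, and the history stores only salted hashes so that old passwords are never kept in the clear.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 16  # passphrase floor taken from the thread

# Constructed sample of fragments to reject; a real deployment would load a much larger list.
TRIVIAL_FRAGMENTS = ("password", "qwerty", "letmein", "123456", "abcdef")


def has_trivial_sequence(pw: str) -> bool:
    """Reject only the 'stupid sequences' Ben describes, not ordinary words."""
    low = pw.lower()
    # The same character four or more times in a row (aaaa, 1111).
    if re.search(r"(.)\1{3}", low):
        return True
    # Four or more characters that step up or down by one code point (abcd, 4321).
    for i in range(len(low) - 3):
        codes = [ord(c) for c in low[i:i + 4]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return any(frag in low for frag in TRIVIAL_FRAGMENTS)


@dataclass
class PasswordHistory:
    """Keeps the last `depth` passwords as (salt, PBKDF2 digest) pairs, never as plaintext."""
    depth: int = 10  # assumed history depth
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        # Assumed parameters; the point is a slow, salted hash per history entry.
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 50_000)

    def contains(self, pw: str) -> bool:
        # Constant-time comparison against every stored digest with its own salt.
        return any(hmac.compare_digest(self._digest(pw, salt), digest)
                   for salt, digest in self.entries)

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(pw, salt)))
        del self.entries[:-self.depth]  # drop entries beyond the configured depth


def check_passphrase(candidate: str, history: PasswordHistory) -> list:
    """Return the list of policy violations; an empty list means the passphrase is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_trivial_sequence(candidate):
        problems.append("contains a trivial sequence or common fragment")
    if history.contains(candidate):
        problems.append(f"matches one of the last {history.depth} passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    for pw in ("Shook and Caesare sitting in a tree", "S5p$3xQ!", "abcdefghijklmnopqrst"):
        print(repr(pw), "->", check_passphrase(pw, hist) or "accepted")
```

Run with the two passphrases from Ben's message and the long passphrase passes while the eight-character string fails only on length; `abcdefghijklmnopqrst` clears the length floor but is caught by the sequence filter, which is the behaviour the thread asks for: long and memorable is fine, long and mechanical is not.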
