Password debate



DanW-MHTN
08-Apr-2015, 21:46
I wish to stir up a password policy debate and it was suggested that
this was the place to do so. I have looked around for best practices for
password policies. I see more and more articles saying that you should
increase the complexity of the passwords and make it so that users don't
change their passwords as often. I understand and see the logic
purported by some that a strong password should not need to be changed
as often. Some of the logic goes that people who one, hate passwords and
two, have to change them often will come up with a scheme that fits the
policy but is easily predictable. For instance we have found out that a
large percentage use month and year as their password.

What I don't see in the debate is the user expectation that they can
connect with any device from any location and access corporate data and
how that should affect password complexity and the change of password
frequency.

Let me give you a for instance. For us, users without remote access have
the same complexity requirements but only change their password every
120 days. Users with remote access change passwords every 40 days.

The logic in this is that if they attempt access from a compromised
platform, say a computer in a hotel's business center that has had a key
logger placed on it (or even a home computer where the kids have done
who knows what and been who knows where on the Internet), the password
that they use is then compromised but there is a limited time the
password is good for. Our VPN remote access does check for anti-virus
being up to date, a scan run in the last 30 days and so forth, but it
checks those things only after the credentials are presented, thus the
password is compromised. Remote access for things like Novell Filr and
GroupWise web access do not have the "security" checks the VPN does and
reinforce the logic listed above.

The battle I am fighting is one where the powers that be feel that 40
days is too short and we should go to 180 days or possibly never
expiring a password.

What are the prevailing thoughts in your organization regarding passwords
in general, and has any thought been put into how remote access affects
this policy?


--
DanW-MHTN
------------------------------------------------------------------------
DanW-MHTN's Profile: https://forums.novell.com/member.php?userid=5189
View this thread: https://forums.novell.com/showthread.php?t=482889

Stevo
08-Apr-2015, 23:24
DanW-MHTN sounds like they 'said':

> What is the prevailing thoughts in your organization regarding
> passwords in general and has any thought been put into how remote
> access effects this policy?

So my response to DanW's comment is...

We have it set up where users need to change their password every 90
days, with these 'complexity' conditions set:

1. Need 3 of the 4 conditions in their password:
a. lowercase letters
b. uppercase letters
c. numbers (not to exceed more than 4 in their password)
   - This is to keep them from using their phone number, mo-day-yr, etc.
d. special characters

2. Cannot have either first or last name in their password (something
like 4 consecutive characters of it anyway)

3. Have at least 3 passwords before they can repeat any passwords.
(This is not real secure I know, but many of our users are [L]users)


We are looking at different types of remote access, and we have been
kicking around the idea of remote/mobile users needing two-form
authentication, whereas the non-mobile users only need one.

How's *that* for a bold, pot-stirring statement for a debate? ;-)

--
Stevo
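As an added example (not code from this thread or from any Novell product), here is a Python checker that encodes the rules Stevo lists above: 3 of 4 character classes, at most 4 digits, no 4-character run of the user's first or last name, and no reuse of the last 3 passwords. It goes one step beyond the post with a coarse month+year check for the scheme DanW describes; constant and function names are mine, and old passwords are compared by digest so plaintext history is never stored.

```python
import hashlib
import re
from typing import List

# Thresholds taken from the post; helper and constant names are my own.
MAX_DIGITS = 4          # "numbers (not to exceed more than 4)"
NAME_RUN = 4            # "4 consecutive characters" of first or last name
HISTORY_DEPTH = 3       # "at least 3 passwords before they can repeat"
# Coarse month+year detector (my extension, prompted by DanW's observation).
MONTH_YEAR = re.compile(
    r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*[^a-z0-9]*(19|20)?\d{2}",
    re.IGNORECASE,
)

def class_count(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])

def contains_name_run(pw: str, name: str, run: int = NAME_RUN) -> bool:
    """True if any `run` consecutive characters of name appear in pw (case-insensitive)."""
    name, pw = name.lower(), pw.lower()
    if len(name) < run:
        return bool(name) and name in pw
    return any(name[i:i + run] in pw for i in range(len(name) - run + 1))

def pw_digest(pw: str) -> str:
    """Digest stored in the history list (constructed; a real store would use a slow password hash)."""
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(pw: str, first: str, last: str, history: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if class_count(pw) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if sum(c.isdigit() for c in pw) > MAX_DIGITS:
        problems.append(f"more than {MAX_DIGITS} digits")
    if contains_name_run(pw, first) or contains_name_run(pw, last):
        problems.append(f"contains {NAME_RUN} consecutive characters of the user's name")
    if pw_digest(pw) in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if MONTH_YEAR.search(pw):
        problems.append("looks like a month+year pattern")
    return problems
```

Note that "April2015!" satisfies every one of the listed complexity rules and is only caught by the extra pattern check, which is the point DanW makes about predictable schemes.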

Jim Henderson
09-Apr-2015, 01:05
On Wed, 08 Apr 2015 22:24:13 +0000, Stevo wrote:

> We are looking at different types of remote access, and we have been
> kicking around the idea of remote/mobile users needing two form
> authentication, whereas the non mobile users only need one.

This is where I see things going; passwordless login is, I think, where the
industry is heading.

Jim
--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner

Anders Gustafsson
09-Apr-2015, 06:39
DanW-MHTN,
> The battle I am fighting is one where the powers that be feel that 40
> days is too short and we should go to 180 days or possibly never
> expiring a password.

Does not sound like a good idea, unless augmented by an extra
measure, such as an RSA key or Mobile.

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms

laurabuckley
09-Apr-2015, 11:26
Hi,

Just to throw a spanner in the works.... regardless of your password
policy you also need to "strongly" protect users against social
engineering and phishing or spear phishing attacks. It is my opinion
that these have been the greatest cause of compromised passwords.

Cheers,


--
Laura Buckley
Technical Consultant
IT Dynamics, South Africa


laurabuckley
09-Apr-2015, 12:06
Hi,

Further to my spanner in the works above, here is a good read including
reference to the West Point (military academy) Carronade that was
conducted:

http://www.educause.edu/ero/article/fostering-e-mail-security-awareness-west-point-carronade

Cheers,


--
Laura Buckley
Technical Consultant
IT Dynamics, South Africa


DanW-MHTN
09-Apr-2015, 21:56
Thanks so much for the comments. I especially enjoyed the "[L]users"
(LOL). I think the makeup of the password and second factor are
relevant and helpful.

Now how about "password age" of how long a password is good for?


--
DanW-MHTN

Stevo
09-Apr-2015, 22:22
DanW-MHTN sounds like they 'said':

> Now how about "password age" of how long a password is good for?

So my response to DanW's comment is...

Ours need to be changed every 90 days, which for some people is still
WAY too often.

--
Stevo