Password Policy - What do you think?

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    Password Policy - What do you think?

    Traditionally all of us have been taught that password policies are a must along with the thought that passwords must be changed on a regular basis. This even comes up in the CISSP exam. When you look at how a security team operates, those that are considered excellent and cutting edge all have a password policy that always includes some kind of periodic forced password change.

    I'm going to throw something out there and see what you all think. Let's say that I have had a brick fall on my head and I decide that security is more a human-centric issue than a technical issue. Now, since the bump on my head is really big, I determine that if I make my alpha passwords with special characters too confusing, my end users are going to write them down or store them somewhere without the slightest bit of protection.

    Since we're sure that I'm completely mad at this point, I will also tell you that I have decided that my alpha special character passwords that are at least 7 characters long will resemble normal words instead of crypto-babble. On top of this madness, if I can determine that current cracking technology cannot crack these common phrase passwords in my lifetime or the next and I know that my end users will not write these passwords down because they can easily remember them, I am no longer going to force periodic password changes (outside of terminations and personnel turnover to key assets if they are admins or the like).

    Now that I have exposed the mania that has come over me, am I less, more or equally secure as those who implement traditional password policies as I have outlined here?


    Now, before I lay down my cards, let's see what all of you have to say.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    IMO, a password policy can't enforce something like "must start with a vowel" or "must have 3 special chars in it". This only weakens the password. But minimum length and periodic changes, I think, are "a must".
    Following your idea, you don't enforce a password change interval because you create a password strong enough to resist current crack methodologies.
    But since no one changes any more, I can dump all your strong passwords and use brute force to break them while I'm waiting for a better algorithm.
    Since you don't change your password, if I wait 3 years and get a better crack tool I can still break your system with that old password dump, can't I?
    If you don't enforce it, most of the users won't change the password.
    If now they are secure, maybe they won't be next semester...
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    hmm.. well I can offer no real experience, but I think you should consider that passwords are not only obtained by cracking them. Despite your best efforts, some users will write down passwords regardless. Some will give them away. Others may steal them.

    I think password changes are much more a reactive policy than a proactive one... they're designed to minimize the impact of a potential breach. Still, I would certainly extend the time between password changes in your place, perhaps only keep a list of the last three passwords instead of the last ten to make it easier for them, stuff like that.

    But all in all, I agree with the idea in theory. Could you provide an example of the policy text?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  4. #4
    Junior Member
    Join Date
    Feb 2003
    Posts
    24
    Must have been a big brick...

    Another reason to change passwords periodically is social engineering attacks. Your passwords might be uncrackable for the next 20 years, but all it takes is one user to give out his or her password to someone else and they are in until you find out that they are in and where they came in, assuming you do find out that someone stole a password.

    People are lazy. They don't like to memorize passwords. One of your users may decide that he or she does not want to remember a new password and use that same password in another location such as on a website. Maybe the website stores the password in plain text or some method that is easily breakable. Websites have data stolen all the time, or the website owner may not be the most honest person.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    There is no policy in place at this time. It's an experiment that we're conducting to prove a point about human behavior in relation to our security policies. We've selected several departments that agreed to participate in order to see how the end users react to this theoretical enterprise-wide change.

    Thus far, the experimental networks have had no breaches, nor have we found passwords recorded in any number of mediums as we typically find in departments who are under the thumb of our traditional password policy. When this is over, I will post some additional information on our findings. The most significant result so far is that the end users are not recording these passwords; rather, they are remembering them. We have found that 85% of our password breaches were directly attributed to someone writing it down in the open or saving it to a txt file left on a floppy sitting at their desk.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    We have a password policy as part of our ISMS document (Information Security Management System).
    Here is the extract of what we do.

    9.3.1. Passwords
    Passwords provide a means of validating a user's identity and thus to establish access rights to information processing facilities or services. Users should follow good practice in the selection and use of passwords.

    Passwords will be at least eight characters long and contain a mix of lower and upper case characters and numerals.

    Passwords will be changed by the user at least every 42 days or whenever there is an indication that a password may be compromised.

    All users should adhere to the following guidelines with regard to passwords:

    a) Passwords should be kept confidential
    b) Passwords should not be written down or stored in any way unless the means of storing them is in itself secure.
    c) Passwords should be randomly generated and contain no dictionary word of more than three characters
    d) Successive passwords should not repeat any obvious pattern
    e) Temporary passwords should be changed at first login
    f) Passwords should not be included or stored in any automated sign-on procedure
    g) Individual user passwords should not be shared

    If a password is entered incorrectly 3 times in succession, the user account will be locked temporarily. The lockout will last for a period of 30 minutes. If a password has been forgotten the user should contact the system administrator or Help Desk.

    In the event of a user forgetting a password, a temporary password should be allocated to the user (see e above).

    A user may use the same password for multiple facilities or services provided an adequate level of protection is available for the password in each case.

    System administrator (or equivalent) passwords should be different on each system. A sealed record of all system administrator passwords should be stored securely by Head of IT.
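    An added example (not from the thread or from any poster's ISMS) that turns the checkable rules of the extract above into Python: the eight-character mixed-case-plus-numerals rule, rule (c) with leet-speak normalisation before the dictionary match so that substitutions like 3-for-e do not slip past it, rule (d) for obvious successive patterns, and the three-strikes / 30-minute lockout. The word list is a small constructed stand-in for a real dictionary.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for a real dictionary file (assumption, not the ISMS's list).
DICTIONARY = {"doctor", "like", "cheese", "password", "summer", "admin"}

# Common leet substitutions; the checker undoes them before matching words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_words_in(password: str, min_len: int = 4) -> list:
    """Rule (c): dictionary words longer than three characters, found after de-leeting."""
    normalised = password.translate(LEET).lower()
    return sorted(w for w in DICTIONARY if len(w) >= min_len and w in normalised)


def check_password(password: str, previous=()) -> list:
    """Return the rule violations; an empty list means the password passes the extract."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"[0-9]", password)):
        problems.append("needs lower case, upper case and numerals")
    words = dictionary_words_in(password)
    if words:
        problems.append("contains dictionary words: " + ", ".join(words))
    # Rule (d): Summer01 -> Summer02 is the classic obvious pattern (same stem, new digits).
    stem = lambda p: re.sub(r"\d+$", "", p.lower())
    if any(stem(old) == stem(password) for old in previous):
        problems.append("repeats the pattern of a previous password")
    return problems


class LockoutTracker:
    """Three consecutive failures lock the account for 30 minutes."""
    MAX_FAILURES, LOCKOUT = 3, timedelta(minutes=30)

    def __init__(self):
        self.failures, self.locked_until = {}, {}

    def is_locked(self, user: str, now: datetime) -> bool:
        return self.locked_until.get(user, now) > now

    def record_attempt(self, user: str, success: bool, now: datetime) -> str:
        if self.is_locked(user, now):
            return "locked"          # attempts during the lockout are refused outright
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCKOUT
            self.failures[user] = 0  # counter restarts once the lockout expires
            return "locked"
        return "failed"
```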

  7. #7
    Member
    Join Date
    Mar 2004
    Posts
    81

    Re: Password Policy - What do you think?


    Since we're sure that I'm completely mad at this point, I will also tell you that I have decided that my alpha special character passwords that are at least 7 characters long will resemble normal words instead of crypto-babble. On top of this madness, if I can determine that current cracking technology cannot crack these common phrase passwords in my lifetime or the next and I know that my end users will not write these passwords down because they can easily remember them, I am no longer going to force periodic password changes (outside of terminations and personnel turnover to key assets if they are admins or the like).

    I'm not sure, but I thought there was a password cracker that would use leet speak type of words along with the traditional dictionary type of crack.

    So according to this, an accepted password for this scheme could be D0ct3r007 or iLik3ch33s3 or Ou812sodIdi

    Interesting. Please keep us posted on your experiment.

    ~Halv

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I'm not sure, but I thought there was a password cracker that would use leet speak type of words along with the traditional dictionary type of crack.
    True, however, I have yet to see a cracking program that can break special characters (outside of the NSA).

    Remember, special characters are used in the experimental passwords.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    If it is guaranteed that NO ONE will write it down or tell anyone else, and that they will remember them without a problem, and they cannot be cracked, then it is all well and good. As long as the transmission of the password across any network is encrypted in such a manner that no one can sniff the password. And to make sure that the security program doesn't have a flaw somewhere that would allow someone to just enter the hash rather than the password itself.

    edit***

    Oh, and every single password you use would need this security, or at least all of them that have access to the box(es) you are trying to protect. Because if one is bad, it leaves an opening to use one of many exploits available (depending on OS) to change the other passwords. Remember, passwords are just one part of the equation.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Now that I have exposed the mania that has come over me, am I less, more or equally secure as those who implement traditional password policies as I have outlined here?
    Well, Hoss~ old chap, you are probably less protected, in that a 7 character pass is well within the ambit of John the Ripper and suchlike.

    You also need to consider your attack vector, like if you have to go through the razor wire, past the dogs, and the armed guards, and use your biometric pass to enter the building..............maybe you are just trustworthy enough to read the yellow sticky.

    At home, I will make a terrible admission: my user IDs and passwords are scotch taped to the boxes.........I have a wife .............and they are very complex passes.

    Mind you, I do have 3 boxes with removable hard drives...........you would need to blow the safe to get to them

    BTW..............have you apologised to the brick and sent it some flowers?
