Posted by Shieldfire on March 31, 2006, 1:51 am
Hi,
In another group I posted a question on security for some of our
external users. They will access a messaging system (not MS Exchange)
and I wanted to set their passwords to expire every N days.
Lots of admins on that group argue that this is an evil thing. If user
Joe already has a secure password it is evil to make him change it and
possibly come up with a weaker password after N days.
The consequences for my users on this system may be extreme if the
passwords are compromised.
How do you argue, to expire or not expire - that's the question.
Martin S
Posted by Shenan Stanley on March 31, 2006, 2:34 am
Shieldfire wrote:
> In another group I posted a question on security for some of our
> external users. They will access a messaging system (not MS
> Exchange) and I wanted to set their passwords to expire every N
> days.
> Lots of admins on that group argue that this is an evil thing. If
> user Joe already has a secure password it is evil to make him
> change it and possibly come up with a weaker password after N days.
>
> The consequences for my users on this system may be extreme if the
> passwords are compromised.
>
> How do you argue, to expire or not expire - that's the question.
Expire. The longer a password is the same, the greater chance it can be
compromised.
As far as making a less complicated password - that all depends on your
complexity requirements.
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Posted by Roger Abell [MVP] on March 31, 2006, 8:58 am
That is a difficult case to argue, and one needs to include
complexity of password used by the users, the education
of the users relative to "good" passwords and their habit
of complying with that education.
Just setting the built-in complexity does not guarantee
"good" passwords, ex. Password1
One aspect of the argument is that frequent pwd
change encourages people to write the pwd down
in a handy location. On the other side is the at times
hand wavy "calculation" of how long a pwd takes to
fall (to what, brute force or dictionary) attack. The
assumption is that this time grows as the length grows,
and that forcing more frequent change reduces risk of
a successful password guessing attempt. Frankly,
with use only of the exposed authentication interfaces,
guessing great, or even good, passwords is not high,
at least not before the attempts are noticed.
What I consider the best case for more frequent
change is that, given users' lack of using "good" and
long passwords (pass phrases), there is a risk of a
password becoming compromised. Forcing more
frequent change of the password limits the usefulness
of any compromised passwords to a shorter period
(keep in mind that a compromised acct/pwd will be
used to access what it is allowed, which both defines
the scale of loss and also illustrates how it is unlikely
that such use would be noticed as it is not outside of
the expected use pattern).
However, I am wondering why you are concerned.
Since there is only one account policy per domain,
you are either getting ready to change this for all of
the accounts in the domain, or these users are from
a different domain. If from a different domain, then
you have a pretty good means for restricting their
scope of potential compromise since you only have
to be concerned with explicit grant to group of which
they are members, or to Authenticated Users, but
not with all the default grants involving (directly or
indirectly) Domain Users.
> Hi,
>
> In another group I posted a question on security for some of our external
> users. They will access a messaging system (not MS Exchange) and I wanted
> to set their passwords to expire every N days.
>
> Lots of admins on that group argue that this is an evil thing. If user Joe
> already has a secure password it is evil to make him change it and
> possibly come up with a weaker password after N days.
>
> The consequences for my users on this system may be extreme if the
> passwords are compromised.
>
> How do you argue, to expire or not expire - that's the question.
>
> Martin S
Posted by Patrick Dickey on April 4, 2006, 10:24 am
> Hi,
>
> In another group I posted a question on security for some of our external
> users. They will access a messaging system (not MS Exchange) and I wanted
> to set their passwords to expire every N days.
>
> Lots of admins on that group argue that this is an evil thing. If user Joe
> already has a secure password it is evil to make him change it and
> possibly come up with a weaker password after N days.
>
> The consequences for my users on this system may be extreme if the
> passwords are compromised.
>
> How do you argue, to expire or not expire - that's the question.
>
> Martin S
I can see this from both aspects. As someone who is security conscious, I
agree with the expiration and the complexity standards. As an end-user in a
corporation (where I have no IT related duties, other than using the
computer for e-mail and training), I can see where the other end-users
complain about the passwords.
But, I will say this. Those same users who complain about the passwords,
have grown used to the setup. So, every 90 days, they diligently change
their password, and gripe for a few days. Then they go on with their lives.
As for writing the password down, yes it's vulnerable to thieves. However, I
would think that unless they write down their username as well (and to an
extent their corporation login information), it's going to be almost
pointless to anyone outside of the corporation. I could, and probably am,
wrong on this though.
In the end, if you're going to implement this, I would recommend that you
suggest to your end-users this policy (for simplicity in their lives only).
Every N days, when they change their password at the office, they should
go home and change their user password on their home computer to the same
thing. This way, they're LESS apt to forget the password, and LESS apt to
have it written down somewhere. They'll have to weigh the risks that
someone gets into their home computer and realizes that's the same password
as their work one. But, I would imagine that if someone gains access to
their home and their home computer (outside of family or friends of kids,
etc.), the fact that the person has their work password is going to be low
on their concerns.
Just my three cents worth (would have been two, but I'm long-winded).
Patrick.
--
Smile... Someone out there cares deeply for you.
Posted by Shieldfire on April 5, 2006, 5:24 am
Thanks for your input.
What we did was to make secure passwords
http://www.winguides.com/security/password.php
and set them for them. When we see them next time, they'll be able to choose
their own password following the same standard.
Martin S