Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Password policies. Once again.

Password policies. Once again.

  • Comments 21
  • Likes

Recently in the newsgroups (news:microsoft.public.security, to be specific) the question of password polices and the out-of-box defaults came up. The poster lamented a number of things: that Microsoft doesn't enable account lockout by default, that we don't have a built-in mechanism for automatically disabling unused accounts, that the 42-day default expiration is troublesome. Here's my response; figured that it would make for a useful blog post, too.

Account lockouts

Account lockout is a poor substitute for good passwords -- and is one of the most expensive security features you can use. Let's think about this by considering the threat. What threat does account lockout (attempt to) mitigate? Password guessing. How can you make password guessing attacks become useless for an attacker? Two ways: implement lockouts or use good (meaning long) passwords.

Consider the first choice, account lockouts. The typical cost to an organization to reset locked accounts is US$75 per help desk call. In a medium or large organization, this can become a very high monthly maintenance cost. In nearly all instances, the call results from users locking themselves out (too many vodka tonics on the plane, maybe?), not users encountering locked out accounts because some bad guy was trying to guess passwords. Account lockouts have one more -- very bad -- problem: they create opportunities for bad guys to conduct denial-of-service attacks against accounts or entire domains! Even if you use a timed unlock of, say, 15 minutes, then the attacker can write his script to churn through thousands of bogus logon attempts every 15 minutes 2 seconds. So, contrary to the claim, enabling this setting actually can have significant impact on usability.

Account lockout is there for people who absolutely need it. But I can't think of any instance where this is true. Instead, have a policy that requires simple passwords at least 15 characters long. Forget about complexity rules that force people to write down passwords. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish:

  • web mail: "my dog and i got the mail"
  • shopping: "my dog and i bought some stuff"
  • office: "my dog and i went to work"

This is why we disable account lockout by default. There are much better --  and much less expensive -- ways to mitigate the threat.

Disabling unused accounts

You're right, there's no built-in method to automatically disable unused accounts. A variety of third-party products can provide you with this functionality. I suspect some of them might be free, perhaps simple scripts even. I tried searching on "automatically disable unused accounts" and saw a few hits that looked promising. This particular function, however, rightly belongs in the HR process. A number of customers I've spoken with have automated the account creation/disablement/deletion process, incorporating it into HR systems. When a new user is hired, the account is created; when the user departs, the account is disabled; some time later, it's deleted. The HR systems take care of this, not domain or enterprise administrators. I wrote more about this subject in "When you say goodbye to an employee."

Password expiration

Password expiration is an important setting for everyone. It mitigates two threats: employees sharing passwords and bad guys discovering passwords. Because we can eliminate the second threat using long simple passphrases as I described above, then we have only one remaining threat: password sharing. Your estimation of how prevalent this threat is in your environment will guide you toward choosing an expiration time that works for you. 42 days is a reasonable default; our own corpnet uses 70 days. My experience with most customers shows that password sharing isn't a problem. So for those who do enforce long simple passphrases, I suggest that a reasonable default for expiration is 120 days.

Windows begins notifying you 14 days before your password expires. You can change this time period through group policy. I was in a similar situation recently. Last month my domain password expired while I was in Australia for TechEd there. I could continue to log on to my laptop with cached credentials, but couldn't use Outlook Web Access or RPC+HTTP of course. So I connected to a Terminal Server computer we have on the Internet, logged on there, and changed my password.

Comments
  • On the subject of disabling inactive accounts, couldn't you use somethign like  "dsquery user -inactive 4 | dsmod user -disabled".

    (that syntax is from memory, don't go blindly running in in production)

  • I like the unique pass phrases idea.

    How would you address though the  practice of users trying to come up with a new pass phrase at each password expiration date? Of course some users just increment their existing passwords in order to remember them easier. On this date users always forget their new password and many help desk calls are created.

  • If only MS policy would allow you to require a password of 15 characters.  Today, the maximum length (that I can find) is 14 characters.

  • The prefix-idea (my dog and I) is great, Steve!

    You could even write down the endings of the passwords, such as "went to work" on a post-it, no one could use it anyway.

    To address antknee's issue, the post-it could say "went to work4"  :-)

  • Steve,

    great post I couldnt agree with you more. I see the true problem here being convincing the stakeholders of this. We have spent so much time and effort drilling some practices into the heads of the exec's that when the practices change it is hard to get the stake holders to change.

  • Hello,

    Did you mention 15 caracter so as to not store the lan man hash ? I think this is the first thing to get rid of...

  • dkkazak: just edit password security policy (not with the the GUI) by notepad, import to GPO and there you have it...  min req passwords <14 characters...

  • I completely agree Steve. It is the same sort of smoke & mirrors "logic" applied to our national security by the DHS. For some reason, if you put extra steps and red tape in place that frustrate people, they accept that as 'security' and assume they must be protected.

    I have recommended the use of passphrases, or taking a passphrase and using just the first letter of each word, for some time. I like your solution for the multiple passwords. Inevitably, you will have a program or web site or service with different password restrictions that will force you to come up with something else, but altering your core passphrase slightly would certainly make it easier to remember while significantly harder to guess / crack than a standard 8-character password.

  • My suggestion in order to enhance the password security level that 4 kinds of consequence, number and symbol is also necessary.

  • Benny, where passwords are concerned, size matters more than how hard it is, so a long simple password is actually less likely to be guessed / cracked than a short complex one. Requiring complex passwords also leads to users forgetting their passwords - and then, they might as well be locked out because they're going to call in for the service desk, and they're going to write their complex password down on a Post-It note taped to the screen.

    As for changing expired passwords, you can actually do that through OWA, if your admins have enabled the feature.

  • Steve,

    Check out Joe Richard's MVP OldCmp.  This is a great (FREE) tool for managaing users and computers.  We batch it weekly and moves unused machine accounts over 180 days, to a special OU for inspection.  Our pc support then reviews and disables/deletes those accounts no longer needed.  It can disable and or delete but we like to be in control.

  • Hello,

    i translated this post to french for those that may interest:

    J'ai traduis ce post en francais pour ceux que cela pourrait intéresser:

    http://lordoftheping.blogspot.com/2007/09/politique-de-mots-de-passe-encore-une.html

  • Simple passphrases (like "my dog and I got owned") are not as secure as you seem to think they are.  They seem secure because most current password crackers are based on old password choices.

    It is not hard to imagine (or write) a cracker based on words.  What is the average user's working vocabulary?  A few hundred words?  A thousand, perhaps.  Add in some grammar rules and the search space for likely phrases of length 3 to, say, 6 words is not really that large.

    If you want to be secure, you are back to some of the old techniques that users dislike (digits, special chars, odd capitalization, misspelled (not 1337!) words, or really unusual words (and not your kids or pets names!), etc).

  • There's a lot of research going on about passwords vs. pass phrases. Please see Jesper Johansson's three-part series:

    http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

    http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

    http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

    Scientifically, we don't know enough to state for certain whether pass phrases are indeed stronger than passwords. However, quoting from the conclusion:

    "While no one can conclusively answer the question of whether pass phrases are stronger than passwords, math and the logic appear to show that a 5- or 6-word pass phrase is roughly as strong as a completely random 9-character password. Since most people are better able to remember a 6-word pass phrase than a totally random 9-character password, pass phrases seem to be better than passwords. In addition, by adding some substitutions and misspellings to a pass phrase, users can significantly strengthen it, which is not possible with a totally random 9-character password."

  • I am a volunteer fire fighter located in Connecticut. In order for those of us authorized to you the Fire House computers we must log on with one upper case letter and one lower case letter plus a mix of letters and numbers. It burns me up to have to have a complex password just to  get internet access. If in my judgment, a complex password is unwarranted than I should be able to use what ever password I so desire. If some one or something should crack my password and gain access to the internet then so be it. If you want a simple password based on the level of risk you determine then you should have the right to do so. If your password gets hack then you have no one to blame but your self. The point is you should be the to decide not some computer programer.    

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment