Password policies. Once again.

re: Password policies. Once again.

SJB — Wed, 05 Sep 2007 02:28:35 GMT

On the subject of disabling inactive accounts, couldn't you use somethign like "dsquery user -inactive 4 | dsmod user -disabled".

(that syntax is from memory, don't go blindly running in in production)

re: Password policies. Once again.

antknee — Wed, 05 Sep 2007 03:52:17 GMT

I like the unique pass phrases idea.

How would you address though the practice of users trying to come up with a new pass phrase at each password expiration date? Of course some users just increment their existing passwords in order to remember them easier. On this date users always forget their new password and many help desk calls are created.

re: Password policies. Once again.

dkkazak — Wed, 05 Sep 2007 05:27:04 GMT

If only MS policy would allow you to require a password of 15 characters. Today, the maximum length (that I can find) is 14 characters.

re: Password policies. Once again.

Tom Olsson — Wed, 05 Sep 2007 11:45:17 GMT

The prefix-idea (my dog and I) is great, Steve!

You could even write down the endings of the passwords, such as "went to work" on a post-it, no one could use it anyway.

To address antknee's issue, the post-it could say "went to work4" :-)

re: Password policies. Once again.

Chris — Wed, 05 Sep 2007 20:22:56 GMT

Steve,

great post I couldnt agree with you more. I see the true problem here being convincing the stakeholders of this. We have spent so much time and effort drilling some practices into the heads of the exec's that when the practices change it is hard to get the stake holders to change.

re: Password policies. Once again.

Mathieu CHATEAU — Thu, 06 Sep 2007 11:44:00 GMT

Hello,

Did you mention 15 caracter so as to not store the lan man hash ? I think this is the first thing to get rid of...

re: Password policies. Once again.

Petri — Wed, 12 Sep 2007 22:25:41 GMT

dkkazak: just edit password security policy (not with the the GUI) by notepad, import to GPO and there you have it... min req passwords <14 characters...

re: Password policies. Once again.

Tony Bradley, Microsoft MVP — Fri, 14 Sep 2007 19:19:04 GMT

I completely agree Steve. It is the same sort of smoke & mirrors "logic" applied to our national security by the DHS. For some reason, if you put extra steps and red tape in place that frustrate people, they accept that as 'security' and assume they must be protected.

I have recommended the use of passphrases, or taking a passphrase and using just the first letter of each word, for some time. I like your solution for the multiple passwords. Inevitably, you will have a program or web site or service with different password restrictions that will force you to come up with something else, but altering your core passphrase slightly would certainly make it easier to remember while significantly harder to guess / crack than a standard 8-character password.

re: Password policies. Once again.

Benny — Mon, 17 Sep 2007 13:50:26 GMT

My suggestion in order to enhance the password security level that 4 kinds of consequence, number and symbol is also necessary.

re: Password policies. Once again.

Alun Jones — Tue, 18 Sep 2007 05:51:18 GMT

Benny, where passwords are concerned, size matters more than how hard it is, so a long simple password is actually less likely to be guessed / cracked than a short complex one. Requiring complex passwords also leads to users forgetting their passwords - and then, they might as well be locked out because they're going to call in for the service desk, and they're going to write their complex password down on a Post-It note taped to the screen.

As for changing expired passwords, you can actually do that through OWA, if your admins have enabled the feature.

re: Password policies. Once again.

Paul Bergson — Thu, 27 Sep 2007 16:21:19 GMT

Steve,

Check out Joe Richard's MVP OldCmp. This is a great (FREE) tool for managaing users and computers. We batch it weekly and moves unused machine accounts over 180 days, to a special OU for inspection. Our pc support then reviews and disables/deletes those accounts no longer needed. It can disable and or delete but we like to be in control.

re: Password policies. Once again.

Mathieu CHATEAU — Fri, 28 Sep 2007 00:13:40 GMT

Hello,

i translated this post to french for those that may interest:

J'ai traduis ce post en francais pour ceux que cela pourrait intéresser:

http://lordoftheping.blogspot.com/2007/09/politique-de-mots-de-passe-encore-une.html

re: Password policies. Once again.

John Hascall — Fri, 28 Sep 2007 19:33:37 GMT

Simple passphrases (like "my dog and I got owned") are not as secure as you seem to think they are. They seem secure because most current password crackers are based on old password choices.

It is not hard to imagine (or write) a cracker based on words. What is the average user's working vocabulary? A few hundred words? A thousand, perhaps. Add in some grammar rules and the search space for likely phrases of length 3 to, say, 6 words is not really that large.

If you want to be secure, you are back to some of the old techniques that users dislike (digits, special chars, odd capitalization, misspelled (not 1337!) words, or really unusual words (and not your kids or pets names!), etc).

re: Password policies. Once again.

Steve Riley — Fri, 28 Sep 2007 21:03:49 GMT

There's a lot of research going on about passwords vs. pass phrases. Please see Jesper Johansson's three-part series:

http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

Scientifically, we don't know enough to state for certain whether pass phrases are indeed stronger than passwords. However, quoting from the conclusion:

"While no one can conclusively answer the question of whether pass phrases are stronger than passwords, math and the logic appear to show that a 5- or 6-word pass phrase is roughly as strong as a completely random 9-character password. Since most people are better able to remember a 6-word pass phrase than a totally random 9-character password, pass phrases seem to be better than passwords. In addition, by adding some substitutions and misspellings to a pass phrase, users can significantly strengthen it, which is not possible with a totally random 9-character password."

re: Password policies. Once again.

Stu — Wed, 03 Oct 2007 08:00:21 GMT

I am a volunteer fire fighter located in Connecticut. In order for those of us authorized to you the Fire House computers we must log on with one upper case letter and one lower case letter plus a mix of letters and numbers. It burns me up to have to have a complex password just to get internet access. If in my judgment, a complex password is unwarranted than I should be able to use what ever password I so desire. If some one or something should crack my password and gain access to the internet then so be it. If you want a simple password based on the level of risk you determine then you should have the right to do so. If your password gets hack then you have no one to blame but your self. The point is you should be the to decide not some computer programer.

re: Password policies. Once again.

Richard — Wed, 03 Oct 2007 15:41:35 GMT

Do you have an article that addresses a password reset or unlock tool and recommendations on that?

re: Password policies. Once again.

Steve Riley — Wed, 03 Oct 2007 20:15:48 GMT

Stu-- I'm not exactly sure what your point is. Typically, password policies are set by the security administrators at an organization, not by "programmers," based on the organization's risk tolerance level and the values of the information assets they're protecting. We do know one thing: if individuals were free to choose their own passwords, in almost every case those passwords would be extremely weak and immediately cracked by attackers. For example: in organizations that don't implement password policies, the #1 password choice for a salesperson's laptop is "golf." You might as well not even have a password! And while your assertion that "if your password gets hack[ed] then you have no one to blame but yourself" might be true, in reality, with the regulations that exist today, the organization could be at serious legal risk.

re: Password policies. Once again.

Steve Riley — Wed, 03 Oct 2007 20:17:16 GMT

Richard-- this might be helpful for you.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

re: Password policies. Once again.

Jan — Thu, 04 Oct 2007 12:17:57 GMT

Other people, other opinions. There is an article about password expiration which I have found some days ago and I would be very interested about your opinion: Prof. Eugene Spafford (CERIAS, security expert, NSA advisor, ...) sais that the whole topic of password expirations is based on the best practices 30 years ago where short passwords with no complexity where common but is totally useless today.

http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/trackback/

What do you think about it? To be honest, I like the idea of getting rid of password expiration policies but I do have some scruple to make it real...

Jan

re: Password policies. Once again.

Dan Halford — Tue, 13 Nov 2007 05:43:40 GMT

Give that CIOs and the like are notoriously hard to convince when it comes to security matters, turning off Account Lockout can be problematic in some organisations. The helpdesk want it off, the system admins want it off, but some jumped-up manager with less practical experience than the greenest of phone jockeys reckons he knows better.

Which brings me on to the one AD account property I always wished Microsoft had included: the ability to tag a particular account (service accounts, for instance) with a Do Not Lockout flag. That way, one can still pretend to CIOs that security best practice is being followed, but make the more critical accounts immune to this kind of DoS attack vector.

re: Password policies. Once again.

Steve Riley — Tue, 13 Nov 2007 16:29:14 GMT

Dan-- That's why I wrote about it, and continue to mention it at conferences whenever the topic of passwords comes up. If we can get these "jumped-up managers" to better understand real security risks, and the potential side-effect risks of certain security settings, then we'll all be in a better position. Education is always a good thing.