SQLServerCentral is supported by Red Gate Software Ltd.
Changing of the Guard
Posted Thursday, August 27, 2009 9:17 PM


SSC-Dedicated
Group: Administrators
Comments posted to this topic are about the item Changing of the Guard
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #778871
Posted Friday, August 28, 2009 2:41 AM
Valued Member
Group: General Forum Members
At most of our sites the AD administrator password lasts exactly as long as our personnel ... averaging maybe 8 months. The same can be said when a laptop goes "missing".
Post #778941
Posted Friday, August 28, 2009 4:56 AM
Ten Centuries
Group: General Forum Members
Microsoft has an outstanding recommendation for the maximum password age, a multiple of seven. The reasoning behind this is simple: your password will never expire on a weekend. Rather than choosing 60 days, choose 56 or 63.

One commonly missed justification for maximum password age is to limit the usefulness of a compromised username and password. Determining if a username and password has been compromised is usually difficult. After all, if a person has a username and password that he/she should not have, they are not going to intentionally do anything that would indicate that the password has been compromised.
Post #778976
Posted Friday, August 28, 2009 5:13 AM
SSC Eights!
Group: General Forum Members
I can't say regarding administrator passwords, but all the rest of the user accounts must change every 45 days. And I believe the history is 12, which bars a lot of reuse.

As far as just adding digits, sorry but that is lazy. I have not reused a password in over 15 years. I used to use an atlas to pick city names but our internal password policy changed. Today I use a password generator. As long as the password I choose fits the rules, great. It may take me a couple of login attempts to remember, but I am doing my part. In our company, policy states that YOU are responsible for anything on your desktop/laptop even though the company owns it all.


------------
Buy the ticket, take the ride. -- Hunter S. Thompson
Post #778981
Posted Friday, August 28, 2009 5:51 AM
Mr or Mrs. 500
Group: General Forum Members
Our regular user passwords change every 90 days. Admins including DBAs may use these for Word, Excel, email, etc., from our desktops. Our corresponding Admin accounts, which we must use to remote to servers (or in my case RUN AS for Management Studio, Query Analyzer, etc.) change every 30 days.

I like the 7-day multiple idea and will suggest it here. Maybe we'll wind up with 35 and 91.

For my password I use a Bible verse. Part of it becomes my desktop password, and three other parts become my successive admin passwords. I "tamper" with letters that can disguise as numbers or punctuation, in a pattern that I can predict but that does not show, and then I hide the original verse in plain sight as a reminder. (Yes, on a sticky!) I'm confident that even if someone guessed the purpose, they couldn't brute-force the actual password out of it, but at my age (nearing 60) I need the reminder, especially with one of them changing every month.

Plus, I learn a new verse four times a year. It will take a while before I run out of new ones!

If one was so inclined, War and Peace or Atlas Shrugged would probably work as well (at least for passwords).


Regards, Mike
Post #779000
Posted Friday, August 28, 2009 6:27 AM
SSC Rookie
Group: General Forum Members
We have to change both our normal user pw, and for those of us that have admin privileges, also our admin password(s), once a month.

AFAIK we don't have users sticking pws all over the place, or anywhere for that matter, and once a month seems OK.

That's all Windows stuff though; the sa passwords rarely get changed - if ever.

Post #779018
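A defender-side check for the point about sa passwords rarely changing, added here as an example and not code from the thread: it lists the SQL Server logins whose password is older than a chosen threshold or that are exempt from the expiration policy, together with the history length the server enforces for them. It assumes SQL Server 2008 or later; the 90-day threshold is a constructed value taken from the ages discussed in the thread.

```sql
-- Added example: audit SQL Server (type 'S') logins for stale passwords.
-- Threshold is constructed from the rotation periods discussed in the thread.
DECLARE @max_age_days int = 90;

SELECT
    l.name,
    l.is_policy_checked,                       -- 1 = Windows password policy applied
    l.is_expiration_checked,                   -- 0 = password never expires
    CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime) AS password_last_set,
    DATEDIFF(day,
             CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime),
             GETDATE())                        AS password_age_days,
    LOGINPROPERTY(l.name, 'DaysUntilExpiration') AS days_until_expiration, -- NULL if not enforced
    LOGINPROPERTY(l.name, 'HistoryLength')     AS history_length           -- reuse window
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND l.name NOT LIKE '##%'                    -- skip internal certificate-mapped logins
  AND (
        l.is_expiration_checked = 0            -- never forced to rotate (typical for sa)
     OR DATEDIFF(day,
                 CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime),
                 GETDATE()) > @max_age_days    -- rotated, but not recently enough
      )
ORDER BY password_age_days DESC;
```

Run it on each instance; any row where is_expiration_checked is 0 is a login the domain password policy will never age out, which is exactly the sa situation described above.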
Posted Friday, August 28, 2009 6:30 AM
SSC Veteran
Group: General Forum Members
I find it to be very annoying with all the password changes. This technique with a string as a password feels very outdated; for how long has this old technique been used? I feel that a new technique is needed. Hopefully it won't take too long before one emerges.

My vision: for instance, one password to rule them all, or something like that. You sign in to a little service that stores all your passwords and changes them for you and has contact by some service to the applications you are using. You log into this service with a password, and that password you have to handle yourself, but this service handles every other service requiring a login and password. Of course, the applications and websites you want your service to handle need to support it. It all needs to be open source, of course, so that everyone who wants to host a multi-password service can do so and you can choose which supplier to trust. Something like that.
Post #779022
Posted Friday, August 28, 2009 6:33 AM
SSCrazy
Group: General Forum Members
I really gotta find a better way to catalog my interesting articles. Somebody posted something (great phrase, that) about using a pattern like word+number+word+number+word, which led to such a high degree of variance that it could not be cracked using any reasonable methods.

---------------------------------------------------------
How best to post your question
How to post performance problems
Tally Table:What it is and how it replaces a loop

stewsterl 80804 (10/16/2009): "I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
Post #779024
Posted Friday, August 28, 2009 7:09 AM
Hall of Fame
Group: General Forum Members
Not 100% sure about server passwords, but here on our US Air Force networks we have to change our admin accounts' passwords every 90 days. But get this -- we're not allowed to choose our own passwords anymore. We have to accept a 15-character random string. Of course there's no way anyone can remember these, so what do we do -- we write them down! Yet another example of how "progress" in terms of security has put us back at least 10 to 15 years...

On our classified network, we still also have to use 15 or more characters. At least we still get to choose our own passwords. Typically we'll pick an 8-character password and string it together twice (for a 16-char pw).

Both networks have a password history set to the max (remembers the last 36 maybe? I can't recall exactly).

Post #779053
Posted Friday, August 28, 2009 7:19 AM
Forum Newbie
Group: General Forum Members
Hi, Dan Martin, here in Baton Rouge, Louisiana.

I gather that Steve is like a lot of persons who are responsible for securing valuable items. He is not sure of what the password length should be, nor can he nail down concrete guides to many of the variables involved. Really involved and difficult, like many things. Thanks.
Post #779062