Changing of the Guard

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715889

    Comments posted to this topic are about the item Changing of the Guard

  • Todd Heidesch

    SSC Journeyman

    Points: 90

    At most of our sites the AD administrator password lasts exactly as long as our personnel ... averaging maybe 8 months. The same can be said when a laptop goes "missing". :blink:

  • Robert Eder

    Hall of Fame

    Points: 3223

    Microsoft has an outstanding recommendation for the maximum password age, a multiple of seven. The reasoning behind this is simple: your password will never expire on a weekend. Rather than choosing 60 days, choose 56 or 63.

    One commonly missed justification for maximum password age is to limit the usefulness of a compromised username and password. Determining if a username and password has been compromised is usually difficult. After all, if a person has a username and password that he/she should not have, they are not going to intentionally do anything that would indicate that the password has been compromised.

  • Bryant McClellan

    SSCarpal Tunnel

    Points: 4215

    I can't say regarding administrator passwords, but all the rest of the user accounts must change every 45 days. And I believe the history is 12 which bars a lot of reuse.

    As far as just adding digits, sorry but that is lazy. I have not reused a password in over 15 years. I used to use an atlas to pick city names but our internal password policy changed. Today I use a password generator. As long as the password I choose fits the rules, great. It may take me a couple of login attempts to remember, but I am doing my part. In our company, policy states that YOU are responsible for anything on your desktop/laptop even though the company owns it all.

    ------------
    Buy the ticket, take the ride. -- Hunter S. Thompson

  • Mike Hinds

    SSCarpal Tunnel

    Points: 4248

    Our regular user passwords change every 90 days. Admins including DBAs may use these for Word, Excel, email, etc., from our desktops. Our corresponding Admin accounts, which we must use to remote to servers (or in my case RUN AS for Management Studio, Query Analyzer, etc.) change every 30 days.

    I like the 7-day multiple idea and will suggest it here. Maybe we'll wind up with 35 and 91.

    For my password I use a Bible verse. Part of it becomes my desktop password, and three other parts become my successive admin passwords. I "tamper" with letters that can disguise as numbers or punctuation, in a pattern that I can predict but that does not show, and then I hide the original verse in plain sight as a reminder. (Yes, on a sticky!) I'm confident that even if someone guessed the purpose, they couldn't brute-force the actual password out of it, but at my age (nearing 60) I need the reminder, especially with one of them changing every month.

    Plus, I learn a new verse four time a year. It will take awhile before I run out of new ones!

    If one was so inclined, War and Peace or Atlas Shrugged would probably work as well (at least for passwords).

    Mike Hinds Lead Database Administrator1st Source BankMCP, MCTS

  • Peter Pirker

    Ten Centuries

    Points: 1079

    We have to change both our normal user pw, and for those of us that have admin privileges, also our admin password(s), once a month.

    Afaik we don't have users sticking pws all over the place, or anywhere for that matter, and once a month seems ok.

    That's all windows stuff though, the sa passwords, rarely get changed - if ever.

  • IceDread

    SSCertifiable

    Points: 5000

    I find it to be very annoying with all the password changes. This technique with a string as a password feels very outdated, for how long has this old technique been used? I feel that a new technique is needed. Hopefully it wont take too long before one emerges.

    My vision. For instance, one password to rule them all or something like that. You sign in to a little service that stores all your passwords and changes them for you and has contact by some service to the applications you are using. You log into this service with a password and that password you have to handle yourself but this service handles every other service requiring a login and pass, of course these applications and websites you want to your service to handle needs to support it. It all needs to be open source of course so that everyone who wants to host a multi password service can do so and you can chose which supplier to trust. Something like that.

  • jcrawf02

    SSC-Insane

    Points: 24198

    I really gotta find a better way to catalog my interesting articles. Somebody posted something (great phrase that :-D) about using a pattern like word+number+word+number+word, which led to such a high degree of variance that it could not be cracked using any reasonable methods.

    ---------------------------------------------------------
    How best to post your question[/url]
    How to post performance problems[/url]
    Tally Table:What it is and how it replaces a loop[/url]

    "stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."

  • lionfan91

    SSCrazy Eights

    Points: 8794

    Not 100% sure about server passwords, but here on our US Air Force networks we have to change our admin account's passwords every 90 days. But get this -- we're not allowed to choose our own passwords anymore. We have to accept a 15 character randon string. Of course there's no way anyone can remember these, so what do we do -- we write them down! Yet another example of how "progress" in terms of security has put us back at least 10 to 15 years...

    On our classified network, we still also have to use 15 or more characters. At least we still get to choose our own passwords. Typically we'll pick an 8-character password and string it together twice (for a 16-char pw).

    Both networks have a password history set to the max (remembers the last 36 maybe? I can't recall exactly)

  • dan.martin-1089153

    Newbie

    Points: 9

    Hi, Dan Martin, here in Baton Rouge, Louisiana.

    I gather that Steve is like a lot of persons who are responsible for securing valuable items. He is not sure of what the password length should be, nor can he nail down concrete guides to many of the variables involved. Really involved and difficult, like many things. Thanks.

  • Rob Nickolaus-860201

    SSC Veteran

    Points: 201

    Our company forces all passwords to rotate every 30 days with a reminder 2 weeks in advance. Personally, I don't like to have to change roughly 10 passwords every 30 days. That tends to make you lazy in how you create passwords and many people start using the same PW on different accounts. A single logon would make people more likely to create a stronger password.

    For individual users, I personally believe that changing a password doesn't offer much more protective benefit unless an attacker could gather the user names. For these types of accounts, the attacker needs to guess the user name as well as the password. I would love to see the use of special characters in the username which isn't something an attacker would typically put in a brute force attack.

    I do think that well-known user accounts such as sa, administrator, etc. do need to be changed much more frequently. In these situations, 30-90 days would be the longest that I would want to see unless the changing caused severe disruption to other applications/systems (coordinated password changing).

    I've read many articles on our outdated policies of 8-15 character passwords with upper/lower/number/special characters. Everything I've read indicates that a much longer "passphrase" where you simply type a long phrase (bible verse or favorite quote or something that is very easy to memorize) is much more likely to withstand a brute force attack. Of course, a two-factor authentication would be preferred but I rarely see those implemented in IT shops that I've been in.

  • bob.willsie

    Right there with Babe

    Points: 791

    Guess what Milz - That 15 character assigned password is nothing new. I worked on the USAF WWMCCS in the late 70s/early 80's and we were assigned 15 character passwords back then. If we wrote them down we faced a potential 10 years in Leavenworth since a password that allowed access to a top secret system was considered top secret material also.

    We were taught to make up and memorize a sentence that would remind us of the password.

    I don't mind changing passwords every 45-60 days in situations where passwords make sense. IE, access to data that needs to be restricted for one reason or another.

    What I don't like is having to keep track of dozens of passwords for web sites that I might only visit once in a blue moon. For instance, in order to download a user manual for my digital camera I have to create a userID and password for that site. Do that for 20 or thirty products, a dozen or so software packages, and add in a few dozen sites you visit looking for some random information, and you can easily end up with a 100 or so userids and passwords.

    Having had a drive croak that had an encrypted file on it containing my password information, I now do the unthinkable for my non-work passwords: I keep a paper list.

  • GSquared

    SSC Guru

    Points: 260824

    I see mandatory password changes on a fixed interval as a sop to security without any actual value, and with the potential of negative value.

    Changing passwords on a fixed interval was created as a policy when it was calculated that brute-forcing a login would take 60 days with then-current hardware, no matter how complex the password, within then-current complexity rules.

    It functionally became obsolete the moment security also included "three tries and then lockout" type rules.

    If you don't have lockout rules, then yes, changing the password with some frequency has some slight value. Maybe.

    Since its whole purpose is to block brute-forcing attempts, imagine this scenario:

    The brute-force system starts with "" and works its way through the ASCII sequence, incrementing by one each time, ignoring characters like line-feed, just letters, numbers and punctuation, adding a new character at the end of the string each time it completes a cycle. Thus, a 6-digit password would be approximately 600-billion combinations (92 possible characters), and 8 would be just over 5 quadrillion combinations.

    Now, assume a botnet with 10,000 computers in it, most with 2 core Intel CPUs (these days), with an average computing power available to the botnet of (arbitrarily chosen) 1-million computations per second. 5-quadrillion combinations divided by 20-billion/second = 250 seconds. Better have more than 8 characters in your password! 10 makes it 2-million seconds to brute force, which is just about 588 hours, or 24 1/2 days. 12 digit password makes it about 207-thousand days, which is centuries, so they'll need a much bigger botnet for that. (11 digit is 2,254 days approx.)

    So, 10 digits isn't enough to block a reasonably sized botnet attack in under 30 days (the shortest usual password expiration interval). 10,000 computers is a pretty usual size for a botnet these days. Some include hundreds of thousands. None that I've read about have hit the million pc mark, yet.

    Now, imagine this scenario: Fifteen years from now, a 10-million pc botnet with (usual doubling rules) 1024 times as much processing power as modern pcs, attacking your password that you never change. The brute-force attack would succeed in days rather than months, even on a 12-digit password, except for the minor detail that the account locks out after 3 attempts. So, a microscopic fraction of a second passes, and the account gets locked out. Make it a 100-million pc botnet, and it's just a smaller fraction of a second before lockout.

    Even with just a six character password and a six character username, the odds of hitting a valid combination of the two within three tries approaches zero. Doesn't matter how much computing power you throw at it, if it only allows three tries.

    So, frequent password expiration is obsolete and is merely the attempt to feel more secure without the actuality.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • jcrawf02

    SSC-Insane

    Points: 24198

    Gus, I think you just wrote me a whitepaper for our IT security dept...

    ---------------------------------------------------------
    How best to post your question[/url]
    How to post performance problems[/url]
    Tally Table:What it is and how it replaces a loop[/url]

    "stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."

  • GSquared

    SSC Guru

    Points: 260824

    jcrawf02 (8/28/2009)


    Gus, I think you just wrote me a whitepaper for our IT security dept...

    Just keep in mind that it only takes one try for a valid user who knows his own username and password to log in, and then steal paydata.

    It also only takes one successful e-mail, "We are doing account maintenance. Please send us your current login and password so we can re-create your account after replacing our security server."

    Anything like that renders all basic system security worthless.

    It's why I think more companies need to regularly send out phishing e-mails to all of their employees, and see who bites. That kind of thing will have a MUCH bigger positive return for security than silly rules about changing your password every X days.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

Viewing 15 posts - 1 through 15 (of 29 total)

You must be logged in to reply to this topic. Login to reply