
We currently have the almost de facto standard of requiring complex passwords on our Windows AD domain. But this XKCD cartoon caught my eye a few months ago when it came up on Coding Horror (I think):

http://xkcd.com/936/

Has anyone changed their password policy like this, i.e. require a long phrase as opposed to a shorter one with non-alpha characters? If so, have you had any problems with audits by 3rd parties? We often get audited by our pharma clients and I'm not sure they'd buy into this.

It makes a lot of sense to me though - especially when one discovers passwords written down because they cannot be remembered.

JohnThePro
Rob Nicholson
  • We have not, but I've been pushing for long "easier to remember" passphrases for a while now at my firm. – Jordan W. Feb 13 '12 at 15:49
  • I'd push this over to the IT Security Stack Exchange site (http://security.stackexchange.com/). You're going to have more experts in the security field weigh-in there. – Evan Anderson Feb 13 '12 at 15:58
  • Only problem I'd see is potential incompatibilities with certain workstation implementations, things like that... – Bart Silverstrim Feb 13 '12 at 16:02
  • http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase – user9517 Feb 13 '12 at 16:15
  • It's funny, but we see more and more scanners not trying to hack the password; they are trying to hack the username, with a single commonly used pw. – tony roth Feb 14 '12 at 01:45
  • Should you *truly* be interested in password policies beyond what AD offers, you'll be looking at using different [Password Filters](http://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx). You may, of course, code your own, or purchase third-party modules. – jscott Feb 22 '12 at 01:16

2 Answers

Yes. You will run into problems with PCI audits and Federal audits if you have Federal customers, and other types of auditors.

Even though an easy-to-remember password that is 32 characters long may be technically more secure, the auditors don't care - they just have policies that require certain password complexity requirements and they will get on your case if you deviate.

For instance, my company has an auditor that explicitly mandates that the standard out of the box Active Directory (2008R2) password complexity requirements are used. Those password complexity requirements include caps, special characters, etc.

Edit: So in the meantime, until that paradigm shift in password complexity occurs, encourage your users to use a good password management program like KeePass or LastPass or whatever.

Ryan Ries

A properly written sentence passes the Windows AD Password Complexity setting. "I love my dog Barney." has three character types, which is what Windows wants (at least). It obviously passes the length requirement. So, "pass-phrases" can easily comply with AD password policies.

You can't technically enforce pass-phrases, so it's really a culture change you have to advocate for with your users. Send out informational emails to them educating them on how to use pass-phrases vs. passwords and then tell them you're going to increase the min to 10 but they can use pass-phrases to make life easier... just as an example.

This debate is not new and I was sold on them in 2004 by Jason Fossen of SANS fame with the wonderful Password Cracking Analysis Spreadsheet.

Bret Fisher
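As an added illustration (not code from the question or either answer), the Python below approximates the default AD complexity rule Bret Fisher describes, applied to the sentence from his answer, and adds the wordlist-entropy estimate behind the xkcd comic from the question. The category list and the display-name token check follow Microsoft's published description of the policy, but this is a simplified model, not the real LSA password filter; `meets_ad_complexity`, `passphrase_entropy_bits` and `years_to_exhaust` are names chosen here.

```python
import math
import re

# Separators Windows uses when splitting the display name into tokens
# for the "password must not contain parts of the user's name" check.
_NAME_SEPARATORS = re.compile(r"[,.\-_ #\t]+")


def meets_ad_complexity(password: str, sam_account_name: str = "",
                        display_name: str = "") -> bool:
    """Approximation (not the real filter) of the default Windows/AD
    'Password must meet complexity requirements' rule: at least 6 chars,
    characters from 3 of the 5 categories, and neither the account name
    nor any 3+ character display-name token inside the password."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        return False
    for token in _NAME_SEPARATORS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    categories = (
        any(c.isupper() for c in password),                 # uppercase
        any(c.islower() for c in password),                 # lowercase
        any(c.isdecimal() for c in password),               # digits
        any(not c.isalnum() for c in password),             # punctuation, space
        any(c.isalpha() and not (c.isupper() or c.islower())
            for c in password),                             # caseless scripts
    )
    return sum(categories) >= 3


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly at random
    from a list of wordlist_size words (the model behind xkcd 936)."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("I love my dog Barney.", "ilovemydogbarney", "Tr0ub4dor&3"):
        print(f"{pw!r:26} complexity ok: {meets_ad_complexity(pw)}")
    # four words from a 2048-word list, as in the comic: 44 bits
    bits = passphrase_entropy_bits(4, 2048)
    print(f"4 words x 2048 = {bits:.0f} bits, "
          f"~{years_to_exhaust(bits, 1000):.0f} years at 1000 guesses/s")
```

The entropy figure assumes the words really are chosen at random from the list; a sentence a user composes, like the one in the answer, passes the complexity check but does not earn the same 44-bit estimate.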