Has anyone got any resources for determining a reasonable password policy for my users? My personal leaning is to ratchet up password complexity and allow them to change them less often as a kind of compromise. It seems that my average user has a higher tolerance for mixing in some numbers and special characters than they had 5 or 10 years ago.

I'm looking for rules of thumb and/or resources I can use to back up my proposed policy changes. Or even anecdotal info from those with more experience.

(I'm far from a security guru, so if that's just too vague to deal with, let's narrow the question to apply just to internal Windows networking passwords, though I'd be interested in what people are doing in terms of VPN and web service policy)

HopelessN00b
Kara Marfia
  • Can you tell us more about the software environment you need to tailor this to? Windows, *nix, Plan9 ... ??? – quux Jun 06 '09 at 13:13
  • More a policy question than technology-specific. Probably borders on a religious discussion to get into whether you'd need a different policy for windows vs. *nix boxes? ;) – Kara Marfia Jun 06 '09 at 13:21

9 Answers

In today's world of random brute-force password attacks, I tend to agree with the statement that: a good password written down is better than a memorized password that is easy to guess

Brent
  • You have forgotten: ...written down and kept at a secret place. No, putting it under the keyboard does not count ;-) – John Smithers May 04 '09 at 19:44
  • Actually, I WOULD INCLUDE "written down and taped to the monitor in plain sight" - simply because so many attacks come remotely, that a poor password is a MUCH greater risk. – Brent May 04 '09 at 22:54
  • For people that keep forgetting their passwords then I would recommend that if they have to write it down then they do so and put it in their wallet or purse. People don't tend to leave those lying around and also notice if they have disappeared ;) – Nathan May 20 '09 at 16:39
  • Obviously written down and kept hidden is better. Nathan has a good suggestion. – Brent May 20 '09 at 22:02
  • No, no. You write down the correct password and store it in your wallet, then write down the wrong password and stick it under your keyboard. If you find your account locked out, call your security personnel. – romandas Aug 07 '09 at 22:49
  • Whenever I write down a password I make a practice of adding a couple of characters to the beginning and end. I know they are extra, but anyone else wouldn't. I guess this wouldn't work so well with dictionary words though. – Brent Aug 08 '09 at 15:31
Here's a good comparison of password strength:

http://www.lockdown.co.uk/?pg=combi

Scott
  • Why is this getting voted down? Seems to me this is what the asker was wanting. – Scott May 04 '09 at 22:11
  • Since it's exactly the kind of information I was looking for, maybe my question was flawed? I'm guessing people object to bare-hyperlink answers, but I'm not sure what else needed to be said. – Kara Marfia May 05 '09 at 13:21
  • Could you please write something about the link into your answer, for example why you think this link is a good read regarding the question? – Sam Jul 01 '09 at 09:15
You're doing the right thing by considering what your users are willing to work with. If you force highly complex passwords that must change frequently, you'll find your post-it note consumption will skyrocket.

  • +1 to get Jon's rep off of "666" ;-) – tomjedrz May 04 '09 at 19:33
  • @tomjerdz: thanks. I did take a screenshot, though ;) –  May 04 '09 at 19:35
  • that's what my employer does now: 60 days, "3-of-4", and no repeats in the last 24. So everybody comes-up with easy-to-remember "variations on a theme". Not nearly as "secure" as it should be, sadly. – warren Sep 25 '09 at 09:52
There's a sensible contribution to this topic from Gene Spafford at Purdue's CERIAS. Here's a partial quote:

So where did the “change passwords once a month” dictum come from? Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their “best practice” that they expected. It also got written into several lists of security recommendations.

This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security!
It is a “best practice” based on experience 30 years ago with non-networked mainframes in a DoD environment—hardly a match for today’s systems, especially in academia!

Liudvikas Bukys
I'm much more in favour of longer passwords (which, realistically, means multi-word phrases if you're going to remember them) instead of mixing in words and numbers. If you force people to add numbers, they're more likely to do simple things like replace i with 1 etc., which doesn't gain you very much security.

http://www.iusmentis.com/security/passphrasefaq/

Wilka
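Wilka's point, and warren's "3-of-4" comment above, can be made concrete with a small password filter. The example below is added here and is not code from any answer on this page: it implements a Windows-style "three of four character classes" rule next to a normalization check that undoes the usual substitutions (@ for a, 0 for o, a year bolted on the end). The wordlist and the substitution map are constructed for the example; a real filter would load a proper dictionary and a breached-password list.

```python
import re
import string

# Constructed toy wordlist for this example; a real check would load a
# proper dictionary plus previously breached passwords.
WORDLIST = {"password", "welcome", "summer", "letmein", "admin", "monkey"}

# The substitutions users reach for when a rule forces digits or symbols in.
# Assumed map; it covers only the common ones.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def meets_three_of_four(pw: str) -> bool:
    """Windows-style complexity rule: 8+ characters and at least three of
    the four classes lower, upper, digit, punctuation."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3


def normalize(pw: str) -> str:
    """Reduce a password to the word the user started from: lower-case it,
    drop the digits/symbols bolted onto either end ("Summer2009!" -> "summer"),
    then undo leet substitutions ("P@ssw0rd" -> "password")."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def is_dictionary_variant(pw: str) -> bool:
    """True when the password is a wordlist entry dressed up with substitutions."""
    return normalize(pw) in WORDLIST


def check(pw: str) -> str:
    """Verdict a password filter could return. The complexity rule alone
    accepts leet-speak dictionary words; the normalization check does not."""
    if not meets_three_of_four(pw):
        return "rejected: fails 3-of-4 complexity"
    if is_dictionary_variant(pw):
        return "rejected: dictionary word with substitutions"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Summer2009!",
                      "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{candidate!r:32} 3-of-4={meets_three_of_four(candidate)!s:5} "
              f"normalized={normalize(candidate)!r:12} -> {check(candidate)}")
```

Note what the two checks disagree on: "P@ssw0rd1" and "Summer2009!" sail through the complexity rule and are caught only by normalization, while a four-word passphrase fails the 3-of-4 rule despite being the stronger choice. A policy that enforces only the first rule trains users toward exactly the substitutions the second rule strips off.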
There are tons of material on Password Policies. I recommend taking a look at

Now, something must be said about password sanity. The fact is that passwords that are hard to remember are written down. The same goes for passwords that must be changed too often. The bottom line: it depends on what you're protecting and your userbase.

The policy should reflect what the users are using the computers for, and how sensitive the information the user handles on them is. If it is just to contain the user's preferences you do not really need it heavily fortified, if everything else is in place to repel attacks. If the opposite is the case I would rather have annoyed users moaning about complex passwords to remember.

I have about 20-some complex passwords in my head at all times, and I have started creating them using patterns on the keyboard to remember them by. It makes it easier as I only need to know the starting point and what kind of pattern to make. Everybody hates changing passwords, but this technique allows me to change them around easily and remember them, so security is tight.. for me at least. I can even note down one letter on a piece of paper and still recall what pattern to make, and I don't really remember things too well. If this has any use for anyone however.. I don't know.

Writing down a complex password without obfuscating it seems just wrong to me. If someone is trying to break into a computer physically you can be sure they will look for some tell-tale.

The Fairy
I believe, when I worked for a healthcare institution, that some of our requirements came from HIPAA. I haven't looked at the SOX regs (which I guess I now adhere to in the insurance world), but they may have some similar language as a basis for this sort of thing.

Beyond that, if you're part of a larger IT organization (sub-division in a larger corporation) the corporation may have rules that could be adhered to.

Bottom line needs to be that, whatever policy gets implemented, it be blessed by senior management, and preferably written up in a security or IT policy that all staff need to be made aware of/adhere to. It doesn't need to be draconian (change password every 180 days, combination of alpha and numerics), but it should be company policy so everyone is crystal clear on the requirement.

Milner
Been some good suggestions so I'm just going to add this:

As long as you're able to make sure that you can be exempt from the policy... I have a good memory, so personally I prefer to be able to use an 18-character password that's ridiculously complex for 6 months or more than a simple one that I have to change once a month.

Keep in mind that a 16 character password that uses only lowercase and uppercase letters and spaces gives 53^16 combinations or 3.876*10^27, whereas 10 character passwords that use lowercase and uppercase letters, numbers and symbols only gives 95^10 or 5.987*10^19.

teh dave
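The keyspace figures in the answer above, and the back-of-the-envelope reasoning behind the monthly change period in the Spafford quote earlier, worked through as an added example (not code from any answer on this page). The guess rate of 10^9 per second and the 30-day rotation window are assumed figures for illustration, not measurements; the policy list is constructed.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits, valid only for passwords chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of an n-word passphrase drawn at random from a wordlist.
    This, not 53**16, is what a human-chosen multi-word phrase is worth."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every password; the expected time is half this."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def fraction_searched_before_rotation(alphabet_size: int, length: int,
                                      guesses_per_second: float, rotation_days: int) -> float:
    """Spafford's back-of-the-envelope test, generalized: the share of the space an
    attacker covers before a forced change. Near 0 means the rotation period is not
    what protects you; 1.0 means the space is exhausted well before the change."""
    guesses = guesses_per_second * rotation_days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(alphabet_size, length))


# Constructed comparison set: (label, alphabet size, length).
POLICIES = [
    ("16 chars, upper+lower+space", 53, 16),
    ("10 chars, all 95 printable", 95, 10),
    ("8 chars, 3-of-4 complexity", 95, 8),
    ("8 chars, lower-case only", 26, 8),
]


def compare(policies=POLICIES, guesses_per_second: float = 1e9, rotation_days: int = 30):
    """Tabulate each policy under an assumed offline guess rate and rotation window."""
    return [
        {
            "policy": label,
            "keyspace": keyspace(a, n),
            "bits": round(entropy_bits(a, n), 1),
            "years_to_exhaust": years_to_exhaust(a, n, guesses_per_second),
            "fraction_before_rotation": fraction_searched_before_rotation(
                a, n, guesses_per_second, rotation_days),
        }
        for label, a, n in policies
    ]


if __name__ == "__main__":
    for row in compare():
        print(f"{row['policy']:30} {row['keyspace']:.3e}  {row['bits']:5.1f} bits  "
              f"{row['years_to_exhaust']:12.3g} years  "
              f"{row['fraction_before_rotation']:.2e} of space per rotation")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

Two things the numbers show that the raw counts do not. First, at the assumed rate an 8-character lower-case password is exhausted many times over inside one 30-day window, so a monthly change does nothing for it, while a random 10-character printable-ASCII password has a few hundred-thousandths of its space searched in the same window, so the change period is irrelevant there too; rotation only matters in the narrow band where exhaustion time and rotation period are comparable, which is precisely the mainframe-era situation Spafford describes. Second, the entropy figures hold only for uniformly random passwords; a four-word passphrase picked from a 7,776-word list is worth about 52 bits, far below the 91.6 bits of 16 random characters over a 53-symbol alphabet, although still well above what users produce under a "3-of-4" rule.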