
I am a new Junior IT Manager in a small company of around 500 employees and the current policy regarding passwords has enforced password expiration within 30 days, with a password history of 5.

As you can understand, this leads to people having passwords like January16 and the like, passwords on sticky notes on their screens blah blah blah... The usual when it comes down to these policies.

What would be ideal, as far as I can tell, would be a 10-character password with capitals, small letters, numbers and symbols.

Since I presume there are people in here that are security auditors, and also others that have way more experience on these matters, I ask you this.

What can I present to the auditors next time they come around, so that they would allow us to change the policy for password expiration to 1 year?

Off the top of my head, I would provide them with data regarding the strength of a long and complex password, as well as data from brute-force password retrieval apps regarding how many p/s they can achieve with state-of-the-art hardware, as well as a script that will run once every day to show if any new accounts have been created in AD, to work as a security measure in case someone does manage to break into the network and create their own account.

Any assistance will be much appreciated.
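The daily "new accounts in AD" check mentioned in the question, written out as an added example (this is not code from the question or the answer). It assumes the RSAT ActiveDirectory module is available on the host running the scheduled task, and the report directory and the 24-hour window are assumptions you would adjust:

```powershell
# Added example: list user accounts created in Active Directory during the
# last 24 hours, intended to run once a day from Task Scheduler.
# Assumptions: RSAT ActiveDirectory module installed; $ReportDir is a
# placeholder path; the task account can read the domain.
Import-Module ActiveDirectory

$WindowHours = 24
$ReportDir   = 'C:\Reports\ADAccountChecks'   # assumed location
$Since       = (Get-Date).AddHours(-$WindowHours)

if (-not (Test-Path $ReportDir)) {
    New-Item -ItemType Directory -Path $ReportDir | Out-Null
}

# whenCreated is stamped by the directory itself when the object is created,
# so it is a reliable marker regardless of what the account creator typed in.
$NewUsers = Get-ADUser -Filter { whenCreated -ge $Since } `
                       -Properties whenCreated, Description, MemberOf |
    Sort-Object whenCreated |
    Select-Object SamAccountName,
                  Name,
                  Enabled,
                  whenCreated,
                  Description,
                  @{ Name       = 'Groups'
                     # Reduce each group DN ("CN=Domain Admins,CN=Users,...") to
                     # its CN so privileged memberships stand out in the report.
                     Expression = { ($_.MemberOf |
                         ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ';' } }

$Stamp      = Get-Date -Format 'yyyy-MM-dd'
$ReportPath = Join-Path $ReportDir "new-accounts-$Stamp.csv"

if ($NewUsers) {
    $NewUsers | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Output "$(@($NewUsers).Count) account(s) created since $Since; details in $ReportPath"
    $NewUsers | Format-Table -AutoSize
    # A non-zero exit code lets the task history or a monitoring agent flag
    # that the report needs a human look.
    exit 1
}
else {
    Write-Output "No user accounts created since $Since"
    exit 0
}
```

The report is only as good as its reviewer: someone has to compare each entry against the day's onboarding tickets. As a second, independent record, the Security log on each domain controller writes event ID 4720 ("A user account was created") with the account that performed the creation, which this directory query cannot tell you; forwarding those events is the usual way to get the "who" alongside the "what".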

  • Just a small point: Auditors check that a particular set of controls is in place. They are not usually the ones who set policy, they only check that the policy is being followed. You should determine who _does_ set the security policy, and speak directly to them. – Michael Hampton Jan 14 '16 at 16:30
  • Maybe search the web for more supporting arguments before beginning the conversation. – Paul Jan 14 '16 at 16:38
  • In my experience monthly password changes are pretty standard, yearly password changes are unheard of. – Clayton Jan 14 '16 at 18:57
  • One other item of importance: Are there any regulatory bodies (PCI-DSS, HIPAA, etc) in play that dictate this password policy? – Tim Brigham Jan 14 '16 at 19:23

1 Answer

The first thing that I would do is find out who actually sets the security policy. With that info in hand, sit down and talk with them. Ask what the goals of the security policy are, what is hoped to be gained from it, and how the current policies achieve that goal. The most important part of this is that you listen to their answers.

There are probably more secure means to achieve your aims. First, having more characters trumps upper/lower/number/special-char requirements. https://xkcd.com/936/ and https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength should be a sufficient primer.

Even more secure is using 2FA in place of straight passwords.

As mentioned, having a frequent password change will lead to an increase of forgotten / mistyped passwords. This will manifest in an increase in password-related calls to the helpdesk, or increases in written or predictable passwords.
The most important part of this conversation is to understand the goals, understand how the current policies are thought to meet those goals, and to work with your teammates (remember, it's all one company...) by avoiding being confrontational or insulting.

gWaldo
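To put numbers behind the answer's "more characters trumps composition rules" point, here is an added example (not from the answer or from xkcd) that computes the guessing entropy of several policies and how long an exhaustive search would take at an assumed guess rate. The policies, alphabet sizes and the 1e10 guesses/second figure are constructed assumptions for comparison, not measurements:

```powershell
# Added example: guessing entropy and worst-case search time per policy.
# Assumption: each password is chosen uniformly at random from its space;
# the guess rate is a placeholder, not a benchmark of any real hardware.

function Get-PasswordEntropyBits {
    param(
        [int]$Symbols,        # number of symbols drawn (characters or words)
        [int]$AlphabetSize    # distinct symbols available for each draw
    )
    # Uniform choice of $Symbols symbols from $AlphabetSize possibilities:
    # entropy in bits = Symbols * log2(AlphabetSize)
    return $Symbols * [math]::Log($AlphabetSize, 2)
}

function Get-ExhaustiveSearchYears {
    param(
        [double]$Bits,
        [double]$GuessesPerSecond
    )
    # Worst case: every combination tried once; average case is half of this.
    $Guesses = [math]::Pow(2, $Bits)
    return $Guesses / $GuessesPerSecond / (365.25 * 86400)
}

$GuessRate = 1e10   # assumed offline guesses per second against a fast hash

$Policies = @(
    [pscustomobject]@{ Name = '8 chars, upper+lower+digits';             Symbols = 8;  Alphabet = 62   }
    [pscustomobject]@{ Name = '10 chars, all 94 printable ASCII';        Symbols = 10; Alphabet = 94   }
    [pscustomobject]@{ Name = '16 chars, lowercase only';                Symbols = 16; Alphabet = 26   }
    [pscustomobject]@{ Name = '4 words from a 2048-word list (xkcd 936)'; Symbols = 4; Alphabet = 2048 }
    [pscustomobject]@{ Name = '6 words from a 7776-word list';           Symbols = 6;  Alphabet = 7776 }
)

$Policies | ForEach-Object {
    $bits  = Get-PasswordEntropyBits -Symbols $_.Symbols -AlphabetSize $_.Alphabet
    $years = Get-ExhaustiveSearchYears -Bits $bits -GuessesPerSecond $GuessRate
    [pscustomobject]@{
        Policy        = $_.Name
        EntropyBits   = [math]::Round($bits, 1)
        YearsToSearch = [math]::Round($years, 3)
    }
} | Format-Table -AutoSize
```

Two things to read off the table. First, 16 random lowercase letters (about 75 bits) outrank 10 random characters from the full printable set (about 65 bits), which is the answer's point in numbers. Second, the figures assume uniformly random choice; a human-chosen password like the January16 pattern from the question draws from a space far smaller than its character set suggests, which is why composition rules underdeliver in practice. The years column is also the frame for the rotation discussion: a 30-day expiry only shortens an attacker's window if exhausting the space takes less than 30 days, which at this assumed rate holds for the weakest row and none of the others.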