
Help users create complex passwords that are easy to remember

Passwords are only as good as the policy that enforces their use. That's why it's imperative that organizations employ a written password policy -- and that they take steps to enforce it. Find out more about creating an effective password policy, and learn a trick to share with users for creating strong, complex passwords.

While most end users understand the importance of using passwords to secure corporate systems and data, they don't always know how to create a strong password. That's why it's just as important to create a strong password policy in your organization. Remember: Passwords are only as good as the policy that enforces their use.

By default, Windows leaves the complexity filter (the Password must meet complexity requirements setting) disabled in the local security policy of stand-alone workstations and servers, and Windows 2000 domains shipped with it disabled in the Default Domain Group Policy Object (GPO) as well. Don't assume it's on; check. That's one more reason why it's imperative that organizations employ a written password policy -- and that they take steps to enforce it.

For example, if your company's password policy only requires a minimum of six characters and doesn't require complexity (i.e., a combination of uppercase and lowercase characters, digits, and/or nonalphanumeric characters), then you've got a pretty weak policy. Most users will then pick something easy to guess -- a dictionary word, a name, a date -- which is also easy to recover with a dictionary or brute-force attack, or simply to elicit through social engineering.

How do you make sure your users create strong passwords that attackers can't easily guess? Your first step is to enable the complexity filter in the Default Domain Policy GPO, or in the local security policy of stand-alone workstations and servers. In the Group Policy editor, open the Default Domain Policy and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy, then enable Password must meet complexity requirements. (On a stand-alone machine, the same node is under Local Security Policy, secpol.msc.) Once the filter is on, Windows rejects any new password that fails its rules, and you can build the rest of your password policy on top of it.

Craft a strong password policy

Let's look at some best practices for effective password policies. Most organizations require users' passwords to have a minimum of eight characters. They also specify that passwords must meet at least three of the four complexity requirements -- uppercase letters, lowercase letters, numbers, and nonalphanumeric characters. That is exactly what the Windows filter enforces: at least three of those four character classes, plus a check that the password doesn't contain the user's account name or any part of the full name longer than two characters. The filter doesn't check length, so set Minimum password length separately.

Organizations should also configure Enforce password history to remember the last 24 passwords, which is the maximum setting. Combined with a minimum password age (below), this virtually ensures that users can't cycle back to a favorite password.

In addition, set the minimum and maximum password age to an appropriate level. I recommend a maximum age of 180 days. Set a minimum age as well: without one, users can change their password 24 times in a row and return to the one they want, defeating the history setting. Keep that minimum short, however -- one or two days is enough to stop the cycling -- because a user who suspects a compromise must be able to change the password immediately. A minimum age of 90 days would force them to wait or to call the help desk for an administrative reset.
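To make these settings concrete, here is an added example in PowerShell (not code from the original article). It audits the Default Domain Policy against the values above and applies them, then does the same for a stand-alone machine through secedit, because net accounts can set length, age and history but not complexity. It assumes the ActiveDirectory module (RSAT) is installed for the domain part and that you run as an administrator. The minimum age is set to one day rather than 90: a day is enough to stop users cycling through the 24-password history, and it still lets a user who suspects a compromise change the password at once.

```powershell
# Added example, not from the original article: audit and apply the password
# policy settings discussed above. The domain part needs the ActiveDirectory
# module (RSAT); the secedit part needs local administrator rights.

$Wanted = @{
    ComplexityEnabled    = $true
    MinPasswordLength    = 8
    PasswordHistoryCount = 24
    MaxPasswordAge       = New-TimeSpan -Days 180
    MinPasswordAge       = New-TimeSpan -Days 1    # 1 day, not 90: see lead-in
}

# --- Domain: compare the Default Domain Policy with $Wanted -------------------
function Get-PasswordPolicyDrift {
    param([Parameter(Mandatory)][hashtable]$Wanted)
    $current = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Wanted.Keys) {
        if ($current.$name -ne $Wanted[$name]) {
            [pscustomobject]@{ Setting = $name; Current = $current.$name; Wanted = $Wanted[$name] }
        }
    }
}

$drift = @(Get-PasswordPolicyDrift -Wanted $Wanted)
if ($drift.Count -eq 0) {
    'Default Domain Policy already matches.'
} else {
    $drift | Format-Table -AutoSize
    # Splatting $Wanted works because its keys are the cmdlet's parameter names.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName @Wanted
}

# --- Stand-alone workstation or server: local security policy via secedit ----
# Write an INF with the same values and import it. The keys are the ones
# 'secedit /export' produces under [System Access].
$inf = Join-Path $env:TEMP 'pwpolicy.inf'
$db  = Join-Path $env:TEMP 'pwpolicy.sdb'
@'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode

secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet
net accounts    # shows length, age and history; complexity is visible in secpol.msc
```

Run the domain half once against a test domain first and read the drift table before letting the Set- call run; the Default Domain Policy applies to every account. On a domain member the secedit half is overridden by the domain GPO at the next refresh, so it's only useful for machines that really are stand-alone.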

Put your policy in action -- and enforce it

It's smart to establish a good password policy in your organization, but it's even more important to actually enforce it. A strong policy that no one has to follow doesn't add any more security than no policy at all.

In addition, it's important to remember that a good password policy doesn't work if users have to write down their password because it's so complex. That only transfers the security risk instead of mitigating it.

So how can you make sure users' passwords are complicated enough to deter attackers and easy enough to remember? One of my colleagues offers the following trick for creating passwords that meet complexity requirements while still being possible to remember.

Step 1: Come up with a base word

Pick the name of a pet or any common thing that's easy to remember, but avoid anything printed on your desk or easily learned about you, since that's exactly what social engineering targets. For example, say you once lived in Louisville. You can use that to establish the base of your password and satisfy the required criteria for a strong password.

Remember: You need at least one capital letter and either a number or a special character. So, using Louisville as your base word, you can substitute an ! or 1 for i and replace the s with $ -- e.g., Lou1$ville or L0u!$ville (the second also swaps a 0 for the o). Be aware that these substitutions are well known: cracking tools apply them automatically to every dictionary word, so they make the password satisfy the filter rather than make it hard to crack. The real strength comes from the characters you add in the next step and from the total length.

Step 2: Add more characters to the base word

Pick any four characters to add to the base word -- ideally at random, not a year, your phone extension or 1234. These four characters are the part of the password an attacker can't derive from a dictionary.

Step 3: Store your password without worry

Now, write down the added four characters, along with a clue for the base word. Using our previous example, you would write down city1xyza, where city1 signifies Louisville with a 1 and a $, and xyza represents the four additional characters.

So, even written down, this password reference serves as a reminder of your complete password while revealing little to roaming eyes. Note what the note does expose: the four added characters. The secret it protects is the base word and the substitutions you applied to it, and those must stay in your head. (Keep in mind that this example is a 14-character password. While that may be longer than the actual requirement, it may be easier to remember.)
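The three steps above produce passwords that pass the Windows filter, but the substitutions in Step 1 buy less than they appear to. The PowerShell below is an added example, not the article's own code. It implements the filter's documented rules so you can check candidate passwords the way Windows will, then enumerates the leet variants of the base word to show how small that space is for a cracker. The complexity rules are those Windows documents for the setting; the substitution table, the account name jdoe and the full name Jane Doe are assumptions made for the demonstration.

```powershell
# Added example, not code from the original article.
# Test-PasswordComplexity mirrors the rules behind the Windows setting
# "Password must meet complexity requirements" (three of four character
# classes; no account name; no full-name token longer than two characters)
# plus a minimum length, which that setting does not check itself.
# Get-LeetVariants enumerates the substitutions a cracking rule set tries on a
# base word; its table is an assumption, and real rule sets are larger.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = '',
        [string]$FullName = '',
        [int]$MinLength = 8
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt $MinLength) { $reasons.Add("shorter than $MinLength") }

    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons.Add("only $classes of 4 character classes") }

    if ($AccountName -and $Password -imatch [regex]::Escape($AccountName)) {
        $reasons.Add('contains account name')
    }
    # Windows splits the full name on commas, periods, dashes, underscores,
    # spaces, pound signs and tabs, and rejects any token over two characters.
    $tokens = $FullName -split '[ ,.\-_#\t]' | Where-Object { $_.Length -gt 2 }
    foreach ($t in $tokens) {
        if ($Password -imatch [regex]::Escape($t)) { $reasons.Add("contains name part '$t'") }
    }
    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

function Get-LeetVariants {
    param([Parameter(Mandatory)][string]$Word)
    # Assumed substitution table (the article's own swaps plus a few common ones).
    $table = @{ a = @('a','@','4'); e = @('e','3'); i = @('i','1','!')
                o = @('o','0');     s = @('s','$','5'); l = @('l','1') }
    $variants = @('')
    foreach ($ch in $Word.ToLower().ToCharArray()) {
        $key = [string]$ch
        $options = if ($table.ContainsKey($key)) { $table[$key] } else { @($key) }
        $variants = @(foreach ($v in $variants) { foreach ($o in $options) { $v + $o } })
    }
    # Crackers also try the capitalised form of every candidate.
    $variants + @($variants | ForEach-Object { $_.Substring(0,1).ToUpper() + $_.Substring(1) })
}

# The article's examples, plus one that trips the name check, run through the filter.
'Louisville', 'Lou1$ville', 'L0u!$ville', 'Lou1$villexyza', 'password', 'Jane2007!' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -AccountName 'jdoe' -FullName 'Jane Doe' } |
    Format-Table -AutoSize

# What the substitutions are worth: the whole leet space of the base word.
$leet = Get-LeetVariants -Word 'Louisville'
'{0} leet variants of Louisville; Lou1$ville is among them: {1}' -f $leet.Count, ($leet -ccontains 'Lou1$ville')
```

Louisville passes through the filter only once it has a digit or symbol in it, password fails on character classes, and Jane2007! fails because it contains Jane even though it has all four classes. The leet enumeration for a ten-letter base word comes to well under two thousand candidates with this table, which a cracker exhausts in a fraction of a second; that is why the four appended characters, not the substitutions, carry the password.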

Final thoughts

Password policies only work if you turn them on. Make sure you've trained your users on how to create complex passwords that they can remember without leaving a paper trail that prying eyes can easily follow.


76 comments
DelphiniumEve

I *had* a set of rules that I had been using until I joined my most recent employer. I can no longer use them. They have extra stated requirements though most systems cannot enforce them...'the user must comply.' Add to that we still have systems that will only accept 8 character passwords and they are *trying* elsewhere in the organization to implement SSO. With the complex maze of systems that do not play well with each other as well as systems with different requirements and 90 day expirations for some systems and 30 day expirations for others - even personal password management is a nightmare. I know why our employees resist password security. We have had so much 'federated' management and growth, we have created a monster and no one really seems to give a d@mn. Can you tell I am frustrated?

Phil.J.Hayes

I like 2 small words of 4 to 6 characters each, something like "Dogs and cats". Using the same method you use above it would become D0g5&C@t$. Note that the "S" is converted to a 5 or a $. When the password expires change the 5 to a 6 or some other character. Most people sound the password in their heads as they type. The trick is to say the character but type something else. After a while it becomes automatic and the fingers just do it for you. In my example there are 2 upper case, 2 lower case, 2 numbers and 3 special characters. What's your password? It's simple: dog and cats.

RFink

Passwords are only half of the equation. Most companies use the user's name or a form of it for the user ID. Example rfink, rfink01, etc. EDS has the right idea, use randomly generated IDs. When I worked for them my IDs ranged from j8s8oj to pzdf8v. They have multiple systems for generating IDs. After two days the average user will remember that.

RFink

Personally I like passwords like: !z2x#c$v Create a pattern on the keyboard, hit the shift key a few times, throw in a CTRL key and you're golden. EDITED -- Typo

greg.hruby

The password systems generally fail because it is attempting to have humans behave consistently - and we don't. That being said, other methodologies should be improved - how about something simply stupid like - have an automated string of characters float past on the login screen - then the user can only login after their trigger-character or phrase goes past. The password can be as weak as you like, but if you key it in at the wrong time, no go. You could have the screen flash colors or pictures just as easily. AND - you can have a trigger picture/phrase that the user can login after for "coerced logins" - as a security feature. I think the current strong passwords are more annoying than effective in a general population of users and a source of make-work for IT staff. And yeah - the 90-day rule for rolling passwords - stop that one now.

ezeze5000

How about this: Irdl2wf52way I really don't like to work for 52 weeks a year. You can use pretty much any phrase that is easy for you to remember. I'm sure you can come up with some good ones. That's my 2 cents worth.

jdgressett

It helps to know an obscure, unusual language. I can speak Gaelic, and my passwords are Gaelic sentences. An example - "MacDonald is learning" becomes (with spaces removed) "Thaandomhnallachagionnsachadh"

anne.lear

drawer or under the keyboard. You have to take psychology into account also, and these recommendations are a good example of a password policy that will lead to less security, not more

sspinola

The author offers a great way to mitigate the "sticky note" problem caused by many strong password policies. The problem I always have with strong password policies is that the creators of the policies never seem to consider the law of unintended consequences which, in this case, suggests: If you require a password that is too difficult to remember, users will simply write it on a sticky note and stick it on their monitors. I tend to be pretty anal about my passwords, so I currently use passwords culled from a random password generator and simply select one that is phonetically easy for me to remember. For example, I just generated a list of passwords at http://www.pctools.com/guides/password/. one of the results was sted9uma which I find to be reasonably pronounceable ("sted-9-you-ma"). To that base I would consistently add, as needed, a symbol at the end and a cap letter at the beginning or end. These two tricks allow me to use essentially the same password in all cases. I just modify the base password for each situation. Additional password systems similar to the author's could depend on the user's interests. History buffs might use the last names of the US presidents and the dates of their elections. Sports fans might use the last names of their favorite team's players followed by their uniform numbers. The possibilities continue with albums, books, or movies and their release dates, actors or musicians and their birthdays, etc.

ANARCHYMM

Many users know at least some words of another language. Advise to mix and combine words from different languages, with someone's phone number part. Substitute the - with a different symbol. Easy to type and remember and long and secure. (Should make it over 16 characters easily).

Larry the Security Guy

When I was an ISP monkey I used a method given to me by a coworker for maintaining multiple passwords that change frequently: I started with a word, a list of systems, a multiplicand, an addend and a random value. To the positional value of the system on the list, apply the multiplicand and addend. In your seed word, count over (left or right) that number of characters and then insert your random value. For example: Seed word: Louisville Multiplicand: 2 Addend: 1 Random Value: 14 Direction: right For the second system on the list, the equation is 2 x 2 + 1 = 5. Count from left to right five places in the seed word and insert 14, thus: Louis14ville I posted the list on my monitor. The seed word and numbers (except for the random value) happened to exist in an important email that didn't look out of place on my cube wall (page x of y, it turns out, seemed a pretty good place to hide two small numbers). And I committed the random value to memory. When one password expires, I generally changed all of them so I only had to remember one random value at a time. After a year I'd change everything. Of course, I now work where security is tighter, the commodity more valuable, and we use two-factor auth.

speculatrix

one problem I used to have was reusing passwords across websites, having three levels of security (from don't care if someone knows to top security online banking codes)... it just became too complex. now I use supergenpass - http://supergenpass.com/ which is basically a javascript password generator that creates a unique password for every website.

gdunn

There are two reasons for password security. One is to keep your co-worker / kids / others with routine physical access to your computer or network device from logging in as you. This password has to be "good enough" but is the one that often gets written down when admins make the password requirements too complex. Brute force attacks are done when the bad guy gets access to the security credential repository, which usually means the security staff failed in their job. Complex passwords provide one level of protection, but create another security risk (sticky notes on the monitor or under the keyboard). The two risks must be balanced.

James Brown

Start by reading Bruce Schneier's blog article "Choosing Secure Passwords" from January 2007. I'm including the link but if it doesn't make it go to SCHNEIER-DOT-COM and search the blog for the title above. You can also search Bruce's blog for 'password' or 'password security' and find additional articles. http://www.schneier.com/blog/archives/2007/01/choosing_secure.html Here's a quote from the above article ... "According to Eric Thompson of AccessData, a typical password consists of a root plus an appendage. A root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time). "So the first attack PRTK [AccessData's Password Recovery Toolkit] performs is to test a dictionary of about 1,000 common passwords, things like "letmein," "password," "123456" and so on. Then it tests them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!" and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations." On some Microsoft products, PRTK can guess upwards of 350,000 passwords PER SECOND! That means that the passwords that match the easy 100,000 combinations (which, by the way, is EXACTLY what the author has proposed you use as your 'secure' password policy) will get guessed in about 1/3 of a second! Wow, that doesn't sound too secure to me! Besides the obvious advice in Bruce's article (which refutes pretty much all the suggestions in this article, using hard data from the real world) I also have some comments about password change timeouts. The author suggests setting password minimum and maximum age at 90 and 180 days. If you are foolish enough to do this, what is the user supposed to do if they feel that their password has been compromised? You just forced them to wait an additional 60 days (or whatever is left in the minimum) before they can change their password. Kind of a bad situation isn't it? 
What we really want is a way to prevent users from cycling passwords, right? Easy enough, the system should only remember the password if it has been used for more than 'x' days (NetWare uses this model). This doesn't prevent the user from changing the password during this period, the system just won't "count" that password as having been used. Another excellent suggestion for system admins who are "in harm's way" (in other words, in TRUE high-security environments) is to grab several good, commercial password crackers and run them regularly on the entire system. Any password that fails the test (is discovered by the cracker in some reasonable amount of time) should be changed. This should be run regularly as a cron job with results (good or bad) mailed to the admin. One last suggestion (included in Bruce's blog) is to have users use a secure password storage vault such as PasswordSafe or others. Obviously they need a secure password to the vault, but that's another story ... Thanks, - James

zbatia

I have posted my answer here: securecyber.blogspot.com with better idea (I guess). I'd appreciate any comments.

TonytheTiger

remembering the last "x" number of passwords?

dnelsonwc

I tell my users that no dictionary words are allowed, even if broken up, unless mutated by numbers or special characters. So sleep2nite wouldn't fly, but sl#ep2n1te would.

ejhonda

If you're going to take on the effort of changing your company's mindset on password security, you might as well make the effort worthwhile. This is a great topic, but the suggestions here are weak sauce. These password tips, at least from a Windows perspective and beyond the "do not write it down" portion, do nothing to effectively protect your passwords or strengthen overall security. As long as your Windows environment allows LanMan hashing of passwords, most passwords, even those following the guidelines offered in this article here, can be cracked in SECONDS or minutes at the most. What's the difference if the passwords "password" and "p4$$W0rD3" can BOTH be cracked in less than a few minutes? Are you really safer because the more complex password took 8 minutes to crack while the simple one took 1 second? At a bare minimum, shops should be eliminating LanMan hashing of their passwords and be moving to passphrases of at least 15 characters in length or more. Taking away LanMan hashes from being stored in the SAM will remove a lot of password cracking tools from a hacker's arsenal, but not all.

zbatia

Those who create the brute force software know all your tricks and will include them for sure. 5=S or a=@ or O=0, etc. The same story is with UPPER CASE/lower case. All these combinations are ALREADY included in the brute force software. It may just take several minutes longer than otherwise to break the password.

jims04

See my post with a subject of phrases at 10:54. Like you I also use the concept of phrases but instead take some combination of letters from each word in the phrase. With this technique I never have a recognizable word in my password. I have used this technique to remember passwords up to 26 characters long. Not sure if having recognizable words in a password that is 16 characters long is any less secure than having completely random characters but it makes me feel better not having any. I read somewhere where they showed that by combining a certain 3 word phrase could get you in trouble by actually generating a very recognizable word. The phrase was "to get her" which when combined became "together". For very secure websites that I visit like banking I actually use Password Maker and have it generate a password for each site.

elgeebar

or passwords again and again when the policy expires their current one! Keep "x" high.

robo_dev

For most systems it's impossible to test, so you must balance ease-of-use with complexity. Do you do inspections for written-down passwords? We do. You have to consider what the threat environment is. For a Windows workstation in a locked office, what is the real risk? Now if that's your external bank website login, or your encryption password for that laptop you leave on the front seat of your car....that's another story.

salmonslayer

Even Bruce Schneier has been quoted as saying that people might as well write their passwords down, as without the context (ie username), a password by itself is not worth much. Other security mavens have stated that it is better to have a strong password for a year than a series of weaker passwords. Why not take these and expand them into a simple (and inexpensive) two-factor authentication method? In this method, a random password would be generated and put onto a card. This random password will be half of the actual complete password. The second half (or first half) of the password will be something the client can easily remember. In order to log in, the client will need to type in the password part from the card in addition to their own password part to form the complete password. The card, by itself, is useless and the client will be less likely to write down the first part of the password. The client will also not be able to log in without the card (unless they have a good memory), and if they lose the card, a new one can be quickly generated. The primary drawback to this system is that it is a little more labour-intensive, as the client must be present in order for the second part of the password to be entered. However, it is inexpensive and quite effective.

kburmaster

One of the things I remind my users of is that a phrase is much easier to remember and much harder to crack than any single word, and I've upped the minimum number of characters so that it is very difficult for them to use single words anyway. I also only make them change it twice a year, so that they don't have to remember something new every month, or couple of months, or have to write it down. Stickittotheman is much easier to remember than L0u!$v!113, and much harder for a dictionary program to crack.

JCitizen

it just adds a few more lines to their cracking dictionary.

zbatia

I agree with you on that. Another thing I want to mention is a fingerprint reader. I use one from Microsoft. It helps with 3 things: 1. Quick login to any web site that has a login prompt - just put your finger on a reader screen; 2. Possibly (?) prevents a keystroke logger from logging the keys you have pressed. 3. If you generate a complicated password, it is not necessary to memorize it (the best of the features)!

TonytheTiger

how does that protect from hackers? In other words, why would it be insecure to allow the user to simply use two (complex) passwords and alternate between them monthly?

Chinqin

Two-factor Authentication means PIN (Personal Identification Number) + USB Token. OK..., the USB Token, hardware itself is inexpensive, just several dollars or more based on the security level. However, we need to consider what security technology the token application is based on. As I know, two-factor authentication is extended from PKI (Public Key Infrastructure) technology, which is to manage keys and certificates. So the user should pay for not only the token, but the certificates from the CA (Certificate Authority) and the consultant charge about how to establish a PKI-based system. That's quite a large amount. Generally, PKI is suitable for On-line Banking, Government, Public Utility, or enterprises globally. And what solution is more effective and safe? I think OTP (one time password) is another choice. The users need only to set up the server and then distribute the tokens. Of course, I also agree with Mike Mullins' opinion. This method is suitable for websites that need a lower security level. Thank you, Mike. Your way actually can help me remember the password for several months at least without the note. But Microsoft's ECE web asks me to change the password monthly and no letter and number repeated. Ahh...that's frequent for me. Maybe I need more training :o)

ejhonda

RSA and Authenex can't do it, at least not with a Token+PIN approach (like RSA's SecurID), such as you're describing. Vista throws a real monkey wrench into the equation (who would have guessed that? :) ). They can if you bring certificates into the picture. If you know of a company or product that has solved Windows login and AD integration, please let me know.

elgeebar

For many years I've taken the passphrase approach... To "generate" these I use incorrect mathematical algorithms - which sounds like I'm up my own posterior but hear me out ;-) It's actually dead simple... Let's take the phrase "one plus three equals five" as a simple example. It's mathematically incorrect so it's hard to predict. As a user it's dead easy to remember and as a password it's complex/strong when you input it as "1Plus2=Five". To give your users a seed so they are not all using the obviously simple examples of this, tell them to make ONE (and only one) of the numbers significant to them (e.g. child's date of birth is 28th June 2006 so use 28) and vary this when they change their password. Also tell them to vary the mathematical operations they use. Finally, increase mathematical complexity for your root/admin accounts e.g. "Square root of forty five divide by the cosine of ninety = pi" input as "2root45/COS90=3.14". Job done.

jims04

One of the things that I use and advise others, is to come up with a phrase with over 10 words and that contains some numbers. You can then take the first letter from each word, do substitutions, etc. For instance the phrase "I have watched all 6 of the Starwars movies about Luke Skywalker" can generate the password Ihwa6ot$maL$ where I substituted $ for capital S. You can expand this to take the first 2 letters or the first and the last letter of each word. As long as you remember your phrase and what substitutions you used, you can then get your password.

robo_dev

Adding an additional character set adds an order of magnitude to the cracking time. - all letters is very easy - letters and numbers is much much stronger - using letters, numbers, and special characters, even better - upper/lower case, letters, numbers, and special characters is very strong, even at relatively short password lengths. As a start, have users make up passwords that combine letters and words such as go2sleep2nite or close2home. Also, putting a year in there is an easy way to add numbers while making it easy to remember: moonlanding1969. Now throw a ! or a $ or an underscore on the end and you've got a very strong yet easy to remember password. Of course if the password is in a text file on their desktop or on a post-it on the backside of their keyboard, that somewhat nullifies the strong password....

catseverywhere

agreed. Everyone can come up with a unique phrase. Then substitutions and punctuation add to the complexity. Then I can write down something like this: s=$ i=! h=8 a=1 s=s s=$ a=! e=5 Reading characters as they come up in order, skipping to the next instance when appropriate, the above reminds me the phrase is: Thi$ !s t8e p1s$ phr!s5. Adding the normal convention of sentence structure and punctuation. Crack that. Only problem is one must remember their phrase. cat

JCitizen

mechanism of Windows Policy doesn't work in this area? ?:| We've always set it up like that.

Manitobamike

Instead of banging our heads against a wall trying to enforce elaborate passwords we should be telling software designers to fix the password entry routines. Everything I have written that requires a password only gives you three chances per 15 minutes. Get three wrong and the program will still accept typing passwords but just ignores them even if the right password is typed until the 15 minute timeout. I would guess this would slow down a brute force cracker to 1 or 2 years to crack an 8 character password.

JCitizen

so I figure that is why they had success. It is good to know someone is building a retina scanner that works well. I was always concerned that high-resolution camera technology would be able to capture a person's retina image and make nefarious use of it. Your post indicates this isn't a worry; this was what I had confidence in - that today's technology was going to jell. I still don't like anyone having my finger print on file in any form. This and subcutaneous RFID tech are the only technologies I feel should be prevented as a civil rights/privacy issue.

bojan

Having been into security (alarms, guards and guns one, not IT) business for ten years I happen to know a thing or two about biometrics. Both retinal scanners and fingerprint/handprint scanners in use for alarms and access control systems (not sure about Microsoft/Logitech OEM'd USB pieces you talk about though) expect your blood to flow, your heart to beat and your eyes to twitch in order to accept you. Chopped off finger or a rubber replica and a photo or a hologram-whatever of an eyeball just won't do. It takes a living human being and additional tests for the 'living' bit are made up every day. False positives are already reduced to zero in today's tech by using multiple algos for testing and multipass learning techniques. False negatives are not a big issue since two or three consecutive scans are much easier and MUCH less frustrating for the user than two or three complex passphrase retypes. Did you know that most alarm systems out there use only 4-8 digit numerical passwords, even for data connections? Though, proprietary (in all senses, from electronics to data format) comm used for these systems, and limited time frame from first attempt to alarm going off if you're not authenticated render brute-force attacks useless. I've seen alarm systems fooled only in action/scifi flicks. In the real world, successful breaches require a gun pointed at the head of someone that can authorize.

JCitizen

of government(or nosey corporations). But, I got to admit I don't worry about recognition tech like this because to me it is not too much different than living in a small town where no matter how much you might like to hide, everyone knows you and recognizes you and probably knows more about your personal life than you care to share. It is more important to me that someone else doesn't pass as me.

catseverywhere

Spiders. The stuff you see in sci-fi is usually already on the planning table, sometimes already deployed. I just don't want society to devolve into a perpetual identification of you and your whereabouts at every turn. Ever see "Idiocracy?" Notice the whole world is imbecilic and incompetent... BUT the automated total control scan grid still works, and the "authorities" mindlessly service it? Coming soon to a prison planet near you.

JCitizen

however, if they could get the iris scanner to work; I would think well of that. No one can leave my eyeball at the scene of a crime (and do anything damaging). It is actually easy to lift prints and recreate them, I did it when I studied police science in college. TV's Mythbusters showed it fairly easy to do without chopping anyone's finger off (which I don't think would work because they become machine unrecognizable after deflation). The particular technique has to be precise; the show illustrates this. Also iris information would be worthless to ID thieves as I can't think of how they could use it against you. The intricacies of the 3D image taken through a lens are extremely difficult if not impossible to copy; only an expensive "Mission Impossible" scientist could do it (maybe). Using different scan tech can result in a totally different passcode for the same iris; this eye feature is so intricate. So even if a crook somehow fooled you into looking into something to capture the iris; the code it would generate could not be introduced as a valid bio-metric pass to another data base. Combining this with retina information for confirmation would double the difficulty of recreating the pass. Actually facial recognition is making great strides lately and almost impossible to foil because of detectors that note underlying bone structure.

catseverywhere

I am under the impression it's relatively easy to defeat the "biometric" kind of 'security.' Especially finger print readers. Worst case someone chops your finger off, if the potential 'reward' is big enough. But way back in the 60's the Mission Impossible team faked finger prints by making a rubber mold. I admit to a bias here: I despise anything that tends toward "biometric" based access of any kind. I see the future of such control in the hands of big brother and it ain't pretty. cat

zbatia

When I was learning for my CISSP, I found that there is obviously a problem with a false positive/negative reading when wrong information is being accepted as the right one. To be fair, I have tested only the device that I use myself: Microsoft fingerprint reader (I also had another one that's combined with a wireless mouse but it went dead in two days). I asked several people to try to login to my web sites through the fingerprint reader and none of them was able to login. My other fingers did not log me in either. The only two fingers that were registered with the software did the trick. The software creates a unique and garbled code of the password itself protected with (I believe) 256-bit encryption. You can open the file for each corresponding entry and recognize the web site name but the password is not readable (encrypted). There are more comprehensive software versions to login to domains, but my reader allows only logging into the web sites if you use the IE-compatible browser. It does not recognize Firefox, so far.

JCitizen

Microsoft USB reader were very encouraging. I didn't look to see what people thought of the reader keyboard.

wdewey@cityofsalem.net

I hear that fingerprint readers are prone to false positives and negatives. Have you looked into this at all? Bill

JCitizen

or the monitor in/output or both. I assume your reader is USB? Probably alright for now.

TonytheTiger

simply states something like: "to avoid the vulnerabilities associated with password reuse" but doesn't explain what these vulnerabilities are. That's little better than "Because I said so, that's why!" I'm going to start a new thread in the questions section. Maybe the possibility of getting thumbs will get me a real answer :)

NZBN

How do you think you are increasing security by forcing users to change their passwords every 30 days?

jeff

What's with this forced password change every 90 days or 180 days nonsense? Most places I've worked stick with the Windows default of every 30 days. As for hackers, surely most of them are going to be outside the organisation. Therefore, when 3rd party vendors require remote access to your systems, you only enable their accounts for the required period and immediately disable them when they're finished. For both remote workers and 3rd party vendors you can also employ RSA SecurID tokens to validate their VPN access through the firewall. Firewall access can be further locked down by only permitting known IP addresses through. As for internal attempts to gain access, one of the easiest ways to help prevent this is to invoke the policy to clear the username field at each logoff. This then needs to be manually entered every time, which also ensures that the user will remember their username (how many times have I had problems trying to reset a user's password because they've forgotten their username?!?)

NZBN

changing a password every 90 days or 180 days is no more secure than keeping the same password for a full year. What happens when a user has to change their password? I'll tell you what happens: they change one letter or number, so rather than leetspeak1 it becomes leetspeak2 - no more secure. And if the hacker already has the password and they go "oh no, the password has changed," what are they going to try? Yup, you guessed it, the next number up the stack. Hackers aren't stupid, so I have no idea why so many users are forced to use "stupid" practices such as "change your password every 90 or 180 days." It serves no purpose but to lessen security.

Chinqin

Seems DTS has the function to solve Windows login. You can check.

JCitizen

but I am willing to bite it on the viability for such policy to actually work for most organizations. Perhaps fingerprint password management for passwords is the answer; I notice the Microsoft USB units are getting very affordable now. (EDITED) I've now seen face recognition software that seems very reliable on demo.

wdewey@cityofsalem.net

My boss always messes his pass phrase up at least once when he is logging in. It takes him from 15 to 30 seconds to get his screen unlocked. He is a competent typist so I have to disagree with your logic. Bill

JCitizen

given organization. In the organization I was contracted to, all clients had to have keyboard proficiency. But you're right anyway; we used to find their passwords pasted under their keyboards, or on the monitor, and had to watch the policy like a hawk to keep it going.

ejhonda

The challenge is typing w/o being able to see what you're typing. Many users find it difficult to remember where in the phrase they are if they pick a phrase that's long and has some upper and lower case in them, as well as a number or special character. Most people aren't the greatest typists, and will experience problems. It's like trying to bang out an entire sentence without looking or errors. Most people can type 3 or 4 words without issue, but the longer the string, the more likely an error will creep in.

JCitizen

the new password quickly. It only takes a second and a half to type a fairly long phrase.

ejhonda

If you're following a holistic approach to security, then you've probably got a group policy specifying desktop locking after so many minutes of inactivity. If you have to type half a paragraph to unlock your desktop each time you need to get to it, you're going to hate that long passphrase you chose.

ejhonda

Disclaimer: I'm no hashing or SAM (Security Accounts Manager - where Windows stores the hashes for users' passwords) expert, so please forgive my clumsiness in these descriptions. These are courtesy of Canaudit, who did some excellent pen testing for us...

Make sure your passphrase is at least 15 characters or more. This will do 2 things:

1) Prevent the storage of your password in the SAM from getting padded out to 14 characters with nulls. Your password will be stored in 2 ASCII words - 14 bytes - no matter what its actual length is. Windows will just pad out your password to meet the 14 char minimum length needed for storage of its hash value. If I know that passwords are padded out with nulls, and I see the last few hash values are the same at the end of the 2nd ASCII word of your password hash, then I can probably assume those are nulls. Now all I have to figure out is what value used to hash a null will produce that specific hash value. Once I have that, I can then decrypt the rest of the character's hash values. By going 14 or more characters, I've prevented a known value - a null - from being appended to the end of my password when it's hashed and stored in the SAM.

2) At least with Win2K, and probably with newer versions of Windows, using at least 15 characters would prevent LanMan hash values from being generated and stored for your password in the SAM. LanMan hashes are much easier to brute force than NTLM hashes, so take away the low-hanging fruit for the password cracker by making the password at least 15 characters in length. Of course, if your admins are on top of security, and you have a native Windows AD, and you aren't supporting some ancient app on your network that might rely on the older LanMan hash, the network admins can simply disable LanMan hashing and increase the difficulty of brute forcing your network's SAM.

NOTE: Even if you take due diligence and follow all the best advice, Windows can still betray you. Our pen testers were able to grab a 17 character passphrase used by one of our network admins by scanning the LSA Secrets area of Windows. What killed me is Windows stored this passphrase in there in THE CLEAR! It was at that point where I really started to understand the beef against Microsoft and their security.
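The post above explains why the 14-character padding and the 15-character cutoff matter. As an added example (not code from the thread, from Canaudit or from Windows), the following Python models the LM hash's key material: the password is upper-cased, null-padded or truncated to 14 bytes, split into two 7-byte halves, and each half is used as a DES key; a password of 15 or more characters gets no usable LM hash (Windows stores the hash of the empty password instead). DES itself is not implemented; the example shows the two halves, why attacking each half independently shrinks the work factor, and an audit check that flags the well-known all-null-half value in a dumped hash. The function names, the character-set sizes and the sample hash strings are constructed for this illustration.

```python
"""LM hash key material and a SAM audit check (added example, not from the thread)."""
import string

# DES output for an all-null 7-byte half.  The LM hash of the empty password
# is this value repeated twice.  Seeing it as the second half of a stored
# LM hash tells an auditor the password is at most 7 characters long.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_MAX_LEN = 14

# Assumed character sets for the work-factor comparison (constructed):
# LM only ever sees upper-case letters, digits and punctuation (68 symbols);
# a case-sensitive hash sees printable ASCII minus space (94 symbols).
LM_ALPHABET = len(string.ascii_uppercase + string.digits + string.punctuation)
CASE_SENSITIVE_ALPHABET = 94


def lm_key_halves(password: str):
    """Return the two 7-byte DES key inputs LM derives from `password`,
    or None when Windows would not generate an LM hash (15+ characters).

    Simplification: real LM uses the OEM code page; ASCII is assumed here.
    """
    if len(password) > LM_MAX_LEN:
        return None
    data = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\x00")
    return data[:7], data[7:]


def lm_candidates(length: int) -> int:
    """Worst-case guesses to recover an LM-hashed password of `length`
    characters when each 7-byte half is attacked on its own."""
    if length > LM_MAX_LEN:
        return 0  # no LM hash exists, nothing to attack
    first = LM_ALPHABET ** min(length, 7)
    second = LM_ALPHABET ** (length - 7) if length > 7 else 1  # null half is free
    return first + second


def case_sensitive_candidates(length: int) -> int:
    """Worst-case guesses for a single case-sensitive hash over the whole string."""
    return CASE_SENSITIVE_ALPHABET ** length


def classify_lm_hash(lm_hex: str) -> str:
    """Audit helper: what a 32-hex-digit LM hash from a SAM audit export reveals."""
    lm_hex = lm_hex.upper()
    if len(lm_hex) != 32 or any(c not in string.hexdigits for c in lm_hex):
        raise ValueError("expected 32 hex digits")
    first, second = lm_hex[:16], lm_hex[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "no LM hash stored (LM disabled, empty password, or 15+ characters)"
    if second == LM_EMPTY_HALF:
        return "LM hash present: password is 7 characters or fewer"
    return "LM hash present: password is 8 to 14 characters"


if __name__ == "__main__":
    for pw in ["Secret", "leetspeak1", "correct horse battery staple"]:
        print(f"{pw!r}: halves={lm_key_halves(pw)}, "
              f"lm_guesses={lm_candidates(len(pw)):.3e}, "
              f"case_sensitive_guesses={case_sensitive_candidates(len(pw)):.3e}")
    # Constructed sample hashes: the first is the real LM hash of an empty
    # password; the second pairs a made-up first half with a null second half.
    for h in ["AAD3B435B51404EEAAD3B435B51404EE",
              "0123456789ABCDEFAAD3B435B51404EE"]:
        print(h, "->", classify_lm_hash(h))
```

Running the script shows that a 14-character LM password costs an attacker about two 7-character searches rather than one 14-character search, and that any audit export whose hashes end in the constant half deserves a closer look at both the password length and whether LM storage is still enabled on that host.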