Dumb idea

By zlitocook
The company I work for has had the great idea to enforce a 30-day password change. That does not sound so bad, but it is a change that includes a 14-character password where the user has to have one special character, two letters and one number. Well, the people on my network have problems logging in to the network as it is.
With this policy, it will guarantee that the users will keep passwords in a place where they can find them.


Enforcing a password change and strong password policy is good

by mjwx In reply to Dumb idea

But this is just ****. 8-10 characters minimum with three non-alpha (capitals included) characters should be more than sufficient to change on a 4 or 6 week basis.

Users complain enough about that.

You know it makes me laugh

by j.lupo In reply to Enforcing a password chan ...

because the only ones they are keeping out of the system are the users.

I disagree

by Watzman In reply to Enforcing a password chan ...

Mandatory password changes are a double-edged sword, and can decrease security. I have a couple of passwords that I use which are not words and that have both letters and numbers, and no one knows them and they are not written down (ANYWHERE). But faced with a "change it monthly" decree, I pick a word with the numbers 1 to 12 at the end and it gets written down. Security has not been enhanced, it has suffered. There is a strong argument that the password should be changed when I think that someone else might have discovered it, which is almost never, since I never give it out to anyone, no one else knows it, and it's not written down.

Make it even stronger

by StephenCairns In reply to I disagree

Worked at a place that had a fixed size of password, which had to contain characters and numbers and could not contain more than 3 characters from the previous password. That would defeat your leading and ending number change. We used to phone the helpdesk every Monday to get our passwords reset because we'd changed them on Friday and could not remember them.

Way to keep same password

by t_edwan In reply to Make it even stronger

We had a stupid system that doesn't let you change your password into any password that is the same as the last three passwords. To keep your password, change it 3 times into different passwords and after that change it to your old one. That always worked for me.

except if you put a minimum age

by yannick In reply to Way to keep same password

That way you won't be able to change your password before whatever number of days has passed; usually one day is enough.
Of course that does not solve the problem of the users forgetting their passwords or writing them down. It all depends on which system you are protecting and what the risks are. Also you have to educate your users and give them tips on making easy-to-remember passwords. And of course let them understand why they need to have strong passwords.
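
The two controls discussed in this sub-thread, a reuse history and a minimum password age, as an added example that is not code from the thread or from any product named in it. It models both checks and then measures what the "change it three times and then back to the old one" trick costs under each configuration. The class and function names, the history depths, the one-day minimum age and the sample passwords are all assumptions for illustration.

```python
"""Password history plus minimum password age (constructed example).

Not code from the thread: a small model of the two controls discussed
above, used to measure what the "change it three times and then back to
the old one" trick costs under each configuration. All names and
parameter values are assumptions for illustration.
"""
import hashlib
import os

DAY = 24 * 3600  # seconds


class PasswordPolicy:
    def __init__(self, history_depth, min_age_seconds):
        self.history_depth = history_depth      # previous passwords that may not be reused
        self.min_age_seconds = min_age_seconds  # time that must pass between two changes
        self.salt = os.urandom(16)              # per-account salt for the stored history
        self.history = []                       # digests, most recent last
        self.last_change = None                 # timestamp of the last accepted change

    def _digest(self, password):
        # Keep hashes, not old passwords. A real deployment would use a slow
        # password hash (bcrypt/scrypt/argon2); sha256 keeps this dependency-free.
        return hashlib.sha256(self.salt + password.encode()).hexdigest()

    def set_initial(self, password, now):
        self.history = [self._digest(password)]
        self.last_change = now

    def change(self, new_password, now):
        """Return (accepted, reason); state is only updated on acceptance."""
        if self.last_change is not None and now - self.last_change < self.min_age_seconds:
            return False, "minimum age not reached"
        if self._digest(new_password) in self.history[-self.history_depth:]:
            return False, "password reused"
        self.history.append(self._digest(new_password))
        self.last_change = now
        return True, "ok"


def cost_of_cycling_back(history_depth, min_age_seconds, original="Winter-2009!"):
    """Run the trick from the thread: keep changing to throwaway passwords
    until `original` is accepted again. Returns (throwaway_changes, seconds_elapsed).
    The clock advances an hour at a time whenever minimum age blocks a change."""
    policy = PasswordPolicy(history_depth, min_age_seconds)
    now = 0
    policy.set_initial(original, now)
    throwaways = 0
    while True:
        accepted, reason = policy.change(original, now)
        if accepted:
            return throwaways, now
        if reason == "minimum age not reached":
            now += 3600
            continue
        # The original is still inside the reuse window and the minimum age
        # check has already passed, so a fresh throwaway password is accepted.
        policy.change(f"throwaway-{throwaways}", now)
        throwaways += 1


if __name__ == "__main__":
    for depth, age in [(3, 0), (3, DAY), (24, DAY)]:
        n, secs = cost_of_cycling_back(depth, age)
        print(f"history={depth:2d} min_age={age // DAY}d: {n} throwaway changes, {secs // DAY} days")
```

With a history of three and no minimum age the trick finishes in one sitting; with a one-day minimum age the same three throwaways spread over four days, and a history of 24 pushes it to 25 days, which is long enough that most users will simply keep the new password. The minimum-age check runs before the reuse check so that the clock, not the history depth, is what a user hits first.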

Research Data

by scminter In reply to except if you put a minim ...

Does anyone know of any research into the effect of password policies on security?

This all seems to be pretty much a guessing game. Everyone agrees that if you make the users change their password too often (such as hourly), security will not be enhanced but rather lessened. If you never have them change the password, security is not enhanced either. Where is the sweet spot?

I have never seen research to support the number of days that increase security without overburdening the users...have you?

yeah and...

by shardeth-15902278 In reply to Research Data

Has anyone heard of a breach that was in fact due to password guessing? This seems to get all the attention, but all the attacks that I am aware of were social engineering based, and as such, password strength doesn't matter one iota.

Research on policies affecting security

by dbmarts In reply to Research Data

Some years ago I recall seeing a study from either a major vendor (maybe IBM?) or one of the big IT consulting shops that discussed in depth the effect on security of overly stringent password policies. It addressed many of the topics in this discussion, including the increased temptation to write down passwords when they have to be changed too often and the repeat restriction is too high.

Has anyone else out there seen that study or have a link to something comparable that is available to help justify policies that have the right balance?

math problem...mostly....

by shardeth-15902278 In reply to Research Data

Actually, I put together a spreadsheet to help evaluate password risk, and the effects of various changes (max age, min length, lockout threshold, lockout duration).

I also tried to factor in the basic social engineering factor that the majority of passwords are going to be a dictionary word (or words) of appropriate length, with or without complexity. I am sure there are areas where it could be improved to provide more accurate results.

Anyway, playing around with the numbers, if you account for the above-mentioned social engineering factor, complexity is only better than an all-lowercase password of the same length by a factor of 10. Decreasing max age from 90 to 30 days is only a single order of magnitude as well. If you really want to strengthen your passwords, increasing the length is what really helps (i.e. going from 8 to 10 characters is roughly 3 orders of magnitude stronger).
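
The arithmetic behind the comparisons in this post, as an added example that is not the poster's spreadsheet. It models an online attacker guessing against one account, paced by the lockout policy, and sets that guess budget against the size of the password space, so the orders of magnitude for length, character classes, max age and the "dictionary word plus decoration" habit can be checked for any parameters. The alphabet sizes, lockout settings, the 100,000-word dictionary and the decoration counts are all assumptions chosen for illustration.

```python
"""Password-policy arithmetic for the risk model described in the post above.

Constructed example, not the poster's spreadsheet. It models online guessing
against one account, paced by the lockout policy, and compares that guess
budget with the size of the password space. Every parameter value below is an
assumption chosen for illustration.
"""
import math

# Character-class alphabet sizes (assumed: ASCII).
LOWERCASE = 26
LOWER_UPPER_DIGITS = 62
PRINTABLE_ASCII = 95


def keyspace(alphabet_size, length):
    """Number of distinct random passwords of the given length."""
    return alphabet_size ** length


def dictionary_space(word_count, capitalisation_variants, digit_suffixes, symbol_suffixes):
    """Effective space when users pick a dictionary word and decorate it to
    satisfy complexity rules (the "social engineering factor" in the post)."""
    return word_count * capitalisation_variants * digit_suffixes * symbol_suffixes


def online_guess_budget(max_age_days, lockout_threshold, lockout_minutes):
    """Guesses an attacker can make against one account before the password
    rotates, if every `lockout_threshold` failures lock the account for
    `lockout_minutes` and the attacker retries as soon as it unlocks."""
    windows_per_day = 24 * 60 / lockout_minutes
    return max_age_days * windows_per_day * lockout_threshold


def success_probability(guesses, space):
    """Chance that a uniformly chosen password falls within the guess budget."""
    return min(1.0, guesses / space)


def orders_of_magnitude(a, b):
    """log10(a/b): how many powers of ten larger a is than b."""
    return math.log10(a / b)


def compare_policies():
    """Work the post's comparisons with the assumed parameters and return them."""
    # Assumed lockout policy: 5 failures lock the account for 30 minutes.
    budget_90 = online_guess_budget(90, lockout_threshold=5, lockout_minutes=30)
    budget_30 = online_guess_budget(30, lockout_threshold=5, lockout_minutes=30)
    # Assumed user habit: 100k-word list, optional leading capital,
    # a two-digit suffix (100 choices), optional trailing symbol (32 + none).
    dict_space = dictionary_space(100_000, 2, 100, 33)
    return {
        "length_8_to_10": orders_of_magnitude(
            keyspace(LOWER_UPPER_DIGITS, 10), keyspace(LOWER_UPPER_DIGITS, 8)),
        "lower_to_full_ascii_8": orders_of_magnitude(
            keyspace(PRINTABLE_ASCII, 8), keyspace(LOWERCASE, 8)),
        "dictionary_vs_random_lower_8": orders_of_magnitude(
            dict_space, keyspace(LOWERCASE, 8)),
        "max_age_90_to_30": orders_of_magnitude(budget_90, budget_30),
        "p_online_90d_vs_dictionary": success_probability(budget_90, dict_space),
        "p_online_90d_vs_random_lower_8": success_probability(budget_90, keyspace(LOWERCASE, 8)),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:32s} {value:.3g}")
```

Two things the numbers make visible: the max-age change only scales the attacker's guess budget by the ratio of the two ages (here 90/30, which is log10(3) in orders of magnitude), while each extra character multiplies the space by the whole alphabet; and a decorated dictionary word from a 100,000-word list is a smaller space than a random all-lowercase 8-character password, so complexity rules that users satisfy with decorations buy far less than the raw alphabet arithmetic suggests.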
