Hi All,

Wasn't sure if this belonged in the regulatory and compliance section as it is more geared to best practices.

I'm looking for information to support our current password policy. Specifically best practices on local administrator accounts, service accounts, etc. Practical stuff on expiration dates, the sharing of, archiving old expired passwords or anything along those lines.

Does anyone have suggestions or links they can recommend? I can provide more info if you need it.

thanks for reading,

Here is a Sans link to their policies page, some good stuff in there regarding policies.
http://www.sans.org/security-resources/policies/

Regarding best practices here is a link to the NIST National Checklist Program which has some "checklist" style guides on recommended configuration of different OS's.
http://web.nvd.nist.gov/view/ncp/repository

Password policies are great examples of security vs. usability. Just remember a strong password policy might result in increased help desk calls, and general frustration of the administrator(s). The best password policy is one that you stick to and not make "exceptions" for the boss's son.

Microsoft did a great study on passwords, rotation, and complexity.
http://research.microsoft.com/apps/pubs/?id=74164

In short, the more often a password was rotated, the less complexity users employed. My push has been to require much more complex passwords passphrases and rotate them yearly (not every 90 days).

As for service accounts and other non-user accounts. Always keep them at least 15 characters. That way it prevents the cryptographic weakness in Windows Lan Manager from even being an issue.

I am a big fan of passphrases. Easy to remember and don't need to be changed as often. I like to pitch it to clients as a cost savings for their help desk with the decrease in passwords resets needed.

My only caution would be that changing once a year might leave you susceptible to other forms of attack that frequently changing your passwords help defend against (i.e. social engineering).

Depending on the regulatory environment, some of this stuff may be decided for you though.

Ahh the age old problem that every IT department faces, passwords.  The complexity requirements at my current place of employment are I'm sure the bane of the helpdesk.  I'd love to go to passphrase's however I'm sure we wouldn't be able to due to the strict gov regs that companies in my industry face.  We are actually looking at beefing up secuirty even further by utilizing CAC card's in addition to our normal password complexity requirments.  One thing I'm currently working on is getting the ISO to make all the Domain Admins use two seperate accounts.  One with User level rights for day to day stuff and the other a unique domain admin accout to use for any work that requires elevated permissions.  I myself have been working this way for about 6 mo. at first it was difficult but you quickly adapt to creating short cuts with runas in the target path.  I've taken to documenting cases where users have their passwords written down.  God one of our users who handles finances had a file called Passwords.xls out on a freaking network share that was accessable to everyone.