Best Practices for Password Policy

This topic contains 9 replies, has 8 voices, and was last updated by  WCNA 8 years, 3 months ago.

  • Author
    Posts
  • #6152
     awhitehatter 
    Participant

    Hi All,

    Wasn’t sure if this belonged in the regulatory and compliance section as it is more geared to best practices.

    I’m looking for information to support our current password policy. Specifically best practices on local administrator accounts, service accounts, etc. Practical stuff on expiration dates, the sharing of, archiving old expired passwords or anything along those lines.

    Does anyone have suggestions or links they can recommend? I can provide more info if you need it.

    thanks for reading,

  • #38468
     cd1zz 
    Participant

    Do you fall under any compliance or government regulations?

  • #38469
     Lubinski 
    Participant

    Here is a Sans link to their policies page, some good stuff in there regarding policies.
    http://www.sans.org/security-resources/policies/

    Regarding best practices here is a link to the NIST National Checklist Program which has some “checklist” style guides on recommended configuration of different OS’s.
    http://web.nvd.nist.gov/view/ncp/repository

    Password policies are great examples of security vs. usability. Just remember a strong password policy might result in increased help desk calls, and general frustration of the administrator(s). The best password policy is one that you stick to and not make “exceptions” for the boss’s son.

  • #38470
     awhitehatter 
    Participant

    @cd1zz wrote:

    Do you fall under any compliance or government regulations?

    CDIZ, we have remote sites that do fall under HIPAA, some state cyber security laws and sometimes NIST SP 800-53. We don’t have a security framework for our overall company at the time being (it’s one of our goals).

    @lubinski wrote:

    Here is a Sans link to their policies page, some good stuff in there regarding policies.
    http://www.sans.org/security-resources/policies/

    Regarding best practices here is a link to the NIST National Checklist Program which has some “checklist” style guides on recommended configuration of different OS’s.
    http://web.nvd.nist.gov/view/ncp/repository

    Password policies are great examples of security vs. usability. Just remember a strong password policy might result in increased help desk calls, and general frustration of the administrator(s). The best password policy is one that you stick to and not make “exceptions” for the boss’s son.

    Thanks for the links Lubinski, I’ll check them out.

  • #38471
     timmedin 
    Participant

    Microsoft did a great study on passwords, rotation, and complexity.
    http://research.microsoft.com/apps/pubs/?id=74164

    In short, the more often a password was rotated, the less complexity users employed. My push has been to require much more complex [s:3qt3c6j4]passwords[/s:3qt3c6j4] passphrases and rotate them yearly (not every 90 days).

    As for service accounts and other non-user accounts. Always keep them at least 15 characters. That way it prevents the cryptographic weakness in Windows Lan Manager from even being an issue.

  • #38472
     cd1zz 
    Participant

    timmedin is right on. Passphrases are the way to go, especially if you can avoid dictionary words. However you dont want passwords so complex that people are leaving sticky notes all over the place. But this is where some education or help to your users will come in nicely.

  • #38473
     jsm725 
    Participant

    I am a big fan of passphrases. Easy to remember and don’t need to be changed as often. I like to pitch it to clients as a cost savings for their help desk with the decrease in passwords resets needed.

    My only caution would be that changing once a year might leave you susceptible to other forms of attack that frequently changing your passwords help defend against (i.e. social engineering).

    Depending on the regulatory environment, some of this stuff may be decided for you though.

  • #38474
     Triban 
    Participant

    I’m another fan of the passphrase.  Definitely the way to go.  As for the local admin and service accounts, since you won’t be changing those as often as the user accounts, use very long passphrases, sentences from books or even history facts tent to work best.  But make them long.  I am currently in the process of having my organization move out of the password arena and into passphrases, sadly I have an ISO that is not very bright and doesn’t get some of these concepts.  Yes I don’t know how he got the job either.  Anyway good luck and if you have some stubborn users, make sure to reiterate the ease of remembering them.  Hell for the ones that like to “secure” them under their keyboard, you can even mention that they can keep the phrase on a sticky note on their monitor and no one might think anything of it “Meeting on Friday!” 

  • #38475
     R3B005t 
    Participant

    Ahh the age old problem that every IT department faces, passwords.  The complexity requirements at my current place of employment are I’m sure the bane of the helpdesk.  I’d love to go to passphrase’s however I’m sure we wouldn’t be able to due to the strict gov regs that companies in my industry face.  We are actually looking at beefing up secuirty even further by utilizing CAC card’s in addition to our normal password complexity requirments.  One thing I’m currently working on is getting the ISO to make all the Domain Admins use two seperate accounts.  One with User level rights for day to day stuff and the other a unique domain admin accout to use for any work that requires elevated permissions.  I myself have been working this way for about 6 mo. at first it was difficult but you quickly adapt to creating short cuts with runas in the target path.  I’ve taken to documenting cases where users have their passwords written down.  God one of our users who handles finances had a file called Passwords.xls out on a freaking network share that was accessable to everyone. 

  • #38476
     WCNA 
    Participant

    I’ll second the opinion that passphrases are the way to go AND I would add… use numbers and special characters in your pass phrase as well.

    Also, you have to be aware of password reuse. (Wasn’t it H.D. Moore that got caught in that recently?…. and HB Gary too)

    I suggest to users to use different phrases for different places such as “Ih82comein2work” (I hate to come into work) for the workplace and “BF!onmywayhomeagain” (which stands for the song Blind Faith- On my way home again), obviously for the home computer password

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?