Best Practices for Password Policy

  • This topic has 9 replies, 8 voices, and was last updated 9 years ago by WCNA.
Viewing 9 reply threads
  • Author
    Posts
    • #6152
      awhitehatter
      Participant

      Hi All,

      Wasn’t sure if this belonged in the regulatory and compliance section as it is more geared to best practices.

      I’m looking for information to support our current password policy. Specifically best practices on local administrator accounts, service accounts, etc. Practical stuff on expiration dates, the sharing of, archiving old expired passwords or anything along those lines.

      Does anyone have suggestions or links they can recommend? I can provide more info if you need it.

      thanks for reading,

    • #38468
      cd1zz
      Participant

      Do you fall under any compliance or government regulations?

    • #38469
      Lubinski
      Participant

      Here is a Sans link to their policies page, some good stuff in there regarding policies.
      http://www.sans.org/security-resources/policies/

      Regarding best practices here is a link to the NIST National Checklist Program which has some “checklist” style guides on recommended configuration of different OS’s.
      http://web.nvd.nist.gov/view/ncp/repository

      Password policies are great examples of security vs. usability. Just remember a strong password policy might result in increased help desk calls, and general frustration of the administrator(s). The best password policy is one that you stick to and not make “exceptions” for the boss’s son.

    • #38470
      awhitehatter
      Participant

      @cd1zz wrote:

      Do you fall under any compliance or government regulations?

      CDIZ, we have remote sites that do fall under HIPAA, some state cyber security laws and sometimes NIST SP 800-53. We don’t have a security framework for our overall company at the time being (it’s one of our goals).

      @Lubinski wrote:

      Here is a Sans link to their policies page, some good stuff in there regarding policies.
      http://www.sans.org/security-resources/policies/

      Regarding best practices here is a link to the NIST National Checklist Program which has some “checklist” style guides on recommended configuration of different OS’s.
      http://web.nvd.nist.gov/view/ncp/repository

      Password policies are great examples of security vs. usability. Just remember a strong password policy might result in increased help desk calls, and general frustration of the administrator(s). The best password policy is one that you stick to and not make “exceptions” for the boss’s son.

      Thanks for the links Lubinski, I’ll check them out.

    • #38471
      timmedin
      Participant

      Microsoft did a great study on passwords, rotation, and complexity.
      http://research.microsoft.com/apps/pubs/?id=74164

      In short, the more often a password was rotated, the less complexity users employed. My push has been to require much more complex [s:3qt3c6j4]passwords[/s:3qt3c6j4] passphrases and rotate them yearly (not every 90 days).

      As for service accounts and other non-user accounts. Always keep them at least 15 characters. That way it prevents the cryptographic weakness in Windows Lan Manager from even being an issue.

    • #38472
      cd1zz
      Participant

      timmedin is right on. Passphrases are the way to go, especially if you can avoid dictionary words. However you dont want passwords so complex that people are leaving sticky notes all over the place. But this is where some education or help to your users will come in nicely.

    • #38473
      jsm725
      Participant

      I am a big fan of passphrases. Easy to remember and don’t need to be changed as often. I like to pitch it to clients as a cost savings for their help desk with the decrease in passwords resets needed.

      My only caution would be that changing once a year might leave you susceptible to other forms of attack that frequently changing your passwords help defend against (i.e. social engineering).

      Depending on the regulatory environment, some of this stuff may be decided for you though.

    • #38474
      Triban
      Participant

      I’m another fan of the passphrase.  Definitely the way to go.  As for the local admin and service accounts, since you won’t be changing those as often as the user accounts, use very long passphrases, sentences from books or even history facts tent to work best.  But make them long.  I am currently in the process of having my organization move out of the password arena and into passphrases, sadly I have an ISO that is not very bright and doesn’t get some of these concepts.  Yes I don’t know how he got the job either.  Anyway good luck and if you have some stubborn users, make sure to reiterate the ease of remembering them.  Hell for the ones that like to “secure” them under their keyboard, you can even mention that they can keep the phrase on a sticky note on their monitor and no one might think anything of it “Meeting on Friday!” 

    • #38475
      R3B005t
      Participant

      Ahh the age old problem that every IT department faces, passwords.  The complexity requirements at my current place of employment are I’m sure the bane of the helpdesk.  I’d love to go to passphrase’s however I’m sure we wouldn’t be able to due to the strict gov regs that companies in my industry face.  We are actually looking at beefing up secuirty even further by utilizing CAC card’s in addition to our normal password complexity requirments.  One thing I’m currently working on is getting the ISO to make all the Domain Admins use two seperate accounts.  One with User level rights for day to day stuff and the other a unique domain admin accout to use for any work that requires elevated permissions.  I myself have been working this way for about 6 mo. at first it was difficult but you quickly adapt to creating short cuts with runas in the target path.  I’ve taken to documenting cases where users have their passwords written down.  God one of our users who handles finances had a file called Passwords.xls out on a freaking network share that was accessable to everyone. 

    • #38476
      WCNA
      Participant

      I’ll second the opinion that passphrases are the way to go AND I would add… use numbers and special characters in your pass phrase as well.

      Also, you have to be aware of password reuse. (Wasn’t it H.D. Moore that got caught in that recently?…. and HB Gary too)

      I suggest to users to use different phrases for different places such as “Ih82comein2work” (I hate to come into work) for the workplace and “BF!onmywayhomeagain” (which stands for the song Blind Faith- On my way home again), obviously for the home computer password

Viewing 9 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?