
Best Practices for Password Policy

awhitehatter

Newbie

Posts: 19

Joined: Wed Sep 01, 2010 1:42 pm

Post Mon Feb 28, 2011 6:34 pm

Best Practices for Password Policy

Hi All,

Wasn't sure if this belonged in the regulatory and compliance section as it is more geared to best practices.

I'm looking for information to support our current password policy. Specifically, best practices on local administrator accounts, service accounts, etc. Practical stuff on expiration dates, the sharing of passwords, archiving old expired passwords, or anything along those lines.

Does anyone have suggestions or links they can recommend? I can provide more info if you need it.

thanks for reading,

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Feb 28, 2011 7:45 pm

Re: Best Practices for Password Policy

Do you fall under any compliance or government regulations?

Lubinski

Newbie

Posts: 26

Joined: Fri Dec 03, 2010 1:34 pm

Post Mon Feb 28, 2011 7:54 pm

Re: Best Practices for Password Policy

Here is a SANS link to their policies page; there is some good stuff in there regarding policies.
http://www.sans.org/security-resources/policies/

Regarding best practices, here is a link to the NIST National Checklist Program, which has some "checklist" style guides on recommended configuration of different OSes.
http://web.nvd.nist.gov/view/ncp/repository

Password policies are great examples of security vs. usability. Just remember a strong password policy might result in increased help desk calls and general frustration of the administrator(s). The best password policy is one that you stick to and do not make "exceptions" to for the boss's son.

awhitehatter

Newbie

Posts: 19

Joined: Wed Sep 01, 2010 1:42 pm

Post Mon Feb 28, 2011 10:46 pm

Re: Best Practices for Password Policy

cd1zz wrote: Do you fall under any compliance or government regulations?

cd1zz, we have remote sites that do fall under HIPAA, some state cyber security laws and sometimes NIST SP 800-53. We don't have a security framework for our overall company at the time being (it's one of our goals).


Lubinski wrote: Here is a SANS link to their policies page; there is some good stuff in there regarding policies.
http://www.sans.org/security-resources/policies/

Regarding best practices, here is a link to the NIST National Checklist Program, which has some "checklist" style guides on recommended configuration of different OSes.
http://web.nvd.nist.gov/view/ncp/repository

Password policies are great examples of security vs. usability. Just remember a strong password policy might result in increased help desk calls and general frustration of the administrator(s). The best password policy is one that you stick to and do not make "exceptions" to for the boss's son.

Thanks for the links Lubinski, I'll check them out.

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Mar 01, 2011 9:33 pm

Re: Best Practices for Password Policy

Microsoft did a great study on passwords, rotation, and complexity.
http://research.microsoft.com/apps/pubs/?id=74164

In short, the more often a password was rotated, the less complexity users employed. My push has been to require much more complex passwords/passphrases and rotate them yearly (not every 90 days).

As for service accounts and other non-user accounts, always keep them at least 15 characters long. That way the cryptographic weakness in Windows LAN Manager never even becomes an issue.
twitter.com/timmedin | http://blog.securitywhole.com

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Mar 01, 2011 10:30 pm

Re: Best Practices for Password Policy

timmedin is right on. Passphrases are the way to go, especially if you can avoid dictionary words. However, you don't want passwords so complex that people are leaving sticky notes all over the place. But this is where some education or help for your users will come in nicely.

jsm725

Newbie

Posts: 36

Joined: Mon Mar 22, 2010 5:13 pm

Post Wed Mar 02, 2011 5:24 pm

Re: Best Practices for Password Policy

I am a big fan of passphrases. Easy to remember and they don't need to be changed as often. I like to pitch it to clients as a cost saving for their help desk with the decrease in password resets needed.

My only caution would be that changing once a year might leave you susceptible to other forms of attack that frequently changing your passwords helps defend against (i.e. social engineering).

Depending on the regulatory environment, some of this stuff may be decided for you though.
CISSP, PCI-QSA, OSWP

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sat May 07, 2011 3:47 pm

Re: Best Practices for Password Policy

I'm another fan of the passphrase. Definitely the way to go. As for the local admin and service accounts, since you won't be changing those as often as the user accounts, use very long passphrases; sentences from books or even history facts tend to work best. But make them long. I am currently in the process of having my organization move out of the password arena and into passphrases; sadly I have an ISO that is not very bright and doesn't get some of these concepts. Yes, I don't know how he got the job either. Anyway, good luck, and if you have some stubborn users, make sure to reiterate the ease of remembering them. Hell, for the ones that like to "secure" them under their keyboard, you can even mention that they can keep the phrase on a sticky note on their monitor and no one might think anything of it: "Meeting on Friday!"
Certs: GCWN
(@)Dewser

R3B005t

Newbie

Posts: 43

Joined: Wed Mar 09, 2011 9:03 am

Location: NVA/D.C.

Post Mon May 09, 2011 8:14 am

Re: Best Practices for Password Policy

Ahh, the age-old problem that every IT department faces: passwords. The complexity requirements at my current place of employment are, I'm sure, the bane of the helpdesk. I'd love to go to passphrases; however, I'm sure we wouldn't be able to due to the strict gov regs that companies in my industry face. We are actually looking at beefing up security even further by utilizing CAC cards in addition to our normal password complexity requirements. One thing I'm currently working on is getting the ISO to make all the Domain Admins use two separate accounts: one with user-level rights for day-to-day stuff and the other a unique domain admin account to use for any work that requires elevated permissions. I myself have been working this way for about 6 months; at first it was difficult but you quickly adapt to creating shortcuts with runas in the target path. I've taken to documenting cases where users have their passwords written down. God, one of our users who handles finances had a file called Passwords.xls out on a freaking network share that was accessible to everyone.

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon May 09, 2011 10:00 am

Re: Best Practices for Password Policy

I'll second the opinion that passphrases are the way to go AND I would add... use numbers and special characters in your passphrase as well.

Also, you have to be aware of password reuse. (Wasn't it H.D. Moore that got caught in that recently?.... and HB Gary too)

I suggest to users that they use different phrases for different places, such as "Ih82comein2work" (I hate to come into work) for the workplace and "BF!onmywayhomeagain" (which stands for the song Blind Faith - On my way home again), obviously for the home computer password.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
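The checks the posters recommend, written up as an added example (not code from this thread or from any poster): timmedin's 15-character floor for service accounts (Windows derives the LM hash from the first 14 characters and stores none for longer passwords, so 15+ characters leave no LM hash to weaken the account), cd1zz's and WCNA's advice to avoid phrases made only of dictionary words and to mix in digits and symbols, and the yearly rotation several posters prefer. The policy table, the word list and the sample credentials are constructed for the example and are not taken from any standard or real system.

```python
import re
from datetime import date

# Constructed policy table for this example (an assumption, not a published standard):
# minimum length and maximum age per account type, following the thread's advice to
# rotate yearly and keep privileged/service credentials long.
POLICY = {
    "user":    {"min_length": 15, "max_age_days": 365},
    "admin":   {"min_length": 20, "max_age_days": 365},
    "service": {"min_length": 20, "max_age_days": 365},
}

# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {"correct", "horse", "battery", "staple", "meeting", "on",
              "friday", "password", "summer", "welcome"}


def lm_hash_possible(password: str) -> bool:
    """Windows computes the LM hash from the first 14 characters and stores no LM
    hash at all for passwords of 15 or more; a 15+ character floor therefore takes
    the LM weakness timmedin mentions out of the picture entirely."""
    return len(password) <= 14


def character_classes(password: str) -> int:
    """Number of classes (lower, upper, digit, symbol) present in the string."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def dictionary_only(password: str) -> bool:
    """True when the phrase (letters only, spaces ignored, case-insensitive) can be
    segmented entirely into DICTIONARY words, e.g. 'correct horse battery staple'.
    Any digit or symbol in the phrase makes this return False."""
    s = re.sub(r"\s+", "", password.lower())
    if not s.isalpha():
        return False
    # Word-break dynamic programme: reachable[i] is True when s[:i] splits into words.
    reachable = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        reachable[i] = any(reachable[j] and s[j:i] in DICTIONARY for j in range(i))
    return reachable[len(s)]


def evaluate(password: str, account_type: str, last_changed: date, today: date) -> list:
    """Return the list of policy findings; an empty list means the credential passes."""
    rules = POLICY[account_type]
    findings = []
    if len(password) < rules["min_length"]:
        findings.append(f"too short: {len(password)} < {rules['min_length']}")
    # The LM concern is raised for service/admin accounts in the thread.
    if account_type != "user" and lm_hash_possible(password):
        findings.append("14 characters or fewer: an LM hash would be stored")
    if character_classes(password) < 3:
        findings.append("fewer than three character classes")
    if dictionary_only(password):
        findings.append("built only from dictionary words")
    age_days = (today - last_changed).days
    if age_days > rules["max_age_days"]:
        findings.append(f"rotation overdue: {age_days} days old")
    return findings


if __name__ == "__main__":
    # Constructed sample credentials; no real accounts.
    today = date(2011, 5, 9)
    samples = [
        ("Ih82comein2work", "user", date(2011, 1, 1)),
        ("summer", "service", date(2010, 1, 1)),
        ("correct horse battery staple", "admin", date(2011, 3, 1)),
    ]
    for pw, kind, changed in samples:
        print(f"{kind:8} {pw!r}: {evaluate(pw, kind, changed, today) or 'OK'}")
```

The dictionary check deliberately treats a single digit or symbol as breaking the "dictionary words only" pattern, which is exactly the change WCNA suggests; the character-class count then still flags a phrase that gets by with only letters and spaces.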