[148095] in North American Network Operators' Group


Re: AD and enforced password policies

daemon@ATHENA.MIT.EDU (Måns Nilsson)
Tue Jan 3 03:45:08 2012

Date: Tue, 3 Jan 2012 09:44:11 +0100
From: Måns Nilsson <mansaxel@besserwisser.org>
To: "Blake T. Pfankuch" <blake@pfankuch.me>
In-Reply-To: <CC75EEBF17C7374EA8309102B7B10C848601B7D0@SHSBS.shenrons-house.local>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake@pfankuch.me):

> However I would say 365-day expiration is a little long, 3 months is about the average in a non-financial oriented network.

If you force me to change a password every three months, I'm going
to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
you lose.

Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
and we're all doomed, or they will be lucky and guess. None of these
attack modes will be mitigated by the 3-month scheme; success/fail as
seen by the bad guys will be a lot quicker than three months. If they
do not get lucky with john or rainbow tables, they'll move on.

(Some scenarios still are affected by this, of course, but there is a
lot to be done to stop bad things from happening like not getting your
hashes stolen etc. On-line repeated login failures aren't going to work
because you'll detect that, right? )

Either way, expiring often is the first and most effective step at making
the lusers hate you and will only make the Post-It(tm) makers happy.

If your password crypto is NSA KW-26 or similar, OTOH, just
don the Navy blues and start swapping punchcards at 0000 ZULU.
	(http://en.wikipedia.org/wiki/File:Kw-26.jpg)

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!
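As an added example (not from the thread or from any product it mentions), a password-change check that catches the incremented-suffix rotation the post predicts: at change time the new plaintext is available, so its counter variants can be hashed and compared against the stored history instead of only rejecting exact repeats. It assumes a salted PBKDF2 history store, a hypothetical suffix pattern of an optional separator plus up to three digits, and constructed sample passwords taken from the post.

```python
import hashlib
import hmac
import os
import re
from typing import Iterator, List, Tuple

# Assumed suffix shape for "stem-01, stem-02, ..." rotation: optional separator + 1..3 digits.
_COUNTER = re.compile(r"^(?P<stem>.*?)(?P<sep>[-_. ]?)(?P<num>\d{1,3})$")
_ITERATIONS = 10_000   # kept low for the demo; production would use a far higher count
_LOOKBACK = 5          # how many earlier counter values to try


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the history store is not an unsalted digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_history_entry(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) as it would be stored when a password is set."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def counter_variants(password: str) -> Iterator[str]:
    """Yield plaintexts the user likely had before if `password` is an incremented one:
    the bare stem and the LOOKBACK preceding counter values with the same zero padding."""
    m = _COUNTER.match(password)
    if not m:
        return
    stem, sep, num = m.group("stem"), m.group("sep"), m.group("num")
    width, current = len(num), int(num)
    yield stem
    for n in range(max(0, current - _LOOKBACK), current):
        yield f"{stem}{sep}{n:0{width}d}"


def is_counter_rotation(new_password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if any counter variant of new_password matches a stored (salt, digest)."""
    for candidate in counter_variants(new_password):
        for salt, digest in history:
            # constant-time comparison of the derived key against the stored digest
            if hmac.compare_digest(_hash(candidate, salt), digest):
                return True
    return False
```

A deployment would run this alongside, not instead of, the usual exact-match history check and a breached-password lookup.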
