[148097] in North American Network Operators' Group
Re: AD and enforced password policies
daemon@ATHENA.MIT.EDU (Greg Ihnen)
Tue Jan 3 08:10:29 2012
From: Greg Ihnen <os10rules@gmail.com>
In-Reply-To: <20120103084411.GN7491@besserwisser.org>
Date: Tue, 3 Jan 2012 08:39:19 -0430
To: Måns Nilsson <mansaxel@besserwisser.org>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake@pfankuch.me):
>
>> However I would say 365-day expiration is a little long; 3 months is about the average in a non-financial-oriented network.
>
> If you force me to change a password every three months, I'm going
> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
> you lose.
>
> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
> and we're all doomed, or they will be lucky and guess. None of these
> attack modes will be mitigated by the 3-month scheme; success/fail as
> seen by the bad guys will be a lot quicker than three months. If they
> do not get lucky with john or rainbow tables, they'll move on.
>
> (Some scenarios still are affected by this, of course, but there is a
> lot to be done to stop bad things from happening like not getting your
> hashes stolen etc. On-line repeated login failures aren't going to work
> because you'll detect that, right? )
>
> Either way, expiring often is the first and most effective step at making
> the lusers hate you and will only make the Post-It(tm) makers happy.
>
> If your password crypto is NSA KW-26 or similar, OTOH, just
> don the Navy blues and start swapping punchcards at 0000 ZULU.
> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!
A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.

Greg
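An added illustration of the rotation argument quoted above (example code, not from the thread or from Active Directory): AD's built-in history rule only rejects an exact repeat, so a custom password filter that also rejects near-repeats is what stops the "-01, -02" scheme. The stem/edit-distance threshold and the constructed sample history are assumptions for the demonstration.

```python
import re
from typing import List, Tuple

# Trailing run of digits and/or punctuation, e.g. "-01", "2012", "!!"
_SUFFIX = re.compile(r"[\W\d_]+$")


def stem(password: str) -> str:
    """Lower-case the password and drop the rotating suffix people append."""
    s = _SUFFIX.sub("", password.lower())
    return s or password.lower()  # all-digit/punctuation: compare the whole thing


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(new: str, old: str, max_distance: int = 2) -> bool:
    """True when `new` is `old` up to a suffix bump or a couple of edits
    (assumed threshold): the "-01, -02" pattern or one rotated character."""
    s_new, s_old = stem(new), stem(old)
    return s_new == s_old or levenshtein(s_new, s_old) <= max_distance


def check_change(new: str, history: List[str]) -> Tuple[bool, str]:
    """Decide whether `new` may replace any password in `history`."""
    for old in history:
        if is_trivial_variant(new, old):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed history following the scheme Måns describes above.
    history = ["g0ddw/\\ssPOrd-01", "g0ddw/\\ssPOrd-02"]
    for candidate in ["g0ddw/\\ssPOrd-03", "G0ddw/\\ssPOrd2012!",
                      "correct horse battery staple"]:
        print(candidate, "->", check_change(candidate, history))
```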