[148098] in North American Network Operators' Group
Re: AD and enforced password policies
daemon@ATHENA.MIT.EDU (Todd Underwood)
Tue Jan 3 08:23:25 2012
In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
From: Todd Underwood <toddunder@gmail.com>
Date: Tue, 3 Jan 2012 08:22:09 -0500
To: Greg Ihnen <os10rules@gmail.com>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
http://www.diceware.com/
works well. has plausible analysis of the entropy of the passphrases
created. it's 100% prescriptive and deterministic so can be used for
large, unevenly skilled userbases. the passphrases are easy to
remember and type for English speakers (and there are alternative
dictionaries).
and it wouldn't pass any of these silly requirements.
what people really need to be doing is deploying:
http://en.wikipedia.org/wiki/HOTP
there are free apps for Android and iPhone to generate sequences as a
2nd factor.
t
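As an added illustration of the Diceware point in the reply above (this is not code from the thread or from diceware.com): the dice rolls map to a word-list index in base 6, the entropy of an n-word phrase is n·log2(7776), and a lowercase multi-word phrase fails a typical "upper/lower/digit/symbol" composition rule even when it carries far more entropy than the mutated password that passes. The tiny word list and the dice values are constructed for the demo; a real Diceware list has 7776 entries keyed "11111" through "66666".

```python
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5
WORDS_IN_LIST = DICE_SIDES ** DICE_PER_WORD  # 7776 entries in a real Diceware list

# Constructed stand-in for a Diceware word list (only a handful of rows, made up
# for this example; the real list maps every five-dice key to a word).
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "11112": "abbey",
    "23456": "dusk",
    "34512": "inch",
    "52361": "ripe",
    "66666": "zombie",
}


def roll_key(rng=secrets.randbelow) -> str:
    """Roll five dice with a CSPRNG and return the Diceware key, e.g. '23456'."""
    return "".join(str(rng(DICE_SIDES) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key: str) -> int:
    """Interpret a dice key as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    if len(key) != DICE_PER_WORD:
        raise ValueError("Diceware keys have exactly five digits")
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= DICE_SIDES:
            raise ValueError(f"not a die face: {ch}")
        index = index * DICE_SIDES + (digit - 1)
    return index


def generate_passphrase(n_words: int, wordlist: dict, rng=secrets.randbelow) -> str:
    """Roll one key per word and look each up in the supplied word list."""
    return " ".join(wordlist[roll_key(rng)] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = WORDS_IN_LIST) -> float:
    """Entropy of a uniformly chosen n-word phrase: n * log2(list size)."""
    return n_words * math.log2(list_size)


def composition_policy(password: str, min_len: int = 8) -> bool:
    """A typical 'complexity' rule: length plus one of each character class."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    return len(password) >= min_len and all((has_lower, has_upper, has_digit, has_symbol))


if __name__ == "__main__":
    # Scripted dice so the demo hits keys present in the constructed list.
    scripted = iter([0, 0, 0, 0, 0, 5, 5, 5, 5, 5])
    phrase = generate_passphrase(2, SAMPLE_WORDLIST, rng=lambda n: next(scripted))
    print(phrase, "entropy of a real 5-word phrase:", round(entropy_bits(5), 1), "bits")
    for pw in ("g0ddw/\\ssPOrd-01", "dusk inch ripe abbey zombie"):
        print(repr(pw), "passes composition policy:", composition_policy(pw))
```

The composition check accepts the sequentially mutated password from the thread and rejects the five-word phrase, which is the mismatch the poster is pointing at: the rule measures character classes, not guessability.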
On Tue, Jan 3, 2012 at 8:09 AM, Greg Ihnen <os10rules@gmail.com> wrote:
>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake@pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going
>> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
>> and we're all doomed, or they will be lucky and guess. None of these
>> attack modes will be mitigated by the 3-month scheme; success/fail as
>> seen by the bad guys will be a lot quicker than three months. If they
>> do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting your
>> hashes stolen etc. On-line repeated login failures aren't going to work
>> because you'll detect that, right? )
>>
>> Either way, expiring often is the first and most effective step at making
>> the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just
>> don the Navy blues and start swapping punchcards at 0000 ZULU.
>>       (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> --
>> Måns Nilsson     primary/secondary/besserwisser/machina
>> MN-1334-RIPE                             +46 705 989668
>> Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>
> Greg
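As an added example for the HOTP suggestion in Todd's reply at the top of this message (not code from the thread, from the Wikipedia page, or from any particular phone app): this implements the RFC 4226 HOTP computation (HMAC-SHA1 over an 8-byte counter, dynamic truncation to a 6-digit code) and a server-side verifier with a small look-ahead window so a token that was pressed a few times without logging in still resyncs, while any code at or below the last accepted counter is rejected as a replay. The secret and expected codes are the published RFC 4226 test vectors; the look-ahead width of 3 is an assumption made for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter as 8-byte big-endian), then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = (
        (mac[offset] & 0x7F) << 24               # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 3):
    """Server-side check.

    Accepts a code for any counter in [server_counter, server_counter + look_ahead]
    (the token may have been advanced without a successful login) and returns the
    next counter the server must store. Returns None on no match; the caller must
    never move the counter backwards, which is what makes a captured code single-use.
    """
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1
    return None


# RFC 4226 Appendix D test vector: the 20-byte secret and the first ten codes.
RFC4226_SECRET = b"12345678901234567890"
RFC4226_CODES = [
    "755224", "287082", "359152", "969429", "338314",
    "254676", "287922", "162583", "399871", "520489",
]


if __name__ == "__main__":
    for counter, expected in enumerate(RFC4226_CODES):
        code = hotp(RFC4226_SECRET, counter)
        print(counter, code, "ok" if code == expected else "MISMATCH")
    # Token was pressed three times without logging in: counter 3 still accepted.
    print("resync:", verify_hotp(RFC4226_SECRET, RFC4226_CODES[3], 0))
    # Replaying the code for counter 0 after the server has moved to 1 fails.
    print("replay:", verify_hotp(RFC4226_SECRET, RFC4226_CODES[0], 1))
```

Two operational points follow from the verifier: the stored counter is security state (store it durably and never decrement it), and the look-ahead window bounds how far a drifted token can resync, so a wide window trades usability against the number of codes an attacker could try per submission; RFC 4226 pairs this with a throttling counter on failed attempts.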