[148100] in North American Network Operators' Group


Re: AD and enforced password policies

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Tue Jan 3 08:41:45 2012

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
Date: Tue, 3 Jan 2012 08:40:47 -0500
To: Greg Ihnen <os10rules@gmail.com>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 3, 2012, at 8:09 AM, Greg Ihnen wrote:

>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake@pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going
>> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
>> and we're all doomed, or they will be lucky and guess. None of these
>> attack modes will be mitigated by the 3-month scheme; success/fail as
>> seen by the bad guys will be a lot quicker than three months. If they
>> do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting your
>> hashes stolen etc. On-line repeated login failures aren't going to work
>> because you'll detect that, right? )
>>
>> Either way, expiring often is the first and most effective step at making
>> the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just
>> don the Navy blues and start swapping punchcards at 0000 ZULU.
>> 	(http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> -- 
>> Måns Nilsson     primary/secondary/besserwisser/machina
>> MN-1334-RIPE                             +46 705 989668
>> Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>

It's not a side issue; in my opinion it's a far more important issue in
most situations.  I do the same thing that you do for all but my most
critical passwords.



		--Steve Bellovin, https://www.cs.columbia.edu/~smb