[148209] in North American Network Operators' Group
RE: AD and enforced password policies
daemon@ATHENA.MIT.EDU (Jones, Barry)
Thu Jan 5 14:03:03 2012
From: "Jones, Barry" <BEJones@semprautilities.com>
To: "'Steven Bellovin'" <smb@cs.columbia.edu>, Greg Ihnen <os10rules@gmail.com>
Date: Thu, 5 Jan 2012 11:01:55 -0800
In-Reply-To: <2AC71587-2896-45FC-B77C-8C789B3C28F7@cs.columbia.edu>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
'Either way, expiring often is the first and most effective step at making
the lusers hate you and will only bring the Post-It(tm) makers happy.'

If you want to make them really, really unhappy, implement a rotating user
ID coupled with an often expiring password policy. For example, User ID
jjones1, jjones2, jjones3, jjones4 (for winter, summer, fall, spring). Works
with clothing choices, but angers user communities... :-)

-----Original Message-----
From: Steven Bellovin [mailto:smb@cs.columbia.edu]
Sent: Tuesday, January 03, 2012 5:41 AM
To: Greg Ihnen
Cc: Nanog@nanog.org
Subject: Re: AD and enforced password policies
On Jan 3, 2012, at 8:09 19AM, Greg Ihnen wrote:
>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake@pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going to
>> start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5
>> etc, and we're all doomed, or they will be lucky and guess. None of
>> these attack modes will be mitigated by the 3-month scheme;
>> success/fail as seen by the bad guys will be a lot quicker than three
>> months. If they do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting
>> your hashes stolen etc. On-line repeated login failures aren't going
>> to work because you'll detect that, right? )
>>
>> Either way, expiring often is the first and most effective step at
>> making the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just don the
>> Navy blues and start swapping punchcards at 0000 ZULU.
>> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> --
>> Måns Nilsson primary/secondary/besserwisser/machina
>> MN-1334-RIPE +46 705 989668
>> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>
It's not a side issue; in my opinion it's a far more important issue in most
situations. I do the same thing that you do for all but my most critical
passwords.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
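As an added illustration of the rotation pattern Måns describes above ("g0ddw/\ssPOrd-01", "-02", ...), here is a password-change check that rejects a new password which is an earlier one with only a trailing counter bumped, the case changed, or a character tacked on. It is constructed example code, not from any poster on the thread or any real product; the function names, the four-character stem minimum and the six-character containment threshold are assumptions.

```python
import re
from typing import Optional

# Constructed example: the kind of check a password-change handler can run so
# that forced expiry does not degrade into "-01", "-02", "-03" rotation.
_COUNTER = re.compile(r"^(?P<stem>.*?)(?P<sep>[-_.]?)(?P<num>\d{1,4})$")


def strip_counter(pw: str) -> str:
    """Drop a trailing counter such as '-01' or '2012'; leave other passwords as-is."""
    m = _COUNTER.match(pw)
    # Assumed threshold: only treat digits as a counter if a real stem (>= 4 chars) remains.
    if m and len(m.group("stem")) >= 4:
        return m.group("stem")
    return pw


def core(pw: str) -> str:
    """Normalised form used for comparison: counter removed, case folded."""
    return strip_counter(pw).casefold()


def rejection_reason(history: list, new: str) -> Optional[str]:
    """Return why `new` is too close to an earlier password, or None if it is acceptable.

    `history` holds the account's earlier passwords (oldest first).  A real
    system keeps only hashes and tests candidate variants of the new password
    against them; plaintext comparison here keeps the illustration short.
    """
    new_core = core(new)
    for old in history:
        if new == old:
            return "password was used before"
        old_core = core(old)
        if new_core == old_core:
            return "differs from an earlier password only by a counter or letter case"
        # Containment catches 'Winter2012' -> 'Winter2012!'; assumed guard against short stems.
        shorter, longer = sorted((new_core, old_core), key=len)
        if len(shorter) >= 6 and shorter in longer:
            return "contains or is contained in an earlier password"
    return None


if __name__ == "__main__":
    print(rejection_reason([r"g0ddw/\ssPOrd-01"], r"g0ddw/\ssPOrd-02"))
    print(rejection_reason([r"g0ddw/\ssPOrd-01"], "correct horse battery staple"))
```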