On Tim Mintner's blog he talks about a novel way of getting folks to choose better passwords, in light of the headline about "Writing down your Passwords".
That's right, you heard him: you set up a contest to make sure your employees choose good passwords. One slight problem I see with Tim's solution, though, is that it appears the password-cracking program/contest is only run at the 'end' of the 90 days. So say I have a really stupid, sucky password that could be cracked in mere seconds; it's not going to get tested for 89 days, 23 hours and 59 minutes.
The idea behind expiring passwords is that you should make them strong enough that, if someone were brute-forcing them, they'd withstand the attempt for 89 days, 23 hours and 59 minutes before they fell. We don't pick 90 days, or even 60 days, because we network admins sit back here and chuckle about how often we force you guys to re-memorize passwords, choose new ones, make sure you don't reuse the old one, etc. etc. to make your life miserable. The expiration interval is supposed to be no longer than the time a brute-force cracking program would need to guess your password given reasonable CPU processing power, and since that processing power keeps climbing, the length and complexity you demand have to climb with it. As long as the password stands up for 89 days, 23 hours and 59 minutes, we can set the policy to a 90-day expiration. See the reason behind this?
Also keep in mind that many of these cracking programs have their jobs made a lot easier because one of two things is true:
- You have older OSs like Win 9x that you have to make sure can still authenticate, so the LAN Manager (LM) hash has to stay around for them, or
- You don't realize that once you've beaten your last Windows 98 box to a pulp [sorry to make it so graphic, but as you can tell ... I really have personal issues with 9x boxes that are still alive], you can easily switch off LAN Manager hash storage in group policy (on XP/2003 it's the "Network security: Do not store LAN Manager hash value on next password change" security option), and the next time the passwords are changed, the LM hashes won't be left behind. On my SBS 2000 system [where I did have LM hashes turned on] I ran @stake's LC5 program and it was frighteningly amazing how fast that software was able to match up the hash with the password.
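Here's the 90-day arithmetic from above, plus the reason LM hashes wreck it, worked through as an added example. This is not code from the original post, from LC5 or from Microsoft; it assumes a 69-character set for LM (printable ASCII with lowercase folded into uppercase), 95 printable characters for NT hashes, an attacker who exhausts the search space and finds the password halfway through on average, and whatever guess rate you plug in. The rates in the sample run are made up, not measurements.

```python
"""Expiry-vs-cracking arithmetic for the 90-day argument (added illustration).

Assumptions, not facts from the post: LM_CHARSET and NT_CHARSET sizes below,
an attacker who searches the whole space and succeeds halfway through on
average, and a guess rate supplied by the caller.
"""

SECONDS_PER_DAY = 86_400
LM_CHARSET = 69   # assumption: uppercase letters, digits and symbols
NT_CHARSET = 95   # assumption: full printable ASCII


def lm_guess_count(length):
    """Worst-case guesses to recover the LM hash of a password of this length.

    LM uppercases the password, pads it to 14 bytes and hashes each 7-byte
    half separately, so the halves are recovered independently: the cost is
    at most 69**7 + 69**7, never 69**14. With 7 or fewer characters the
    second half is a constant (the hash of all-null padding) and costs
    nothing. Windows stores no LM hash at all for passwords longer than 14
    characters, which is reported as None.
    """
    if length > 14:
        return None
    first_half = min(length, 7)
    second_half = max(length - 7, 0)
    guesses = LM_CHARSET ** first_half
    if second_half:
        guesses += LM_CHARSET ** second_half
    return guesses


def nt_guess_count(length):
    """Worst-case guesses to exhaust the NT-hash space for this length."""
    return NT_CHARSET ** length


def days_to_crack(guesses, guesses_per_second):
    """Expected days to find the password: half the space on average."""
    return guesses / 2 / guesses_per_second / SECONDS_PER_DAY


def survives_expiry(guesses, guesses_per_second, expiry_days=90):
    """True if the expected crack time outlasts the expiry period."""
    return days_to_crack(guesses, guesses_per_second) > expiry_days


def min_nt_length(guesses_per_second, expiry_days=90):
    """Shortest NT-hashed password that outlives the expiry at this rate."""
    length = 1
    while not survives_expiry(nt_guess_count(length), guesses_per_second, expiry_days):
        length += 1
    return length


def report(length, guesses_per_second, expiry_days=90):
    """One line per hash type saying whether a password of this length holds."""
    rows = []
    lm = lm_guess_count(length)
    if lm is None:
        rows.append(f"LM  {length:>2} chars: no LM hash stored (longer than 14)")
    else:
        verdict = "survives" if survives_expiry(lm, guesses_per_second, expiry_days) else "FALLS"
        rows.append(f"LM  {length:>2} chars: {days_to_crack(lm, guesses_per_second):14.1f} days -> {verdict}")
    nt = nt_guess_count(length)
    verdict = "survives" if survives_expiry(nt, guesses_per_second, expiry_days) else "FALLS"
    rows.append(f"NT  {length:>2} chars: {days_to_crack(nt, guesses_per_second):14.1f} days -> {verdict}")
    return rows


if __name__ == "__main__":
    rate = 100_000_000  # assumption: 1e8 guesses/s against an unsalted hash
    for n in (7, 10, 14, 15):
        for row in report(n, rate):
            print(row)
    print(f"shortest NT password that outlives 90 days at {rate:,}/s: {min_nt_length(rate)}")
```

The LM rows are the point: even a 14-character password with an LM hash behind it is two 7-character problems, and at the made-up rate above it falls in under a day, while the same 14 characters as an NT hash are out of reach. Run it with whatever rate you think your attacker has and `min_nt_length` tells you the length your 90-day policy is actually buying.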
I'll be the first to admit that while I DO write passwords down... I DO NOT use enough of them in the various places that I use passwords, and I use way too many variations of the same theme. Then there are some sites that I just don't go into enough to memorize them after a time, and if I don't write it down, I'll be resetting it. Well, hopefully I'll be resetting it... there are some websites that merely EMAIL you your password if you forget it. Oh, that's nice, isn't it? Clear text... emailing me my password?
I did a presentation with a fellow geeky CPA the other week to several groups of high school students on the topic of Financial Literacy, aka credit card use, budgeting, etc., and one of the last points I made before the class period was over was to warn them, urge them, that as they go through life, knowing they would probably set up many online accounts and passwords, to choose them wisely. I tried to trick them into giving me their ATM PINs but none of them would fall for the bait [good for them!]. Think about it. At any time have any of us truly gotten a class in passwords? Training? Anything other than maybe the written password policy part of the computer security section of the Employee Acceptable Use policy? And when's the last time a geek or near-geek truly READ a document? Yet look how important they are! [And yes, 18-year-olds did indeed have ATM cards and PINs]
Want to know lots more about passwords, and all sorts of cool stuff about the 'onion layers' of defense in depth? Any day now the Dr. Jesper Johansson and Steve Riley book, Protect Your Windows Network: From Perimeter to Data, will be out with tons more information. And oooh cool, it's even going to have tools:
- A password generator. Passgen is an enterprise-class, command-line password manager. We discuss it more in Chapter 11, "Passwords and Other Authentication Mechanisms—The Last Line of Defense," and Chapter 8, "Security Dependencies." Also look at the readme for more information.
I think passwords are one of the biggest business security issues because they're the one item that is so intertwined with the end user. It's part of that hard 'end user upgrade' that we admins have to deal with.
At my friends' house the other day, the wife got a Microsoft biometric keyboard, and when I proceeded to indicate that the keyboard could be bypassed with gummy bears... well, let me put it this way: after the gleam in the eye of the 10-year-old in the house, I had to promise him his own keyboard and promise Mom that he wouldn't try it on hers and get it all sticky.
Passwords. So valuable if they are secret, so worthless once they are known.