[unisog] Password policies

Micheal Cottingham micheal.cottingham at sv.vccs.edu
Thu Apr 20 17:32:03 GMT 2006


I might as well reply ... hehe. Here we have requirements for at least 8
characters (at least one capital, special, and number) and users have to
change their passwords every 45 days. We at one point attempted to set
the history, but users were not happy about that at all so we had to
turn it off. We also set it so they have to type in their username each
time. Don't want to make it too easy for the attacker.

With regards to Schneier's comments about writing down passwords, I have
to disagree. While I agree some of his arguments are convincing, the
problem I've seen is that it doesn't take much for someone to put the
paper in an obvious place, like on a sticky on their monitor. It takes
only a cursory glance and you've been owned. It takes me about 30
seconds to find someone's password if they've written it down. Under
their keyboard, on their monitor, in their top drawer of their desk, on
their keyboard, in their un-password protected Palm Pilot sitting in the
open on their desk. In that time, someone could grab the password and be
in and out before someone notices.

As for password lockouts, we had the nasty problem some time ago with
null sessions and attackers hitting us night and day. It didn't DoS the
servers, but rather the staff here. Eventually we wised up and got a
freebie that'd unlock all of the accounts in one go. Kinda defeats the
purpose of having lockouts, doesn't it?

Passwords are only half the puzzle. If you can figure out the username,
you are half-way there. Keyboard loggers, rainbow tables, etc. will of
course get you a username (or you'll already have one), but if you are
sitting there from the outside bruteforcing the passwords, you are
probably bruteforcing the usernames too. After all, usernames aren't as
simple as <firstname>, are they?

Micheal
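
The lockout trade-off described above, as an added example that is not part of the original post or of any unisog software: a small Python model that contrasts a hard lockout (account stays locked until an administrator unlocks it, the situation Micheal describes being "DoS'd" by) with a lockout that expires on its own. The account names, passwords, thresholds and the overnight guessing trace are constructed for illustration; no real directory or authentication backend is involved, and the plaintext passwords exist only to keep the toy model short.

```python
"""Added example, not from the original post: two lockout policies under a
username-spray brute force.  All names, secrets and timings are constructed."""
import math
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    password: str              # plaintext only because this is a toy model
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; math.inf = locked until an admin unlocks


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5                 # consecutive failures before the account locks
    lockout_seconds: float = math.inf  # inf = hard lock (needs an admin); else auto-expires


class Authenticator:
    def __init__(self, policy: LockoutPolicy, accounts: list[Account]) -> None:
        self.policy = policy
        self.accounts = {a.name: a for a in accounts}

    def is_locked(self, acct: Account, now: float) -> bool:
        return now < acct.locked_until

    def login(self, user: str, password: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            # Same answer as a wrong password, so an outsider guessing
            # usernames learns nothing from the response.
            return "bad_credentials"
        if self.is_locked(acct, now):
            return "locked"
        if acct.locked_until and now >= acct.locked_until:
            # A timed lock has expired: start with a fresh failure counter.
            acct.failures = 0
            acct.locked_until = 0.0
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= self.policy.threshold:
                acct.locked_until = now + self.policy.lockout_seconds
            return "bad_credentials"
        acct.failures = 0
        return "ok"

    def locked_accounts(self, now: float) -> list[str]:
        return sorted(n for n, a in self.accounts.items() if self.is_locked(a, now))

    def admin_unlock_all(self) -> None:
        # The "freebie that unlocks all accounts in one go" from the post.
        for a in self.accounts.values():
            a.failures = 0
            a.locked_until = 0.0


def simulate(policy: LockoutPolicy) -> dict[str, list[str]]:
    """Overnight spray against harvested usernames, then staff log in next morning."""
    users = ["alice", "bob", "carol"]  # constructed; think of names pulled via a null session
    auth = Authenticator(policy, [Account(u, f"{u}-Secret#1") for u in users])
    t0 = 0.0
    for i in range(20):                # 20 wrong guesses per username, one per second
        for u in users:
            auth.login(u, f"guess{i}", t0 + i)
    results = {"during_attack": auth.locked_accounts(t0 + 20)}
    morning = t0 + 3600                # staff arrive an hour later with real passwords
    results["morning_logins"] = [auth.login(u, f"{u}-Secret#1", morning) for u in users]
    auth.admin_unlock_all()
    results["after_unlock"] = [auth.login(u, f"{u}-Secret#1", morning) for u in users]
    return results


if __name__ == "__main__":
    print("hard lock :", simulate(LockoutPolicy()))
    print("15-min lock:", simulate(LockoutPolicy(lockout_seconds=900)))
```

Under the hard lock every sprayed account is still locked when its owner arrives, and only the mass unlock gets them in, which is the outcome the post complains about; under the timed lock the same spray still locks the accounts during the attack, but they recover on their own before the staff notice.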
