Password Expiration/Change Policy 2021



  • More on the interesting topic of Passwords here (please copy link to your browser) … hmmm - I do have a weakness for chocolate 😉 :)
    http://sunbeltblog.blogspot.com/2008/04/people-still-give-passwords-for.html
    A survey by Infosecurity Europe of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.
    This year’s survey results were significantly better than previous years. In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year it had dropped to just 21%, so at last the message is getting through to be more infosecurity savvy.
    Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.).



  • I’ve read this thread and saw very good input. I haven’t seen anyone mention anything about account lockout to prevent brute force. Any thoughts or comments on this?
    For Active Directory, I am curious to know what the best practice is for the duration of lockout. Plus, I would think you would also want to implement a complementary or secondary control to ensure the violator won’t wait after X time and then try again…?
    I look forward to hearing all of your feedback. Thanks in advance.



  • Hi - The following 5/5/5 approach is what I might suggest as minimum criteria:
    Account lockout duration = 5 minutes
    Account lockout threshold = 5 invalid logon attempts
    Reset account lockout counter after = 5 minutes
    While 30 minutes might improve security, the 5-minute approach will defeat the machine-based challenges.
    I like lowering the # of invalid login password guesses from 10 to 5, as that provides a higher level of security. Most folks either know their password or not. After 5 or 6 tries, they need to call the help desk anyway and get reset using the proper procedures.
    The 5 minute duration also gives them a quicker chance to retry in case like a light bulb something clicks and they remember what their password should be :idea:
    Please copy these external links to your browser
    http://www.google.com/search?hl=en&q=brute force password lockout controls
    http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
    From the Windows Security link above
    Low Security
    Account lockout duration = Not Defined
    Account lockout threshold = 0 (no lockout)
    Reset account lockout counter after = Not Defined
    Medium Security
    Account lockout duration = 30 minutes
    Account lockout threshold = 10 invalid logon attempts
    Reset account lockout counter after = 30 minutes
    High Security
    Account lockout duration = 0 (an administrator must unlock the account)
    Account lockout threshold = 10 invalid logon attempts
    Reset account lockout counter after = 30 minutes
    SUGGESTION: As one idea to consider, I would advise looking at 2-factor solutions over passwords for much improved security. We went the SecurID approach for VPN access (you must have the token where passwords change every minute, plus your PIN# to get in). It’s costly, tough to set up, and you have to deal with ‘I lost my security token’ issues. Still, it’s far more secure than passwords alone and the only thing users can forget is their PIN# (so you don’t have as many help desk calls).
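A small Python model of how the three lockout settings in the post above interact, added here as an illustration; it is not the poster's code and not how Windows itself keeps the counters (that happens on the domain controllers). It replays constructed bad-password events against the 5/5/5 and "Medium Security" settings so you can see when an account locks, when the counter resets, and when it unlocks again.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int    # Account lockout threshold (0 = accounts never lock)
    duration: int     # Account lockout duration in seconds (0 = admin must unlock)
    reset_after: int  # Reset account lockout counter after, in seconds
FIVE_FIVE_FIVE = LockoutPolicy(threshold=5, duration=300, reset_after=300)  # the 5/5/5 post
MEDIUM = LockoutPolicy(threshold=10, duration=1800, reset_after=1800)      # "Medium Security"
def policy_is_valid(p: LockoutPolicy) -> bool:
    """Windows rejects a reset window longer than a finite lockout duration."""
    return p.threshold == 0 or p.duration == 0 or p.reset_after <= p.duration
@dataclass
class Account:
    bad_count: int = 0                 # bad-password count inside the window
    last_bad: Optional[float] = None   # time of the most recent bad password
    locked_at: Optional[float] = None  # set while the account is locked out

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts = {}  # user name -> Account (constructed in-memory state)

    def is_locked(self, user: str, now: float) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.locked_at is None:
            return False
        if self.policy.duration and now - acct.locked_at >= self.policy.duration:
            acct.locked_at, acct.bad_count = None, 0  # duration elapsed: auto-unlock
            return False
        return True  # duration 0: locked until an administrator unlocks it

    def failed_logon(self, user: str, now: float) -> bool:
        """Record one bad password at time `now`; return True if the account is locked."""
        if self.is_locked(user, now):
            return True
        if self.policy.threshold == 0:
            return False  # lockout disabled ("Low Security" in the post)
        acct = self.accounts.setdefault(user, Account())
        if acct.last_bad is not None and now - acct.last_bad >= self.policy.reset_after:
            acct.bad_count = 0  # observation window expired: counter resets
        acct.bad_count, acct.last_bad = acct.bad_count + 1, now
        if acct.bad_count >= self.policy.threshold:
            acct.locked_at = now
        return acct.locked_at is not None

def replay(policy: LockoutPolicy, events):
    """Feed constructed (user, seconds) bad-password events; return a locked flag per event."""
    tracker = LockoutTracker(policy)
    return [tracker.failed_logon(u, t) for u, t in events]
```

Note that an attempt made while the account is already locked does not touch the counter, so under 5/5/5 the first attempt after the 5-minute duration starts a fresh count of one.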

