Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 05 Nov 1999 09:40:30 -0600

At 06:19 AM 11/3/99 -0800, Jim Raykowski wrote:

> Just got a strange request from the boss about password checking.
> ... He said that he read an article about a piece of software, that
> runs on NT, that automatically checks passwords every so often or
> however often you schedule it.

Checks passwords for what? Vulnerability to dictionary attacks (i.e. use of
memorable words instead of textual gibberish)?

In my experience, if you force people to use complicated, hard-to-remember
passwords, and you force them to change them often, then a nonzero
percentage will start writing their passwords down. Given that, you should
modify user security policies and procedures to identify relatively safe
ways of writing the passwords down.

So you have to decide whether the bigger risk is an attack by someone with
a password cracker or theft of a piece of paper with someone's password.

If you really, really want to have hard-to-crack passwords and you want to
avoid having them in writing, then leave passwords in place for a year or
more at a time. That gives people a chance to memorize them. Once
memorized, the pieces of paper will start to disappear, reducing the risk
of one being found.


Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/
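The "proactive" check the thread is asking about is, in practice, a test applied when a user picks a password: reject anything that a dictionary attack with trivial mutations would recover. The following is an added illustration of that check and is not code from the post, from Rick Smith, or from the NT product mentioned; the wordlist is a constructed stand-in for a real dictionary, and the minimum length and class count are assumed policy values.

```python
import re

# Constructed sample dictionary; a real checker would load a large wordlist.
WORDLIST = {"password", "welcome", "dragon", "letmein", "summer", "firewall"}

# Common substitutions an attacker's ruleset undoes ("P@ssw0rd" -> "password").
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary word it was probably built from.

    Lower-cases, strips leading/trailing digits and punctuation
    (e.g. "Summer99!" -> "summer"), then undoes leet substitutions.
    Stripping happens before translation so that a numeric suffix such as
    "2019" is not turned into letters and kept as part of the word.
    """
    s = candidate.lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # trailing digits / symbols
    s = re.sub(r"^[\d\W_]+", "", s)   # leading digits / symbols
    return s.translate(LEET_MAP)


def check_password(candidate: str, wordlist=WORDLIST,
                   min_length: int = 10, min_classes: int = 3) -> list:
    """Return the list of reasons a candidate is rejected.

    An empty list means the candidate passed every proactive check.
    """
    reasons = []

    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    base = normalize(candidate)
    if base in wordlist:
        reasons.append(f"dictionary word '{base}' with trivial mutations")
    if base and base[::-1] in wordlist:
        reasons.append("reversed dictionary word")

    # Count distinct character classes actually present in the candidate.
    classes = sum(
        bool(re.search(pattern, candidate))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < min_classes:
        reasons.append(f"fewer than {min_classes} character classes")

    return reasons


if __name__ == "__main__":
    # Constructed candidates; none are real credentials.
    for pw in ("welcome", "Dr4gon2019!", "Drowssap99!", "correct-Horse7battery"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalization step is what separates a useful checker from a naive one: without it, "Dr4gon2019!" satisfies a length-and-character-class policy while still being a dictionary word plus a mutation rule, which is exactly the class of password a scheduled cracking run would turn up.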
