funsec mailing list archives
Windows 7 (Pro) password aging security policy
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Fri, 2 Sep 2011 10:47:33 -0800
Today when I signed on I got a bit of a shock. The computer warned me that my password was going to expire in 5 days, and I should probably consider changing it. It was a shock because this is *my* computer, and I go along with current password aging thinking, which is that a) we can't figure out who first figured that password aging was all that hot an idea, and b) if it ever *was* a good idea, in the modern computing environment, password aging is a non-starter. Given that passwords should probably exceed 20 characters, and likely should be somewhat complex, trying to get people to choose a good one more than once every few years (when rainbow tables have been extended) is likely more security compromising than enhancing.

So, I went looking. Having dealt with security for a number of years, it wasn't too hard for me to figure out that I *didn't* want the control panel (since I hadn't seen anything along that line while I was modifying other settings), and that I likely wanted "Administrative Tools," and under that "Local Security Policy." I had to read through all the options to determine that I probably wanted "Account Policies," but, under that, it was obvious I wanted "Password Policy," and, once there, "Maximum password age" stood out. With no particular options or actions I went back to the menu bar until I found that "Action" had a "Properties" function, bringing up a dialogue box with an entry box with a number in it. I figured that setting it to zero might turn off password aging, but I didn't want to do anything that might require me to set a new password every time I signed on, so, when I saw that one of the tabs was "Explain," I chose that.

(Allow me to digress for just a second here, and note that I suspect that the average home or small office user would not have found it easy to find this setting, and thus would have been stuck with the default. And all that that implies.)
The explanation did confirm that setting the number of days to zero does mean the passwords never expire. But it also told me that "It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources."

Microsoft, you've got to be kidding. If an attacker has enough access to your system in order to start cracking your passwords, then they'll almost certainly succeed within a few days. Unless you've chosen a really, really good password, in which case it might be some years. So 30 to 90 days makes very little sense. (And, if you're really serious about the maximum of 90 days, how come the entry box allows up to 999?)

But then, right down at the bottom, it tells me that "Default: 42." Oh, sorry, Microsoft. Obviously you *are* kidding. *Nobody* could take that seriously as a default. (But then, why *is* that the default, and why is it enabled by default? ...)

======================
(quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
If I were two-faced, would I be wearing this one? - Abraham Lincoln
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
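The setting Rob reaches through Administrative Tools > Local Security Policy > Account Policies > Password Policy can also be read and changed from a script, which is handy for auditing a fleet of standalone machines for the 42-day default. The following is an added example, not code from the original post: it exports the local policy with secedit, parses the [System Access] section for "Maximum password age" (stored as -1 in the template where the GUI shows 0, "password never expires"), and gives the one-line equivalent of setting it to 0. It assumes an elevated PowerShell session on a machine that is not domain-joined (on a domain member the domain policy overrides this value); the export path is a constructed placeholder.

```powershell
# Added example (not from Rob's post): scripted check of the local
# "Maximum password age" value and the equivalent of setting it to 0.
# Assumptions: elevated PowerShell, standalone (non-domain) Windows,
# export path is a constructed placeholder.

function Get-LocalPasswordAgePolicy {
    # secedit writes the effective local policy as an INI-style security template.
    $exportPath = Join-Path $env:TEMP 'local-secpol-export.inf'
    secedit /export /cfg $exportPath /areas SECURITYPOLICY /quiet | Out-Null

    # Collect key = value pairs from the [System Access] section only.
    $settings = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content -Path $exportPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSystemAccess -and $line -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $exportPath -ErrorAction SilentlyContinue

    # In the template, -1 is what the GUI displays as 0 (passwords never expire).
    $maxAge = [int]$settings['MaximumPasswordAge']

    [pscustomobject]@{
        MaximumPasswordAgeDays = $maxAge
        PasswordsNeverExpire   = ($maxAge -le 0)
        MinimumPasswordLength  = [int]$settings['MinimumPasswordLength']
        ComplexityRequired     = ($settings['PasswordComplexity'] -eq '1')
    }
}

function Disable-LocalPasswordAging {
    # Same effect as entering 0 for "Maximum password age" in secpol.msc.
    net accounts /maxpwage:unlimited | Out-Null
}

# Report the current state; on a fresh Windows 7 install this shows the
# 42-day default that the post complains about.
$policy = Get-LocalPasswordAgePolicy
Write-Host ("Maximum password age: {0} days (never expires: {1}); minimum length: {2}; complexity: {3}" -f
    $policy.MaximumPasswordAgeDays, $policy.PasswordsNeverExpire,
    $policy.MinimumPasswordLength, $policy.ComplexityRequired)

# Disable-LocalPasswordAging   # uncomment to apply the change
```

Running the report alone is read-only, so it is safe to use as an audit step before deciding whether to change anything; `net accounts` with no arguments prints the same values in a human-readable form if you only need a quick look.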