funsec mailing list archives

Windows 7 (Pro) password aging security policy


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Fri, 2 Sep 2011 10:47:33 -0800

Today when I signed on I got a bit of a shock.  The computer warned me that my 
password was going to expire in 5 days, and I should probably consider changing it.

It was a shock because this is *my* computer, and I go along with current 
password aging thinking, which is that a) we can't figure out who first figured that 
password aging was all that hot an idea, and b) if it ever *was* a good idea, in the 
modern computing environment, password aging is a non-starter.  Given that 
passwords should probably exceed 20 characters, and likely should be somewhat 
complex, trying to get people to choose a good one more than once every few 
years (when rainbow tables have been extended) is likely more security 
compromising than enhancing.

So, I went looking.  Having dealt with security for a number of years, it wasn't too 
hard for me to figure out that I *didn't* want the control panel (since I hadn't 
seen anything along that line while I was modifying other settings), and that I 
likely wanted "Administrative Tools," and under that "Local Security Policy."  I 
had to read through all the options to determine that I probably wanted "Account 
Policies," but, under that, it was obvious I wanted "Password Policy," and, once 
there, "Maximum password age" stood out.  With no particular options or actions 
I went back to the menu bar until I found that "Action" had a "Properties" 
function, bringing up a dialogue box with an entry box with a number in it.  I 
figured that setting it to zero might turn off password aging, but I didn't want to do 
anything that might require me to set a new password every time I signed on, so, 
when I saw that one of the tabs was "Explain," I chose that.

(Allow me to digress for just a second here, and note that I suspect that the 
average home or small office user would not have found it easy to find this setting, 
and thus would have been stuck with the default.  And all that that implies.)

The explanation did confirm that setting the number of days to zero does mean 
the passwords never expire.  But it also told me that "It is a security best practice 
to have passwords expire every 30 to 90 days, depending on your environment. 
This way, an attacker has a limited amount of time in which to crack a user's 
password and have access to your network resources."

Microsoft, you've got to be kidding.  If an attacker has enough access to your 
system in order to start cracking your passwords, then they'll almost certainly 
succeed within a few days.  Unless you've chosen a really, really good password, in 
which case it might be some years.  So 30 to 90 days makes very little sense.  
(And, if you're really serious about the maximum of 90 days, how come the entry 
box allows up to 999?)

But then, right down at the bottom, it tells me that "Default: 42."

Oh, sorry, Microsoft.  Obviously you *are* kidding.  *Nobody* could take that 
seriously as a default.

(But then, why *is* that the default, and why is it enabled by default? ...)

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
If I were two-faced, would I be wearing this one?  - Abraham Lincoln
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
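The setting the post walks through in the Local Security Policy snap-in (Account Policies > Password Policy > Maximum password age) can be audited from the command line instead of clicked through, which is useful when you want to check the default on several machines rather than hunt for the dialog. The following PowerShell script is an added example, not code from the original post or its author: it exports the local security policy with `secedit`, reads the password-policy values from the `[System Access]` section, and reports whether aging is in effect. The temporary file path and the list of keys it parses are the example's own choices; it assumes an elevated prompt on Windows 7 or later.

```powershell
# Added example (not from the original post): audit the local Password Policy
# without opening secpol.msc. secedit reads the same policy store the GUI edits.
# Assumes an elevated PowerShell prompt on Windows 7 or later.

$cfg = Join-Path $env:TEMP 'localpolicy-audit.inf'   # temp path chosen for this example

# secedit /export writes an INF whose [System Access] section holds lines such as
#   MaximumPasswordAge = 42        (days; -1 here is what the GUI shows as 0 = never expire)
#   MinimumPasswordLength = 0
#   PasswordComplexity = 0
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

$keys = 'MaximumPasswordAge', 'MinimumPasswordAge', 'MinimumPasswordLength',
        'PasswordComplexity', 'PasswordHistorySize'

$policy = @{}
Get-Content -Path $cfg | ForEach-Object {
    # Lines look like "Name = value"; keep only the password-policy keys we care about.
    if ($_ -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$' -and $keys -contains $matches[1]) {
        $policy[$matches[1]] = [int]$matches[2]
    }
}

# Show the raw values so the reader can compare them with the Explain tab's defaults.
$policy.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

if ($policy.ContainsKey('MaximumPasswordAge') -and $policy['MaximumPasswordAge'] -eq -1) {
    Write-Host 'Password aging is OFF: Maximum password age is 0 (never expire) in secpol.msc.'
} elseif ($policy.ContainsKey('MaximumPasswordAge')) {
    Write-Host ("Password aging is ON: passwords expire every {0} days (Windows default is 42)." `
        -f $policy['MaximumPasswordAge'])
} else {
    Write-Warning 'MaximumPasswordAge not found in the export; run from an elevated prompt.'
}

Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

The same value is visible without parsing anything via `net accounts`, which prints "Maximum password age (days)" among the local account settings, and `net accounts /maxpwage:unlimited` is the command-line equivalent of entering 0 in the dialog the post describes (the numeric form accepts 1 to 999 days, matching the range the entry box allows).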
