nanog mailing list archives

Re: AD and enforced password policies

From: Greg Ihnen <os10rules () gmail com>
Date: Tue, 3 Jan 2012 08:39:19 -0430


On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:

Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch 
(blake () pfankuch me):

However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented 
network.


If you force me to change a password every three months, I'm going
to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
you lose.

Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
and we're all doomed, or they will be lucky and guess. None of these
attack modes will be mitigated by the 3-month scheme; success/fail as
seen by the bad guys will be a lot quicker than three months. If they
do not get lucky with john or rainbow tables, they'll move on.

(Some scenarios still are affected by this, of course, but there is a
lot to be done to stop bad things from happening like not getting your
hashes stolen etc. On-line repeated login failures aren't going to work
because you'll detect that, right? )

Either way, expiring often is the first and most effective step at making
the lusers hate you and will only bring the Post-It(tm) makers happy.

If your password crypto is NSA KW-26 or similar, OTOH, just
don the Navy blues and start swapping punchcards at 0000 ZULU.
      (http://en.wikipedia.org/wiki/File:Kw-26.jpg)

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!



A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course 
fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at 
fuzzykittens? All those passwords.  I use and recommend and use a popular password manager, so I can have unique strong 
passwords without making a religion out of it.

Greg

Current thread:

AD and enforced password policies Jones, Barry (Jan 02)
- Re: AD and enforced password policies Robert Luethje (Jan 02)
- Re: AD and enforced password policies Jimmy Hess (Jan 02)
  - RE: AD and enforced password policies Blake T. Pfankuch (Jan 02)
    - Re: AD and enforced password policies Måns Nilsson (Jan 03)
    - Re: AD and enforced password policies Greg Ihnen (Jan 03)
    - Re: AD and enforced password policies Todd Underwood (Jan 03)
    - Re: AD and enforced password policies Michael Thomas (Jan 03)
    - Re: AD and enforced password policies Måns Nilsson (Jan 03)
    - Re: AD and enforced password policies Tim Franklin (Jan 03)
    - Re: AD and enforced password policies Måns Nilsson (Jan 04)
    - Re: AD and enforced password policies Randy Bush (Jan 03)
    - Re: AD and enforced password policies Todd Underwood (Jan 03)
    - Re: AD and enforced password policies Steven Bellovin (Jan 03)
    - RE: AD and enforced password policies Jones, Barry (Jan 05)
    - Re: AD and enforced password policies Gary Buhrmaster (Jan 03)

(Thread continues...)