Password Complexity, Good or bad?
-
What about domain admins or certain accounts with ridiculous privileges/data access? What about some with 2 factor, others without.
-
@Breffni-Potter said:
What about domain admins or certain accounts with ridiculous privileges/data access? What about some with 2 factor, others without.
You cannot generalize password policy that way in Windows. So for privileged accounts, you simply hace to have internal policies in place stating that those accounts require XXX. That or you force everyone and get horrible push back from end users.
-
Option A is definitely not secure and if I was auditing this would be a huge red flag. The two biggest enemies of password security are forced complexity and rapid changes. Humans can't remember complex passwords in general and the more often they change the worse it gets. That policy could be read as "make the simplest to guess password possible and increment it by one digit every thirty days and put it on a sticky note too, please."
Option A is very bad.
-
Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords. But to a human, one is trivial to remember and one gets a bit harder. You want length, not complexity, because length is "complexity to the computer" and not to a human. The goal is not to cripple the humans and force them to use the shortest, easiest to crack passwords possible but to stop a computer from guessing or brute forcing its way in.
So Option A if you goal is to break your users and get them to start writing down passwords.
Option B if you want to secure the computer systems.
Honestly, even 180 days I would not do. Still frequent enough to encourage too easy to guess passwords.
-
@scottalanmiller said:
Option A is definitely not secure and if I was auditing this would be a huge red flag. The two biggest enemies of password security are forced complexity and rapid changes. Humans can't remember complex passwords in general and the more often they change the worse it gets. That policy could be read as "make the simplest to guess password possible and increment it by one digit every thirty days and put it on a sticky note too, please."
Option A is very bad.
This times 1000+
-
@scottalanmiller said:
Honestly, even 180 days I would not do. Still frequent enough to encourage too easy to guess passwords.
And again I agree - yearly at best.
Personally 12+ (I'd really rather it be 16) change once a year or greater.
turn on account lockout after 5-10 bad attempts
auto reset account lockout attempts after 15min - 1 hour
If you can get 2FA - WOW awesome, but really probably not needed.Logs - Logs - Logs watch your logs, setup alerts when someone locks themselves out, so you are aware and can look into why it happened.
I had a rather large go around with management here about a year ago over this. I used to be on the other side of the fence. I still wanted long passwords, but I thought changing every 6 months (or more) was important. In the end that puts to much stress on the users, and stress causes them to do anything in their power to work around your security.
So I change my tune (and opinion) to be one of IT's job to watch the logs for breach attempts instead of having the users change more frequently. -
With Option A I would question the motivations of the company that put this in place. This is such a basic and fundamental anti-security practice that it is tantamount to social engineering and having engineered an intentionally insecure environment.
I'm not saying that the action is necessarily malicious, but it is a degree of incompetence that I would say qualifies as professional negligence if it wasn't malicious. And, of course, putting oneself in a position of consulting on security practices if one is that incompetent would be a form of malice (willing to put others at risk for person gain.) They may not have wanted to put the customer at risk, but were willing to do so rather than admit that they didn't understand security basics. It's a very entry level mistake for an IT person who isn't in a position to make recommendations to make, for someone responsible for these kinds of recommendations it's a pretty big deal.
-
@scottalanmiller This has been a huge problem for me and dealing with PCI and HIPAA throughout the years. PCI-DSS has a "minimum" recommendation of crazy complexity and change every 3 months. PCI-DSS, the anti-security initiative.
-
@scottalanmiller said:
With Option A I would question the motivations of the company that put this in place. This is such a basic and fundamental anti-security practice that it is tantamount to social engineering and having engineered an intentionally insecure environment.
This is a load of crap. Things are specifically designed and setup that way because that is what people have been taught. No company with something like that implemented have done anything wrong as you are implying.
Is what they implemented a good solution? No. But that fault lies with the bad education on what security is.
Every single bad implementation that is out there is not some company trying to maliciously sabotage themselves as you always imply Scott.
-
@travisdh1 said:
@scottalanmiller This has been a huge problem for me and dealing with PCI and HIPAA throughout the years. PCI-DSS has a "minimum" recommendation of crazy complexity and change every 3 months. PCI-DSS, the anti-security initiative.
Yup, no one can tell me that PCI is about being secure. And PCI consultants are even worse. The entire PCI ecosystem is a scam. The idea is great... security matters. But in practice, when someone says PCI it means that their systems are exposed. The biggest exposure that I've been called in to deal with this year (granted it wasn't that bad) was caused by a PCI audit causing firewalls to be disabled and leaving a network wide open. The PCI people didn't open it, they didn't know how networking worked and documented it as closed and people believed them and didn't check and see the insanely obvious "open ports" going on.
Anyone with a Network+ would have known not only what to check but figured out where the PCI people were screwing up and not even doing a real audit, it was all faked.
-
@JaredBusch said:
@scottalanmiller said:
With Option A I would question the motivations of the company that put this in place. This is such a basic and fundamental anti-security practice that it is tantamount to social engineering and having engineered an intentionally insecure environment.
This is a load of crap. Things are specifically designed and setup that way because that is what people have been taught. No company with something like that implemented have done anything wrong as you are implying.
Even people being taught wrong have a responsibility to implement common sense and make sure that what they are being taught and, far more important, repeating and implementing is real. Real security people have been teaching that this is terribly insecure for a very long time.
Just because they were told it doesn't mean that they have no responsibility for being capable of doing the job they are paid to do.
-
@JaredBusch said:
Every single bad implementation that is out there is not some company trying to maliciously sabotage themselves as you always imply Scott.
But most are, which you soundly reject. You forget that malice includes being willing to not do a good job for personal gain. It doesn't mean that they hate the company and want to hurt them, just that protecting them as they are paid to do isn't taken seriously and risk is incurred from doing so.
-
The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.
- Basic IT or computer or mathematical knowledge would mean that teaching something wrong like this would not matter. It's obviously wrong.
- Learning security by rote is fundamentally wrong. If someone is trying to be an advisor and doesn't understand what they are doing, that's not good security. Even if they were taught wrong, it is their responsibility to understand the factors which would make this very obviously not secure.
- Not putting in the necessary care for which you are entrusted is called professional negligence and is a form of malice. It's just for personal gain - to get a paycheck for a job you are not qualified to do. But it is a real thing. When paid as a professional advisor you take on a responsibility - and if you can't do that job, admitting it is part of that. This isn't getting a time frame wrong or not being able to complete a product but putting a business at risk not through something missed but through an intentional action that is harmful (through risk.)
- Not taking care to choose good education and mentorships falls to the actioner as well. This is hard, but just trusting others who are not capable doesn't remove all culpability.
-
The big issue here is that this is security related, not ease of use or something like that. We assume that someone was paid to secure the company and instead of securing it, they actively made it less secure than it would have been by default. It's actually worse than if they had done nothing.
-
@scottalanmiller said:
The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
-
@JaredBusch said:
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
Perhaps that is true. But it is setting an insanely low bar for IT. What's the first thing you learn about security? Well, that's never run as the admin. And the second is to never share accounts. But this still very basic stuff. Maybe you can excuse a first time help desker with never thinking about or learning how computers work (maybe, I'd have to consider that) but for a security decision maker?
-
And yes, I realise that sadly the bar for what people consider IT is insanely low. And that's why I only said that we should consider motivations, not take legal action. If this was from a firm advertising its security expertise, I would definitely recommend legal action, at the very least to get all audit costs, mitigation costs and payments returned.
If it turns out that they were just hiring some high school kid to run their IT and provided no training and required no training and were not paying for any expertise, then it is, to some degree, excusable. Not a "ah this happens to everyone" level of excuse, but enough that they should just be required to take some basic computer and security training.
As we don't know who implemented this, we don't know the scope of the issue. But there is every chance that this was an MSP claiming that they knew what they were doing rather than someone's nephew trying to "help out" without proper basic security training.
-
@JaredBusch said:
@scottalanmiller said:
The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
Very sad that it's true.
Everyone repeat after me. The number one rule of doing encryption is, do no write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.
-
@travisdh1 said:
@JaredBusch said:
@scottalanmiller said:
The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
Very sad that it's true.
Everyone repeat after me. The number one rule of doing encryption is, do no write your own! Most security researchers I know say to trust the math and just use encryption libraries someone else has already written. That's how hard it is to get right.
But I got this thing free in a cereal box!
-
@scottalanmiller said:
@JaredBusch said:
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance ti understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
Perhaps that is true. But it is setting an insanely low bar for IT. What's the first thing you learn about security? Well, that's never run as the admin. And the second is to never share accounts. But this still very basic stuff. Maybe you can excuse a first time help desker with never thinking about or learning how computers work (maybe, I'd have to consider that) but for a security decision maker?
Well, are we talking about paid security decision maker or are we talking about typical IT? Granted there should be some basic knowledge - but you speak of first thing you learn? Don't run as admin - LOL I certainly didn't learn that first, or second or even top 100. This wasn't a concept to me until well after Windows 2000 came out.
I suppose if you grew up on the Linux or any Nix side of the house that might have been different - but hell, it's pretty easy to run as root if you just want to in a lot of cases.
I started in DOS, upgrade to Win3.x - Win9x, jumped over to Win NT 3.5, 3.51 and 4.0 (learned about admin and general security) but still - running as non admin wasn't done by me or anyone around me. When the company I worked for at the time deployed Windows 2000, that was the first real time it was a thing - not running as an admin.
So to that end - the idea that a smaller complex password is not as secure as a longer though visually more simple password is easy to see why many (including IT people) wouldn't innately pick this up. Toss in the fact that how you show that a longer though visually more simple password offers better protection involves math - Most people hate dealing with math, again IT people are no exception. Tons of IT people can't figure out Subnets, don't understand the use of Binary to find same networks, etc... so when you're talking about complexity and you bring math to explain why longer is better - their eyes just glaze over.
