Password Complexity, Good or bad?
-
https://community.spiceworks.com/topic/1519073-password-complexity-good-or-bad?
There are lots of different thoughts/opinions about this, I just want to get some feedback on what people think of the below possible options.
This is for Active Directory, specifically Windows logons.
Option A)
Password complexity enforced
Change every 30 days
3 out of 4 character types must be used
Minimum length of 7 characters
Password history tracked, cannot repeat same password
Two factor authentication (MAYBE)
Group Policies would ensure there is a minimum standard of complexity, but generally the passwords are harder to remember, e.g. $0mpanyna%e
Option B)
Password complexity not enforced
Minimum length of 12 or 16 characters, encourage pass-phrases rather than passwords.
Change every 180 days.
Cannot repeat same password
Two factor authentication (MAYBE)
A pass-phrase would be much easier to remember, they can keep it unique and it encourages security rather than arbitrary requirements that make it harder for humans, easier for computers. HorseBatteryStaple
I wish I could put a poll in here, the general question is with the pros & cons of the above, which is a better system for a company who wants better real world security.
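Added example, not part of the original post or its replies: the two options above expressed as Default Domain Password Policy settings via the ActiveDirectory PowerShell module, so the difference is visible as configuration rather than prose. The domain name corp.example, the history count of 24 and the one-day minimum age are assumptions; substitute your own values.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (RSAT) is installed and the domain is corp.example; both are assumptions.
Import-Module ActiveDirectory

$domain = 'corp.example'

# Read what is currently enforced before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Option A as posted: complexity on, 7-character minimum, rotate every 30 days.
# Kept here only so the two settings can be compared side by side.
$optionA = @{
    ComplexityEnabled    = $true
    MinPasswordLength    = 7
    MaxPasswordAge       = New-TimeSpan -Days 30
    PasswordHistoryCount = 24   # assumption: 24 is the maximum AD accepts
}

# Option B as posted: complexity off, 12-16 character minimum (16 used here),
# rotate every 180 days, no reuse of previous passwords.
$optionB = @{
    ComplexityEnabled    = $false
    MinPasswordLength    = 16
    MaxPasswordAge       = New-TimeSpan -Days 180
    MinPasswordAge       = New-TimeSpan -Days 1   # assumption: stops a user cycling through the history in one sitting to get back to an old password
    PasswordHistoryCount = 24
}

# -WhatIf shows the change without committing it; remove it to apply.
Set-ADDefaultDomainPasswordPolicy -Identity $domain @optionB -WhatIf

# Re-read to confirm the values actually in effect.
Get-ADDefaultDomainPasswordPolicy -Identity $domain
```

Whatever is set here applies to every account in the domain that is not covered by a more specific policy, which is why the read-back at the end matters: the Default Domain Policy GPO and the domain object must agree, and the cmdlet shows what is actually being enforced.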
-
If you're using 2FA, you could have a rather basic password reset policy, every 30 days non-reused password.
The other items are a moot point, sure they add to the complexity of the password, but it's still password memory that would have to be used.
I'd simplify it a bit 8-12 characters, mixed case, special characters, changed every 30-60 days, with 2FA.
-
12+ Characters, complexity not needed. 180+ day password cycle.
2FA is always nice, but I would never expect to get it going in a standard office environment.
-
What about domain admins or certain accounts with ridiculous privileges/data access? What about some with 2 factor, others without.
-
@Breffni-Potter said:
What about domain admins or certain accounts with ridiculous privileges/data access? What about some with 2 factor, others without.
You cannot generalize password policy that way in Windows. So for privileged accounts, you simply have to have internal policies in place stating that those accounts require XXX. That or you force everyone and get horrible push back from end users.
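Added example, not part of the thread: since the Windows Server 2008 domain functional level, Active Directory supports Fine-Grained Password Policies (Password Settings Objects), which bind a separate password and lockout policy to a user or global security group and take precedence over the default domain policy. This is the usual way to give Domain Admins a stricter setting than ordinary users without changing the policy for everyone. The policy name, values and target group below are assumptions.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module and
# Windows Server 2008 or later domain functional level. Name and values are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

# Stricter than the domain default: 20-character minimum, lockout after 5 bad
# attempts, 30-minute lockout. Precedence 10: when a user is covered by several
# PSOs the lowest precedence value wins.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $false `
    -MinPasswordLength 20 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Bind it to the built-in Domain Admins global group. PSOs can only target
# users and global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Check which policy a given privileged account actually resolves to; this
# returns the PSO, not the default domain policy, if the binding worked.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
```

The resultant-policy check is worth running for each privileged account: a user who is a member of Domain Admins only through a nested domain-local group will not pick up the PSO, and the default domain policy will silently apply instead.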
-
Option A is definitely not secure and if I was auditing this would be a huge red flag. The two biggest enemies of password security are forced complexity and rapid changes. Humans can't remember complex passwords in general and the more often they change the worse it gets. That policy could be read as "make the simplest to guess password possible and increment it by one digit every thirty days and put it on a sticky note too, please."
Option A is very bad.
-
Remember that password complexity is a myth. It's complex to a human but the computer cannot tell. p@55w0rd and password are exactly the same to a computer - they are both easily guessable eight character passwords. But to a human, one is trivial to remember and one gets a bit harder. You want length, not complexity, because length is "complexity to the computer" and not to a human. The goal is not to cripple the humans and force them to use the shortest, easiest to crack passwords possible but to stop a computer from guessing or brute forcing its way in.
So Option A if you goal is to break your users and get them to start writing down passwords.
Option B if you want to secure the computer systems.
Honestly, even 180 days I would not do. Still frequent enough to encourage too easy to guess passwords.
-
@scottalanmiller said:
Option A is definitely not secure and if I was auditing this would be a huge red flag. The two biggest enemies of password security are forced complexity and rapid changes. Humans can't remember complex passwords in general and the more often they change the worse it gets. That policy could be read as "make the simplest to guess password possible and increment it by one digit every thirty days and put it on a sticky note too, please."
Option A is very bad.
This times 1000+
-
@scottalanmiller said:
Honestly, even 180 days I would not do. Still frequent enough to encourage too easy to guess passwords.
And again I agree - yearly at best.
Personally 12+ (I'd really rather it be 16) change once a year or greater.
turn on account lockout after 5-10 bad attempts
auto reset account lockout attempts after 15min - 1 hour
If you can get 2FA - WOW awesome, but really probably not needed. Logs - Logs - Logs: watch your logs, set up alerts when someone locks themselves out, so you are aware and can look into why it happened.
I had a rather large go around with management here about a year ago over this. I used to be on the other side of the fence. I still wanted long passwords, but I thought changing every 6 months (or more) was important. In the end that puts too much stress on the users, and stress causes them to do anything in their power to work around your security.
So I changed my tune (and opinion) to be one of IT's job to watch the logs for breach attempts instead of having the users change more frequently.
-
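Added example, not part of the thread: the lockout alerting the post above describes depends on reading Security event ID 4740 ("A user account was locked out"), which is written on the domain controller that processed the lockout and carries both the locked account and the machine the bad attempts came from. The parser below works on the event's XML so the same code runs against live events and against the constructed sample record included here; the host names, account and SIDs in that sample are made up.

```powershell
# Added example (not from the thread). The sample event below is constructed;
# host names, account and SIDs are fictitious.

function ConvertFrom-LockoutEventXml {
    # Turn the XML of a 4740 event into a flat object suitable for grouping or alerting.
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time             = [datetime]$x.Event.System.TimeCreated.SystemTime
            LockedAccount    = $data['TargetUserName']
            # For 4740 the "Caller Computer Name" field is carried in TargetDomainName.
            CallerComputer   = $data['TargetDomainName']
            DomainController = $x.Event.System.Computer
        }
    }
}

function Get-RecentLockouts {
    # Live path: run on a domain controller (or against one with -ComputerName on
    # Get-WinEvent). Groups by account so a repeat offender, or a stale saved
    # credential on one workstation, stands out in the alert body.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-LockoutEventXml |
        Group-Object LockedAccount |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Callers'; e = { ($_.Group.CallerComputer | Select-Object -Unique) -join ', ' } }
}

# Constructed sample 4740 record, shaped like Get-WinEvent's ToXml() output.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2016-04-14T13:02:11.000000000Z" />
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WS-0421</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

# Offline check of the parser against the constructed record.
$sampleEvent | ConvertFrom-LockoutEventXml | Format-List

# On a domain controller, uncomment to see the last day of real lockouts:
# Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
```

To turn this into the alert the post asks for, attach the script to a Task Scheduler task triggered "On an event" for the Security log, event ID 4740, on each domain controller, and have it mail or post the output of Get-RecentLockouts; the CallerComputer column is what tells you whether the user mistyped at their own desk or something else is trying that account.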
With Option A I would question the motivations of the company that put this in place. This is such a basic and fundamental anti-security practice that it is tantamount to social engineering and having engineered an intentionally insecure environment.
I'm not saying that the action is necessarily malicious, but it is a degree of incompetence that I would say qualifies as professional negligence if it wasn't malicious. And, of course, putting oneself in a position of consulting on security practices if one is that incompetent would be a form of malice (willing to put others at risk for personal gain). They may not have wanted to put the customer at risk, but were willing to do so rather than admit that they didn't understand security basics. It's a very entry level mistake for an IT person who isn't in a position to make recommendations to make; for someone responsible for these kinds of recommendations it's a pretty big deal.
-
@scottalanmiller This has been a huge problem for me and dealing with PCI and HIPAA throughout the years. PCI-DSS has a "minimum" recommendation of crazy complexity and change every 3 months. PCI-DSS, the anti-security initiative.
-
@scottalanmiller said:
With Option A I would question the motivations of the company that put this in place. This is such a basic and fundamental anti-security practice that it is tantamount to social engineering and having engineered an intentionally insecure environment.
This is a load of crap. Things are specifically designed and set up that way because that is what people have been taught. No company with something like that implemented has done anything wrong as you are implying.
Is what they implemented a good solution? No. But that fault lies with the bad education on what security is.
Every single bad implementation that is out there is not some company trying to maliciously sabotage themselves as you always imply Scott.
-
@travisdh1 said:
@scottalanmiller This has been a huge problem for me and dealing with PCI and HIPAA throughout the years. PCI-DSS has a "minimum" recommendation of crazy complexity and change every 3 months. PCI-DSS, the anti-security initiative.
Yup, no one can tell me that PCI is about being secure. And PCI consultants are even worse. The entire PCI ecosystem is a scam. The idea is great... security matters. But in practice, when someone says PCI it means that their systems are exposed. The biggest exposure that I've been called in to deal with this year (granted it wasn't that bad) was caused by a PCI audit causing firewalls to be disabled and leaving a network wide open. The PCI people didn't open it; they didn't know how networking worked and documented it as closed, and people believed them and didn't check and see the insanely obvious "open ports" going on.
Anyone with a Network+ would have known not only what to check but figured out where the PCI people were screwing up and not even doing a real audit, it was all faked.
-
@JaredBusch said:
@scottalanmiller said:
With Option A I would question the motivations of the company that put this in place. This is such a basic and fundamental anti-security practice that it is tantamount to social engineering and having engineered an intentionally insecure environment.
This is a load of crap. Things are specifically designed and set up that way because that is what people have been taught. No company with something like that implemented has done anything wrong as you are implying.
Even people being taught wrong have a responsibility to implement common sense and make sure that what they are being taught and, far more important, repeating and implementing is real. Real security people have been teaching that this is terribly insecure for a very long time.
Just because they were told it doesn't mean that they have no responsibility for being capable of doing the job they are paid to do.
-
@JaredBusch said:
Every single bad implementation that is out there is not some company trying to maliciously sabotage themselves as you always imply Scott.
But most are, which you soundly reject. You forget that malice includes being willing to not do a good job for personal gain. It doesn't mean that they hate the company and want to hurt them, just that protecting them as they are paid to do isn't taken seriously and risk is incurred from doing so.
-
The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.
- Basic IT or computer or mathematical knowledge would mean that teaching something wrong like this would not matter. It's obviously wrong.
- Learning security by rote is fundamentally wrong. If someone is trying to be an advisor and doesn't understand what they are doing, that's not good security. Even if they were taught wrong, it is their responsibility to understand the factors which would make this very obviously not secure.
- Not putting in the necessary care for which you are entrusted is called professional negligence and is a form of malice. It's just for personal gain - to get a paycheck for a job you are not qualified to do. But it is a real thing. When paid as a professional advisor you take on a responsibility - and if you can't do that job, admitting it is part of that. This isn't getting a time frame wrong or not being able to complete a product but putting a business at risk not through something missed but through an intentional action that is harmful (through risk.)
- Not taking care to choose good education and mentorships falls to the actioner as well. This is hard, but just trusting others who are not capable doesn't remove all culpability.
-
The big issue here is that this is security related, not ease of use or something like that. We assume that someone was paid to secure the company and instead of securing it, they actively made it less secure than it would have been by default. It's actually worse than if they had done nothing.
-
@scottalanmiller said:
The bottom line is that this is very basic knowledge. You can say that people are taught wrong, and I agree. But the levels of responsibility here are big.
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
-
@JaredBusch said:
It is most certainly not very basic knowledge. Most IT people do not even know how basic encryption works and have no chance to understand why a complex password is not better than a simple one.
Let alone getting into anyone outside of IT.
Perhaps that is true. But it is setting an insanely low bar for IT. What's the first thing you learn about security? Well, that's never run as the admin. And the second is to never share accounts. But this is still very basic stuff. Maybe you can excuse a first time help desker with never thinking about or learning how computers work (maybe, I'd have to consider that) but for a security decision maker?
-
And yes, I realise that sadly the bar for what people consider IT is insanely low. And that's why I only said that we should consider motivations, not take legal action. If this was from a firm advertising its security expertise, I would definitely recommend legal action, at the very least to get all audit costs, mitigation costs and payments returned.
If it turns out that they were just hiring some high school kid to run their IT and provided no training and required no training and were not paying for any expertise, then it is, to some degree, excusable. Not a "ah this happens to everyone" level of excuse, but enough that they should just be required to take some basic computer and security training.
As we don't know who implemented this, we don't know the scope of the issue. But there is every chance that this was an MSP claiming that they knew what they were doing rather than someone's nephew trying to "help out" without proper basic security training.