On Jan 3, 2012, at 8:09 19AM, Greg Ihnen wrote:
>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at
>> 11:15:08PM +0000 Quoting Blake T. Pfankuch (bl...@pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about
>>> the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going
>> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
>> and we're all doomed, or they will be lucky and guess. None of these
>> attack modes will be mitigated by the 3-month scheme; success/fail as
>> seen by the bad guys will be a lot quicker than three months. If they
>> do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting your
>> hashes stolen etc. On-line repeated login failures aren't going to work
>> because you'll detect that, right?)
>>
>> Either way, expiring often is the first and most effective step at making
>> the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just
>> don the Navy blues and start swapping punchcards at 0000 ZULU.
>> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> --
>> Måns Nilsson primary/secondary/besserwisser/machina
>> MN-1334-RIPE +46 705 989668
>> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as
> they do at bankofamerica.com. Of course fuzzykittens doesn't need high
> security for their password management and storage. After all, what's worth
> stealing at fuzzykittens? All those passwords. I use and recommend a
> popular password manager, so I can have unique strong passwords without
> making a religion out of it.
>

It's not a side issue; in my opinion it's a far more important issue in most situations. I do the same thing that you do for all but my most critical passwords.

--Steve Bellovin, https://www.cs.columbia.edu/~smb