Some password advice
No, not from me, but from the UK government.
GZ (thanks) sent through a link to this document: https://www.gov.uk/government/
The document is a little different from much of the advice handed out by other organisations, in that it is aimed at system administrators rather than end users. As for the actual advice to system administrators, it is nothing too revolutionary, but then we are dealing with passwords, and there isn't anything there that most of us wouldn't agree with. It does serve as a reminder that we should all be taking some care with passwords.
The 7 tips are:
- Change default passwords
- Help users deal with all their passwords
- Understand limitations of user generated passwords
- Understand limitations of machine generated passwords
- Prioritise Administrators and Remote user accounts
- Use account lockouts and protective monitoring
- Don't store passwords as plain text
None are earth-shattering, yet all of us know that pretty much every organisation has users with passwords such as Password123, Changeme, Welcome1 and, of course, the Ashley Madison user favourite 123456. Numbers 1 and 7 feature in most penetration testing reports you read or write.
So whilst these tips from the UK government aren't new or fantastic, I would encourage you to spend a few minutes reading the document and, on Monday, see how your organisation meets, exceeds or perhaps fails one or more of them.
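As an added illustration of tips 1, 6 and 7 (this is example code written for this page, not part of the gov.uk document or the diary above): reject passwords that appear on a default/common list before accepting them, store only a salted scrypt hash rather than the plaintext, and lock an account after repeated failures while emitting a line that protective monitoring can pick up. The common-password list, the lockout thresholds and the scrypt parameters are assumed values; the usernames and passwords at the bottom are constructed sample data.

```python
"""Tips 1, 6 and 7 in code: block default passwords, store salted slow hashes,
lock out after repeated failures. Illustrative example, not gov.uk code."""
import hashlib
import hmac
import os
import time

# Constructed sample of default/common passwords to refuse (tip 1).
# A real deployment would use a large breach-derived list.
COMMON_PASSWORDS = {"password123", "changeme", "welcome1", "123456", "password"}

# Assumed scrypt tuning; 128*n*r bytes of memory (16 MiB here). Raise n on fast hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def is_common(password: str) -> bool:
    """Case-insensitive check against the blocklist."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return 'scrypt$n$r$p$salt_hex$hash_hex'; the plaintext is never stored (tip 7)."""
    if is_common(password):
        raise ValueError("password is on the default/common list")
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Hash compared against when the username is unknown, so response time does not
# reveal which accounts exist. Assumed filler value.
DUMMY_HASH = hash_password("correct horse battery staple")


class LoginGuard:
    """Tip 6: lock an account after max_failures bad attempts inside `window` seconds."""

    def __init__(self, users: dict, max_failures: int = 5,
                 window: float = 300.0, lock_for: float = 900.0):
        self.users = users          # username -> stored hash string
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.failures = {}          # username -> timestamps of recent failures
        self.locked_until = {}      # username -> time the lock expires

    def attempt(self, user: str, password: str, now: float = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        stored = self.users.get(user)
        # Always perform one scrypt computation, even for unknown users.
        ok = verify_password(password, stored if stored else DUMMY_HASH) and stored is not None
        if ok:
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t < self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_for
            self.failures.pop(user, None)
            # This is the line protective monitoring should alert on.
            print(f"ALERT: account {user!r} locked after {len(recent)} failures")
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed sample data.
    users = {"alice": hash_password("Tr0ub4dor&3-long-enough")}
    guard = LoginGuard(users, max_failures=3, window=60.0, lock_for=120.0)
    for pw in ("Welcome1", "Changeme", "Password123"):
        print(pw, "->", guard.attempt("alice", pw))
    print("correct password while locked ->",
          guard.attempt("alice", "Tr0ub4dor&3-long-enough"))
```

The lockout counter and the `ALERT` line are the monitoring hook; the point of `DUMMY_HASH` is that an attacker enumerating usernames should not get a faster "denied" for accounts that do not exist.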
We'll be stuck with passwords for a while yet, we should at least make people work for them a bit harder.
Cheers
Mark H
Comments
At a previous job, when the company went public and I had my first encounter with an auditor, they were horrified that I didn't require frequent password changes... at least until I showed that I had a password cracker running 24x7 on a small cluster. My rule back then was "If I can crack it, you gotta change it".
In today's world of keystroke loggers I'm sure this policy would never pass, but requiring frequent password changes only (IMHO) encourages users to write passwords down or worse, save them in text files. (face-palm) Don't laugh, I've recently encountered a windows admin who did precisely this with all his credentials for network hardware, appliances, support accounts, etc, saying "but it's on a PROTECTED windows share... PROTECTED..."
Anonymous
Sep 15th 2015
Regarding staff forgetting their passwords or writing them down, the answer is to provide them with a password management tool not to ignore the policy all together.
Anonymous
Sep 16th 2015
Oh, absolutely. I shoulda made it clear that the admin who had his credentials stored in cleartext in a file was at a totally different company than the one where I was running a password cracker to test the strength of passwords that were in use. :-) At the small software shop where I ran the cracking systems, we had other sensible policies such as removing accounts when someone left, changing all passwords if someone with elevated privs left the company, etc.
And keep in mind this was a long time ago, back in the days when passwords (on most systems) couldn't be longer than 8 characters anyway - anything you typed beyond the first 8 characters was simply ignored in most systems.
Obviously, these days, password length and complexity is a balancing act we play to thwart brute-force cracking and regular password changes are done partly to thwart brute-forcing but mostly (IMHO) to deal with problems like "shoulder-surfing" or users sharing their passwords, entering them into a silly webform in a phish, writing them down, re-using the same credentials on every cloud app on the planet - password leakage basically.
As more 'n more stuff winds up in "Da Cloud!" (tm) we really should be looking more 'n more at using decent 2-factor instead of just a username/password pair which is rapidly becoming an anachronism.
Anonymous
Sep 17th 2015
Strong passwords are always worthwhile for security, and it is better if one can change the password every month to run securely online.
Regards,
Asher ross
https://www.eukhost.com/
Anonymous
Sep 19th 2015
Hi,
The cloud is a secure and reliable way to get data online, but it is worthwhile to have a strong password and change it after a few days.
Regards,
Asher ross
https://www.eukhost.com/
Anonymous
Sep 19th 2015