AD and enforced password policies

Jimmy Hess mysidia at gmail.com
Tue Jan 3 22:58:35 CST 2012


On Tue, Jan 3, 2012 at 2:44 AM, Måns Nilsson <mansaxel at besserwisser.org>wrote:

> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at
> 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me):
> > However I would say 365 day expiration is a little long, 3 months is
> about the average in a non financial oriented network.
> If you force me to change a password every three months, I'm going
> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
> you lose.
>
[snip]
A good use for expiration is to mitigate the risk that a password was
guessed or accidentally leaked but not used yet to launch a detected attack
/ abuse the account -- expiration of the password doesn't destroy leaked
data or uninstall malware,  so it is not any sort of replacement for proper
intrusion detection, security monitoring,  and explicit incident response.

It is more secure to have solid intrusion detection, alarms, or 2 factor
auth.

For internet-connected systems;  5 day, 10 day, 30 day, 60 day password
expirations are fairly useless, because the intruder guesses the password
one day, and probably abuses it in less than 24 hours;   6-month and
12-month expirations accomplish very similar, but much less of a
nuisance.    Chances are very good that if a password is leaked, it will be
abused long before it expires,  and if you don't detect the compromise,
this means your intrusion detection systems have failed;  expiration of the
password doesn't erase the results of a successful compromise,  or lock out
the successful intruder.

So password expiration is not a good crutch.


A more effective expiration measure is to use  2-factor authentication,
with one time passwords that expire within 30 seconds.


Manual forced immediate password expiration should be in the security
admin's toolbox  as a possible response to observation of questionable or
potentially remotely suspicious activity on a system that user had been
logged into recently.

--
-JH


More information about the NANOG mailing list