User password age/complexity policy

Has anyone got any resources for determining a reasonable password policy for my users? My personal leaning is to ratchet up password complexity and allow them to change them less often as a kind of compromise. It seems that my average user has a higher tolerance for mixing in some numbers and special characters than they had 5 or 10 years ago.

I'm looking for rules of thumb and/or resources I can use to back up my proposed policy changes. Or even anecdotal info from those with more experience.

(I'm far from a security guru, so if that's just too vague to deal with, let's narrow the question to apply just to internal Windows networking passwords, though I'd be interested in what people are doing in terms of VPN and web service policy.)


Solution 1:

In today's world of random brute-force password attacks, I tend to agree with the statement that a good password written down is better than a memorized password that is easy to guess.

Solution 2:

Here's a good comparison of password strength:

http://www.lockdown.co.uk/?pg=combi

Solution 3:

You're doing the right thing by considering what your users are willing to work with. If you force highly complex passwords that must change frequently, you'll find your post-it note consumption will skyrocket.

Solution 4:

There's a sensible contribution to this topic from Gene Spafford at Purdue's CERIAS. Here's a partial quote:

So where did the “change passwords once a month” dictum come from? Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their “best practice” that they expected. It also got written into several lists of security recommendations.

This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security!
It is a “best practice” based on experience 30 years ago with non-networked mainframes in a DoD environment—hardly a match for today’s systems, especially in academia!
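The back-of-the-envelope reasoning quoted in Solution 4 (rotate before an exhaustive search could finish) and the strength comparison linked in Solution 2 can both be put into numbers. The Python below is an added example for this thread, not code from any of the answers or from the linked page. The character-class sizes (26+26+10+33 = 95 printable ASCII characters) and the guess rates in the report are assumptions; the point it makes is the one the question leans toward, namely that one extra character of length buys more than a shorter change interval.

```python
from math import log2

# Character classes a Windows-style complexity rule draws from.
# Assumption: all 33 printable ASCII symbols (space included) are acceptable.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

SECONDS_PER_DAY = 86400


def alphabet_size(classes):
    """Distinct characters available under a policy requiring these classes."""
    return sum(CHAR_CLASSES[c] for c in classes)


def keyspace(length, classes):
    """Number of passwords of exactly `length` characters over the policy alphabet.
    This is the upper bound a brute-force search has to exhaust; real users pick
    far fewer of these, which is why dictionary attacks finish much sooner."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Worst-case entropy in bits, i.e. if every character were chosen uniformly."""
    return length * log2(alphabet_size(classes))


def exhaust_days(length, classes, guesses_per_second):
    """Days needed to try every password in the keyspace at the given rate.
    The rate is an assumption you supply: an online, lockout-limited rate is a
    handful of guesses per second; an offline hash-cracking rate is far higher."""
    return keyspace(length, classes) / guesses_per_second / SECONDS_PER_DAY


def min_length_for_days(classes, guesses_per_second, target_days):
    """Smallest length whose exhaustive search takes at least `target_days` at the
    given rate. Integer loop rather than a float log so boundaries are exact."""
    needed = guesses_per_second * SECONDS_PER_DAY * target_days
    length = 1
    while keyspace(length, classes) < needed:
        length += 1
    return length


def policy_report(guesses_per_second):
    """Compare a few candidate policies at one assumed guess rate.
    Returns (label, bits, days_to_exhaust) tuples for a human-readable table."""
    candidates = [
        ("8 lower only", 8, ["lower"]),
        ("8 mixed case + digit", 8, ["lower", "upper", "digit"]),
        ("8 all four classes", 8, ["lower", "upper", "digit", "symbol"]),
        ("12 mixed case + digit", 12, ["lower", "upper", "digit"]),
        ("16 lower only", 16, ["lower"]),
    ]
    return [
        (label, entropy_bits(n, cls), exhaust_days(n, cls, guesses_per_second))
        for label, n, cls in candidates
    ]


if __name__ == "__main__":
    # Constructed rate for illustration: an offline attack against weakly hashed
    # credentials. Substitute whatever rate matches your own threat model.
    rate = 1e9
    print(f"Assumed rate: {rate:.0e} guesses/second")
    for label, bits, days in policy_report(rate):
        print(f"{label:24s} {bits:6.1f} bits  {days:14.1f} days to exhaust")
    years = 10
    n = min_length_for_days(["lower", "upper", "digit"], rate, 365 * years)
    print(f"Mixed-case+digit length for >= {years} years at that rate: {n}")
```

Reading the table the way Spafford's quote suggests: a 30-day rotation only does anything if the search would otherwise complete in about that window. Once exhaustion takes decades at the rate you assume, shortening the change interval adds nothing, while each extra character multiplies the search by the alphabet size (about 5.9 bits for mixed case plus digits).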