Something most established IT environments will have is a password policy.
This will say something like: passwords lock out after 3 failed attempts, passwords must change every 3 months, and passwords must meet certain character count requirements.
Whilst there is nothing outwardly wrong with having a password policy, things have to move on; we no longer live in the 90s where we have one password and one device.
My suggestion would be to have password policies based on the impact of that password being breached weighed against the likelihood of that password being breached.
Or, to put it another way, have some common sense around user passwords and treat them differently from service or secure passwords.
Sure, have your company bullion locked behind a password that is 64 characters long, complex, locks after one failed attempt and changes every hour. However, the average user account shouldn't be treated the same.
Have a password rating based on the business impact of that password being breached. This rating should determine what level of policy the password should have.
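As an added illustration of that rating idea (example code, not from the original post), the hypothetical tiers below score an account by breach impact and breach likelihood, derive a policy from the score, and apply that policy to a candidate password and to failed-login handling, so the "company bullion" account and an ordinary mailbox get different rules. The 1..3 scoring scale and the tier thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    tier: str
    min_length: int
    lockout_after: Optional[int]   # None = never hard-lock (avoids the self-inflicted DoS)
    max_age_hours: Optional[int]   # None = never forced to change


# Hypothetical tier table mirroring the post's two extremes plus a middle ground.
POLICIES = {
    "low": Policy("low", 14, None, None),     # ordinary user: long, never locks, never expires
    "medium": Policy("medium", 20, 10, 8760),  # e.g. shared admin tooling: yearly change
    "high": Policy("high", 64, 1, 1),          # "company bullion": locks after one failure, hourly change
}


def rate_policy(impact: int, likelihood: int) -> Policy:
    """Map impact x likelihood (each scored 1..3, constructed scale) to a policy tier."""
    if not (1 <= impact <= 3 and 1 <= likelihood <= 3):
        raise ValueError("impact and likelihood must each be 1..3")
    score = impact * likelihood
    if score >= 6:
        return POLICIES["high"]
    if score >= 3:
        return POLICIES["medium"]
    return POLICIES["low"]


def check_password(candidate: str, policy: Policy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    return problems


def should_lock(policy: Policy, failed_attempts: int) -> bool:
    """Hard-lock the account only where the tier demands it; low tier never locks."""
    return policy.lockout_after is not None and failed_attempts >= policy.lockout_after
```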
I hate the 3 strikes rule; irrespective of how many strikes you are allowed, this is a denial of service attack on your own users.
I don't like my password changing either; again, this leads to issues where a remote user might not complete the password change process correctly and ends up with out-of-sync passwords. Add into this an iPhone or Android device connecting to email and you have a major service desk headache.
I do like a long password which never changes or gets locked out.
I read somewhere that a 14 character password will take a dedicated specialised application 5 seconds to crack when it has access to the hash of the password. Interesting, but the likelihood is that a person who is after a user's password will find social engineering far more effective and practical.
I think we should encourage our users to create their own "algorithm" for password creation, set the password once, and never lock it. OK, let's say change it once a year. I would also throw the idea of not writing passwords down into the bin. Let your users own their own passwords. They will write them down anyway! You may find that people are more willing to choose complicated passwords if they feel they can write them down.
Here's a rubbish "starter for 10" on a user's algorithm...
SMTWTFS or JFMAMJJASOND
Obviously all this gumph is in your Security Policy, right? What do you mean you don't have one! ;)