Has anyone got any resources for determining a reasonable password policy for my users? My personal leaning is to ratchet up password complexity and allow them to change them less often as a kind of compromise. It seems that my average user has a higher tolerance for mixing in some numbers and special characters than they had 5 or 10 years ago.
I'm looking for rules of thumb and/or resources I can use to back up my proposed policy changes. Or even anecdotal info from those with more experience.
(I'm far from a security guru, so if that's just too vague to deal with, let's narrow the question to apply just to internal Windows networking passwords, though I'd be interested in what people are doing in terms of VPN and web service policy)
In today's world of random brute-force password attacks, I tend to agree with the statement that: a good password written down is better than a memorized password that is easy to guess
Here's a good comparison of password strength:
You're doing the right thing by considering what your users are willing to work with. If you force highly complex passwords that must change frequently, you'll find your post-it note consumption will skyrocket.
There's a sensible contribution to this topic from Gene Spafford at Purdue's CERIAS. Here's a partial quote:
So where did the “change passwords once a month” dictum come from? Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their “best practice” that they expected. It also got written into several lists of security recommendations.
This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security!
It is a “best practice” based on experience 30 years ago with non-networked mainframes in a DoD environment—hardly a match for today’s systems, especially in academia!
I'm much more in favour of longer passwords (which, realistically, means multi-word phrases if you're going to remember them) instead of mixing in words and numbers. If you force people to add numbers, they're more likely to do simple things like replace i with 1 etc., which doesn't gain you very much security.
There are tons of material on Password Policies. I recommend taking a look at
Now, something must be said about password sanity. The fact is that passwords that are hard to remember are written down. The same goes for passwords that must be changed too often. The bottom line: it depends on what you're protecting and your userbase.
The policy should reflect what the users are using the computers for and how sensitive the information the user handles on it is. If it is just to contain the user's preferences you do not really need it heavily fortified if everything else is in place to repel attacks. If the opposite is the case I would rather have annoyed users moaning about complex passwords to remember.
I have about 20-some complex passwords in my head at all times, and I have started creating them using patterns on the keyboard to remember them by. It makes it easier as I only need to know the starting point and what kind of pattern to make. Everybody hates changing passwords, but this technique allows me to change them around easily and remember them, so security is tight.. for me at least. I can even note down one letter on a piece of paper and still recall what pattern to make, and I don't really remember things too well. If this has any use for anyone however.. I don't know.
Writing down a complex password without obfuscating it seems just wrong to me. If someone is trying to break into a computer physically you can be sure they will look for some tell-tale.
I believe, when I worked for a healthcare institution, that some of our requirements came from HIPAA. I haven't looked at the SOX regs (which I guess I now adhere to in the insurance world), but they may have some similar language as a basis for this sort of thing.
Beyond that, if you're part of a larger IT organization (sub-division in a larger corporation) the corporation may have rules that could be adhered to.
Bottom line needs to be that, whatever policy gets implemented, it be blessed by senior management, and preferably written up in a security or IT policy that all staff need to be made aware of/adhere to. It doesn't need to be draconian (change password every 180 days, combination of alpha and numerics), but it should be company policy so everyone is crystal clear on the requirement.
Been some good suggestions so I'm just going to add this:
As long as you're able to make sure that you can be exempt from the policy... I have a good memory, so personally I prefer to be able to use an 18-character password that's ridiculously complex for 6 months or more than a simple one that I have to change once a month.
Keep in mind that a 16 character password that uses only lowercase and uppercase letters and spaces gives 53^16 combinations or 3.876*10^27, whereas 10 character passwords that use lowercase and uppercase letters, numbers and symbols only gives 95^10 or 5.987*10^19.
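The keyspace comparison in the answer above, and the multi-word passphrase suggestion from the earlier answer, both come down to the same arithmetic: alphabet size raised to the length, or log2 of that for bits of entropy. The following is an added example (not code from the original thread or any of its posters) that reproduces the 53^16 and 95^10 figures, generalizes to passphrases drawn from a word list, and converts a keyspace into worst-case brute-force time at an assumed guess rate. The 7776-word list size and the 10^10 guesses per second are assumptions chosen for illustration; the numbers only hold for passwords chosen uniformly at random, so a human-chosen "i to 1" substitution password has far fewer effective bits than this calculator reports for its length.

```python
import math

# Alphabet sizes used in the answer above (assumed breakdown):
# 26 lowercase + 26 uppercase + space = 53, and 95 printable ASCII characters.
ALPHABETS = {
    "letters+space": 53,
    "printable_ascii": 95,
    "lowercase": 26,
    "alphanumeric": 62,
}

# Assumed word-list size for passphrases (6^5, a common diceware list size).
ASSUMED_WORDLIST_SIZE = 7776


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn
    uniformly from an alphabet of `alphabet_size` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must be >= 2 symbols and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: log2(keyspace)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy in bits of `words` words chosen uniformly at random from a
    list of `wordlist_size` words (the multi-word phrase approach)."""
    if wordlist_size < 2 or words < 1:
        raise ValueError("word list must have >= 2 words and phrase >= 1 word")
    return words * math.log2(wordlist_size)


def years_to_exhaust(keyspace_size: int, guesses_per_second: float) -> float:
    """Worst-case years for an attacker to try every password at the given
    guess rate. For a random password the expected time is half of this."""
    seconds_per_year = 365.25 * 24 * 3600
    return keyspace_size / guesses_per_second / seconds_per_year


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Tabulate keyspace, bits, and worst-case brute-force years for the two
    policies in the answer above plus an assumed 6-word passphrase."""
    rows = {}
    for name, alphabet_size, length in [
        ("16 chars, letters+space", ALPHABETS["letters+space"], 16),
        ("10 chars, printable ASCII", ALPHABETS["printable_ascii"], 10),
    ]:
        size = keyspace(alphabet_size, length)
        rows[name] = {
            "keyspace": size,
            "bits": round(entropy_bits(alphabet_size, length), 1),
            "years_worst_case": years_to_exhaust(size, guesses_per_second),
        }
    # A passphrase's keyspace is wordlist_size ** words, the same arithmetic
    # with a much larger "alphabet" and a much shorter "length".
    words = 6
    size = keyspace(ASSUMED_WORDLIST_SIZE, words)
    rows[f"{words} words from {ASSUMED_WORDLIST_SIZE}-word list"] = {
        "keyspace": size,
        "bits": round(passphrase_entropy_bits(ASSUMED_WORDLIST_SIZE, words), 1),
        "years_worst_case": years_to_exhaust(size, guesses_per_second),
    }
    return rows


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:40s} {row['keyspace']:.3e} combos, "
              f"{row['bits']:5.1f} bits, "
              f"{row['years_worst_case']:.2e} years worst case")
```

Run as a script it prints the three rows; the 16-character letters-and-space password lands at roughly 91.6 bits against 65.7 bits for the 10-character printable-ASCII one, confirming the answer's point that length beats symbol variety. The guess rate is a knob to set from your own threat model (online attempts against a lockout-protected domain controller are orders of magnitude slower than offline cracking of a leaked hash), which is the number that should actually drive the expiry interval rather than a fixed "every 30 days".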