On Tue, Jan 3, 2012 at 2:44 AM, Måns Nilsson <mansa...@besserwisser.org>wrote:
> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at > 11:15:08PM +0000 Quoting Blake T. Pfankuch (bl...@pfankuch.me): > > However I would say 365 day expiration is a little long, 3 months is > about the average in a non financial oriented network. > If you force me to change a password every three months, I'm going > to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, > you lose. > [snip] A good use for expiration is to mitigate the risk that a password was guessed or accidentally leaked but not used yet to launch a detected attack / abuse the account -- expiration of the password doesn't destroy leaked data or uninstall malware, so it is not any sort of replacement for proper intrusion detection, security monitoring, and explicit incident response. It is more secure to have solid intrusion detection, alarms, or 2 factor auth. For internet-connected systems; 5 day, 10 day, 30 day, 60 day password expirations are fairly useless, because the intruder guesses the password one day, and probably abuses it in less than 24 hours; 6-month and 12-month expirations accomplish very similar, but much less of a nuisance. Chances are very good that if a password is leaked, it will be abused long before it expires, and if you don't detect the compromise, this means your intrusion detection systems have failed; expiration of the password doesn't erase the results of a successful compromise, or lock out the successful intruder. So password expiration is not a good crutch. A more effective expiration measure is to use 2-factor authentication, with one time passwords that expire within 30 seconds. Manual forced immediate password expiration should be in the security admin's toolbox as a possible response to observation of questionable or potentially remotely suspicious activity on a system that user had been logged into recently. -- -JH
