I have a Windows domain that needs a password policy. Right now there isn't one. Anyone have feedback on a good balance between weak passwords and users having passwords so strong they just write them down?
Since no one has an expiring password, I thought I could phase in users by removing the "Password never expires" property from their user account. That way I (and the help desk) don't get so slammed with questions/password resets. Any feedback?
The National Institute of Standards and Technology (NIST) has some good publications on computer security topics. They are great resources... the publication that you are looking for is NIST Special Publication 800-53. (Believe me, it's not as bad as it sounds.)
IMO a password policy should be something like this:
Bear in mind that the more restrictive your policy, the more times you'll be called upon by users who need accounts unlocked, or passwords reset. The less restrictive your policy, the more risk you expose your organisation to.
By default, you cannot define how complex a domain password policy is (up to 2003 at least). There are ways and means of changing the rules, but from my understanding it's exceptionally convoluted, and not for the faint of heart. In other words, you cannot decide you want your users' passwords to be 3 caps, 2 special, 2 numeric, etc.
Here's what will be set when you enable the "Password must meet complexity requirements" setting in the Default Domain group policy:
What you can set however, is:
Across all our domains we use complexity, 8 character minimum, 14 day minimum age, 90 day maximum age, 14 password history, 5 invalid login attempts, and 30 min lockout duration.
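As an added example (not from the original answer), the settings listed above applied to the Default Domain Policy with the ActiveDirectory PowerShell module, then read back for verification. This assumes a domain controller or admin workstation with the ActiveDirectory module (Windows Server 2008 R2 or later, so not the 2003-era domain the earlier answer refers to) and a Domain Admin session.

```powershell
# Added example, not the original poster's script.
# Assumes the ActiveDirectory module (RSAT / Server 2008 R2+) and Domain Admin rights.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Values quoted in the answer: complexity on, 8-char minimum, 14-day minimum age,
# 90-day maximum age, 14 passwords remembered, 5 bad attempts, 30-minute lockout.
# The observation window must not exceed the lockout duration, so it is also 30 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDN `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 8 `
    -MinPasswordAge (New-TimeSpan -Days 14) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -PasswordHistoryCount 14 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Read the effective policy back and eyeball every value before closing the session;
# a typo in a TimeSpan (hours instead of days) is easy to miss otherwise.
Get-ADDefaultDomainPasswordPolicy -Identity $domainDN |
    Format-List ComplexityEnabled, ReversibleEncryptionEnabled, MinPasswordLength, `
        MinPasswordAge, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold, `
        LockoutDuration, LockoutObservationWindow
```

If fine-grained password policies (PSOs) exist in the domain, they override these defaults for the users they apply to; `Get-ADUserResultantPasswordPolicy` shows what a given account actually gets.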
duffbeer703's link is good. There are some technical reasons for certain password limitations and minimum requirements. You especially need to explore these limitations if you're not in a completely homogeneous environment.
Anyhow, the 8 character, three of four character group rule is pretty standard. What I personally do is train my users to create passphrases instead of passwords. This makes coming up with passwords much easier, and they don't spend as much time trying to figure out how to work in all of those character requirements. A password like "It's sunny. Yippee!" is easy enough to come up with and remember.
There's a problem with this approach, however: if people use proper English grammar when they're writing their passphrases, they thereby limit somewhat the total number of possible combinations. That is, a password that always starts with a capital letter and ends with a period isn't stronger just because it contains a capital letter and a period; it's weaker because we can guess this in advance.
The other standard Windows domain rules are fine, IMO, except that I only require a password change every quarter. Personally I'm not sold on the notion of password expiration. Even thirty days is an eternity if an account is compromised. Anyhow, people get really irate when they have to change a password.
Since not even the security experts can agree on a good middle ground on anything related to passwords, I say that most advice on any extreme is just stupid unless you're specifically in a high security situation. What I think is most important, and what I have users actually sign off on, is a statement similar to: "DO NOT EVER SHARE YOUR PASSWORD WITH ANYONE. I DON'T CARE WHO THEY ARE OR WHY THEY NEED TO GET ON YOUR COMPUTER WHEN YOU'RE ON VACATION. THE SECURITY OF YOUR PASSWORD IS YOUR RESPONSIBILITY." The single greatest abuse of accounts from what I've seen comes from people sharing passwords. All the other l33t hacker stuff is barely a concern in a regular old business.
Well, you know your users best, so if you think that making the passwords expire is the way to go, then go for it. It's as good an option as any.
As for password policy, it is always a tradeoff between perfect security (i.e. 13 characters long, 4 caps, 2 symbols, 3 numbers, the rest lowercase) and perfect convenience (i.e. no policy whatsoever... autologin). Basically, if you go too far towards security, you find people with their passwords taped to the bottom of their keyboards or on a Post-it beside their monitor, and if you go too far towards convenience, you get poor security and easily guessed passwords.
For our org, we require at least a 7 character password, with at least 1 number, 1 capital, and 1 lowercase letter (a symbol can be used for any of the requirements). That seems to work well for our users, and gets no pushback from them. Good luck, hope this helps.
The NIST publication is OK, but your domain password policy is not as important as educating the users not to share their passwords. There is nothing intrinsically wrong with a non-expiring password so long as it's not taped to their keyboard and they don't share it. Basically any parameters you set will be just fine; the 2 biggest things to think about are:
account lockout threshold (invalid login attempts)
account lockout duration
What this limits is the ability of folks to brute force your security. I usually recommend a threshold of 5 and a duration of 2 hours, but that certainly depends on the situation. As Boden pointed out, not even security experts can agree on what a secure password policy is. In fact I'd implement server and domain isolation before I'd worry about my password policy. At that point I'll give you my password; you're still not getting into my resources.
Some guidelines from the field :)
Educate users that the longer the password, the better, even if it's not complex. (A proven study shows short passwords with high complexity get cracked faster than longer, simpler passwords.)
Keep password expiry a multiple of 7, like 28, 42, or 91. This ensures that periodic password resets after expiry are spread out evenly in terms of weekdays. This matters when you have thousands of accounts. E.g. if you reset your password on a Monday, your next password expiry will also fall on a Monday.
Keep a sensible account lockout policy. Start with something moderate, then monitor related helpdesk calls and tweak the lockout policy as required. E.g. if there are too many calls, relax the lockout policy a bit.
If possible, buy a password self-service product, so that users can reset passwords or unlock their accounts themselves. (Roughly 30% to 40% of helpdesk calls are related to this.)
Lastly, use a password cracking tool to periodically check the strength of passwords set by people, and warn people with very simple passwords to choose better. Remember hackers just need one account to get into your network.
One big thing to remember with "Password never expires": once you put a password policy in effect, if the password would have expired based on the last change, then as soon as you toggle that flag off, the password will be expired. So you'll need to alert users to this fact.
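An added example (not part of the original answer) of auditing that exact effect before touching the flag: it lists every enabled user with "Password never expires" set, checks whether their last password change is already older than the domain's maximum password age, and only clears the flag for users who still have runway. It assumes the ActiveDirectory module and an account that can read PasswordLastSet and modify users; the CSV path and the `-WhatIf` safety are my own choices.

```powershell
# Added example, not the original poster's script.
# Assumes the ActiveDirectory module and rights to read and modify user accounts.
Import-Module ActiveDirectory

$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -eq [TimeSpan]::Zero) {
    throw "MaxPasswordAge is 0 (no expiry); clearing the flag would expire nobody."
}
$now    = Get-Date
$cutoff = $now - $maxAge   # anything last set before this is already past max age

# Only enabled accounts that currently carry the flag are in scope.
$candidates = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $candidates) {
    # PasswordLastSet is $null when "must change password at next logon" is set,
    # so treat that the same as an already-expired password.
    $wouldExpire = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $cutoff)
    $daysLeft = if ($wouldExpire) { 0 } else {
        [int](($u.PasswordLastSet + $maxAge) - $now).TotalDays
    }
    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        WouldExpireNow  = $wouldExpire
        DaysUntilExpiry = $daysLeft
    }
}

# Hand this list to the help desk first; the WouldExpireNow rows are the calls you would get.
$report | Sort-Object WouldExpireNow -Descending, DaysUntilExpiry | Format-Table -AutoSize
$report | Export-Csv -Path .\never-expires-audit.csv -NoTypeInformation

# Phase the change in: clear the flag only where the password would NOT expire on the spot.
# Remove -WhatIf once the list looks right; the remaining users get a forced change date instead.
$report | Where-Object { -not $_.WouldExpireNow } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```

If fine-grained password policies are in use, replace the single domain-wide `$maxAge` with `(Get-ADUserResultantPasswordPolicy $u).MaxPasswordAge` inside the loop, since a PSO can give a user a different maximum age than the Default Domain Policy.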
Microsoft's high security recommendation for Windows Server 2003 used to be:
However, this didn't sit well with the auditors I've interacted with. The most lenient I've seen wanted a 24 hour unlock and no more than 10 failures in a 24 hour period with a 60 day expiration. The least lenient I've seen is no automatic unlock with no more than 3 failures in a 24 hour period with a 30 day expiration. All were consistent in a minimum character length of 8 with complexity turned on with the full 24 passwords remembered.
You could implement passphrases instead of passwords. So something like "Why are passwords so complex?" could be a password.
Yep, I agree with adam-brand and have found it works in practice. Something to advertise to your users could be this XKCD comic:
http://xkcd.com/936/