It’s Friday: do you know what my password is?

Courtesy of thinkgeek.com

I’m trying to convince my staff that we should require really long passwords, never expire them, and run crack every year to check password strength. But they disagree, especially about the expiration issue. Any thoughts? Gurus I can consult? I checked Schneier but haven’t found a good reference yet.
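
The third item in the proposal above, a yearly offline strength check in the spirit of running Crack against the password file, as an added example (editor's code, not from the post or any of the commenters): it builds guesses from a small wordlist with a few mangling rules, hashes each with the user's salt, and reports whose stored hash it matched. The shadow entries, salts, wordlist and suffix rules are all constructed for the example. The hash is plain salted SHA-256 only so the script runs instantly with no dependencies; a real password store should use a slow KDF (bcrypt, scrypt, Argon2), and the same loop would then run correspondingly slower, which is why the wordlist and rules matter more than raw speed.

```python
import hashlib


def _h(salt: str, pw: str) -> str:
    """Salted SHA-256 as hex: a stand-in for the real password hash (see lead-in)."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


# Constructed sample password file, user -> (salt, hash). These are not real accounts.
SHADOW = {
    "alice": ("s1", _h("s1", "Summer2008!")),                   # word + year + symbol
    "bob":   ("s2", _h("s2", "correct horse battery staple")),  # long passphrase
    "carol": ("s3", _h("s3", "password1")),                     # word + digit
}

# Constructed wordlist and mangling suffixes; a real run uses a large list and rule set.
WORDLIST = ["password", "summer", "winter", "letmein", "dragon"]
SUFFIXES = ["", "1", "123", "!", "2008", "2008!"]


def candidates(words=WORDLIST, suffixes=SUFFIXES):
    """Yield distinct guesses: each word as lower/Capitalized/UPPER, with each suffix."""
    seen = set()
    for w in words:
        for form in (w.lower(), w.capitalize(), w.upper()):
            for s in suffixes:
                g = form + s
                if g not in seen:
                    seen.add(g)
                    yield g


def crack(shadow=SHADOW, words=WORDLIST, suffixes=SUFFIXES):
    """Return {user: recovered_password} for every stored hash some guess matches.

    Guesses are generated once, but each must be rehashed per user because the
    salts differ; that per-user cost is exactly what salting buys the defender.
    """
    guesses = list(candidates(words, suffixes))
    found = {}
    for user, (salt, digest) in shadow.items():
        for g in guesses:
            if _h(salt, g) == digest:
                found[user] = g
                break
    return found


def audit_report(shadow=SHADOW):
    """Format the yearly result: who fell to the wordlist and who held."""
    cracked = crack(shadow)
    total = len(list(candidates()))
    lines = []
    for user in sorted(shadow):
        if user in cracked:
            pw = cracked[user]
            lines.append(f"{user}: WEAK (recovered {pw!r}, {len(pw)} chars)")
        else:
            lines.append(f"{user}: survived {total} guesses")
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report()))
```

The two accounts that fall are a dictionary word plus a year or a digit, the shape a forced-change policy tends to push people toward; the long passphrase survives the whole rule set. Note that an offline audit can only report on passwords it actually recovers, so a minimum length still has to be enforced when the password is set, not discovered afterwards.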

6 Responses to “It’s Friday: do you know what my password is?”

  1. TT said:

    Sep 26, 08 at 12:29 pm

    IMO, expiration is not that helpful because of:
    * Increased support costs
    * Less user satisfaction
    * Users will have less secure passwords: they will use passwords that are easier to remember and therefore weaker, or they will write it on a sticky note, or they will cycle back through old passwords

    The time/money involved in supporting password expiration could be better spent training users in secure practices or maybe investing in dongles for two-factor authentication.

    However expiration is useful for admin accounts. Folks with admin access _should_ be more technically savvy and able to cope.

  2. Kyle said:

    Sep 26, 08 at 2:41 pm

    I’m a big fan of long, difficult passwords that don’t expire. We have one of the three at my institution. Guess which one. ‘-)

  3. admin said:

    Sep 26, 08 at 5:10 pm

    I agree. I’m just trying to find some Official documentation that agrees with us. Kyle, I’m guessing that in the world of “good, fast, and cheap: pick two” you’ve somehow managed to end up with none of the above?

    What’s complicating this is that we have to sign off with various grant provisions that do say we need to expire passwords. Which is bad, for the reasons TT enumerates. But I’m willing to fly in the face of contracts if I can justify why an alternative is actually more secure. I just can’t say “because folks on my blog agreed with me.” I looked at Schneier and didn’t find anything. I looked at SANS and didn’t find anything there, either…

  4. Mom said:

    Sep 27, 08 at 2:15 pm

    Hi honey; it’s Mom. You gave us the best password. It’s complex, long, has a variety of components, and most amazing of all, Dad and I, in our advanced states of doddering old agedness, can remember it. Thank you; you rock.

  5. admin said:

    Sep 29, 08 at 5:01 pm

    Thanks, Mom! For the rest of you who might need to help your parents: I simply translated Mom and Dad’s license plates into a number using a simple alphabetic crypto scheme where A=1, B=2, etc., and added up the resulting numbers into one number, which I then prepended to the official AKC name of their second dog, followed by Pi to the same number of digits as they have drinks in a night. It’s really simple.

  6. Mom said:

    Oct 01, 08 at 5:55 am

    Nobody likes a smart “aleck”; we do love you, however.

