Hey,

Just wondering if there are more password policies beyond the generic ones such as "minimum password age", "password must meet complexity requirements", etc. I would like to create stronger password policies for the administrators. Is there a way to add more complexity to the password requirements?

Another thing, is there a way to prevent users from doing stuff like this:

old password: password1 (expires...) new password: password2 (expires...) etc.

We find that a lot of users are just adding a new number to the end of their password.

Thanks in advance,

Matt

+2  A: 

We find that a lot of users are just adding a new number to the end of their password.

This is a well known problem with password complexity and, especially, ageing requirements - they often reduce security as people will write down passwords as they can't remember them. If your users are doing this then it's a good indication that you are expiring passwords too quickly.

See also: Password complexity strategies - any evidence for them?

Colonel Sponsz
The maximum password age is set to 90 days, which I think is quite a bit of time. Thanks for the link.
Matt
Based on the evidence, your users seem to disagree with you about what is "quite a bit of time". :-)
Colonel Sponsz
A: 

Password strength and usability are often at odds these days. If you're part of a forward-thinking organization, the best technique that I've found is to encourage users to make use of applications that both solve your problem and theirs, such as Password Managers. KeePass and Password Safe are two such applications, but there are many others. Here is the new policy:

  • Encourage users to create 1 strong password that they own and maintain which is the password to their local/private encrypted database.
  • Ask them to use the built in functionality for generating random, strong passwords.
  • Encourage them to simply use the copy/paste functionality from the password manager to your application.

There are several pros / cons to this approach; but believe me, users are happier when they don't have to deal with all of the unfriendly nonsense required by passwords these days AND they might actually stop short cutting your policies.

reshen
A: 

Just wondering if there are more password policies beyond the generic ones such as "minimum password age", "password must meet complexity requirements", etc. I would like to create stronger password policies for the administrators. Is there a way to add more complexity to the password requirements?

Minimum and maximum password age, password history (goes with the minimum age), a one-time pad, a crypto-based approach using crypto hardware like tokens or smartcards, .... lots of security options.

If you just want to make the password itself more complex, ... just decide what your goals are (e.g. want to avoid being in rainbow tables, want to make an attack take at least X hours/days/weeks/months) and choose your complexity requirements based on that.

If you say that the password must contain letters, numbers, symbols, be at least 16 characters, and have no words in it (including leeted words), you're probably reasonably safe, except for the fact that your admins have written the password down and put it under their keyboard.

Another thing, is there a way to prevent users from doing stuff like this:

old password: password1 (expires...) new password: password2 (expires...) etc.

We find that a lot of users are just adding a new number to the end of their password.

This one is easy. It is common to combine a minimum password age with keeping N historical (but definitely NOT the current password) passwords in cleartext to prevent people from re-using the passwords quickly. Simply decide how different new passwords must be, and check the edit distance of the new password from each historic password.

Slartibartfast
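A worked example of the checks this answer describes (minimum length plus letters/digits/symbols, a dictionary check that also catches "leeted" words, and an edit-distance comparison of the new password against the last N passwords), added here as illustration; it is not code from the original answer. It assumes, as the answer proposes, that the N historical passwords are available to the checker in plaintext at comparison time. The case-folding before comparison, the small leet substitution table, the constructed word list and the thresholds MIN_LENGTH, MIN_DISTANCE and HISTORY_DEPTH are this example's own choices, not anything the answer specifies.

```python
import string

# Constructed leet substitution table (assumption: the common ones only).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

MIN_LENGTH = 16      # "at least 16 characters" from the answer
MIN_DISTANCE = 4     # hypothetical: edits a new password must be from every old one
HISTORY_DEPTH = 10   # hypothetical: N historical passwords retained

# Constructed sample dictionary; a real deployment would load a full word list.
WORDS = ["password", "admin", "welcome", "summer", "secret", "letmein"]


def has_all_classes(pw: str) -> bool:
    """Letters, digits and symbols must each appear at least once."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def contains_dictionary_word(pw: str, words, min_word_len: int = 4) -> bool:
    """Reject dictionary words even when leeted: 'P@55w0rd' normalizes to 'password'."""
    normalized = pw.lower().translate(LEET)
    return any(len(w) >= min_word_len and w in normalized for w in words)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def too_similar(new_pw: str, history, min_distance: int = MIN_DISTANCE) -> bool:
    """True if the new password is within min_distance edits of any old one.

    Both sides are case-folded first so 'Password1' -> 'password2' still counts
    as a one-character change (a choice of this example, not the answer's).
    """
    folded = new_pw.lower()
    return any(levenshtein(folded, old.lower()) < min_distance for old in history)


def validate(new_pw: str, history, words=WORDS):
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    if len(new_pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not has_all_classes(new_pw):
        reasons.append("needs letters, digits and symbols")
    if contains_dictionary_word(new_pw, words):
        reasons.append("contains a dictionary word (leet-speak included)")
    if too_similar(new_pw, history):
        reasons.append(f"within {MIN_DISTANCE} edits of a previous password")
    return reasons


def rotate_history(history, retiring_pw: str, depth: int = HISTORY_DEPTH):
    """After a successful change the retired password joins the history;
    only the most recent `depth` entries are kept."""
    return (list(history) + [retiring_pw])[-depth:]


if __name__ == "__main__":
    history = ["password1"]                     # constructed: the user's previous password
    for candidate in ["password2", "P@55w0rd-is-l0ng-enough!", "Tr0ub4dor&3-horse-Btry"]:
        print(candidate, "->", validate(candidate, history) or "accepted")
```

The trailing-digit trick in the question ("password1" to "password2") is distance 1, so any MIN_DISTANCE above 1 blocks it; a threshold of 3 or 4 also catches appending "!" or bumping a year. The one thing to be clear-eyed about is that an edit-distance check can only run against plaintext history, which hashing would destroy, so that store needs to be encrypted at rest and kept apart from the hashed current password rather than held as bare cleartext.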