Comments on: Password Policy effects on Admins

By: secgeek

secgeek — Thu, 07 Apr 2005 11:59:19 +0000

I just want to apologize for the tone of the first reply I sent. I feel very strongly that all administration ID’s and functions should be audited and secured in a way that it can be independently proven that those ID’s were not used in a crime. I take Security very seriously and sometimes it show.
Peace

By: jimcusson

jimcusson — Wed, 06 Apr 2005 10:15:25 +0000

Keep the complexity but use it to create easier to remember passwords. As someone else said, use passphrases.
el2g2tm! is easy to remember when it translates into Everybody Loves 2 Go 2 The Movies! The auditors will love the “strong” password, it’s 8 characters and uses both numbers and specail characters. For the user, it’s easy to remember.

By: secgeek

secgeek — Wed, 06 Apr 2005 09:21:47 +0000

This gets to the heart of why most people that call themselves security aren’t. They are in fact an ethical embarrassment to the profession of Security officer. The thought that the law doesn?t apply to the sheriff is unconscionable and the true reason that Microsoft has never designed a good security system.

Administrative ID?s should be changed more often than regular users and should be held to higher password standards than regular users. Please don?t ever embarrass the title of Security with such questions ever again.

Peace

By: msitsec

msitsec — Wed, 06 Apr 2005 08:37:17 +0000

And don’t forget what the auditors will have to say about it. Not only is security first and formost on our minds, but now there is the big ‘C’ Compliance

By: stuffedmoose

stuffedmoose — Wed, 06 Apr 2005 07:46:30 +0000

The idea here is “security”. Shorter simpler passwords means you are more vulnerable. No, the complexity restriction cannot be by-passed and it shouldn’t be. If you can think up a shorter easier password, so can a brute-force hacker. Would you really want that to happen? Probably not.

By: shawnharbert

shawnharbert — Tue, 05 Apr 2005 18:48:21 +0000

Password policies are Domain specific and apply to ALL users within that domain. If you want to make an easier password policy for your admins, then I suggest you use Pass Phrases and NOT shorten or make simpler the passwords to accounts that hold the “keys” to your network. However, if you’re really stuck on wanting simpler passwords, stand up another domain in your Forest, move all of your admins to that domain, and manage the original domain with accounts from your new domain (this is NOT the suggested alternative!).