
Corporate Password Policy


I am challenged with a personal want in changing the password policy. The current policy is rather insecure and, being the Systems Administrator/IT Manager, I feel it is my job to make the environment secure; which of course is a given.

I want to enforce the policy over everyone, and here is what I want to do.

I want to:

      • Enforce Password History - 9
      • Maximum Password Age - 43
      • Minimum Password Age - 21 Days
      • Minimum Password Length - 14 Characters
      • Password must meet complexity requirements - Disabled
      • Store passwords using reversible encryption - Disabled
      • Account Lockout Threshold - 6 invalid logon attempts

Currently it is set up as:

      • Enforce Password History - 24
      • Maximum Password Age - 365
      • Minimum Password Age - 1 Day
      • Minimum Password Length - 8 Characters
      • Password must meet complexity requirements - Enabled
      • Store passwords using reversible encryption - Disabled
      • Account Lockout Threshold - 0 invalid logon attempts

I am hoping that my policy will allow users to find more passwords that they can remember. I want users to not use the same passwords as others. I don't want them to easily pick a new password, or change their password all the time so they can just use their other password.

Upon bringing this up to a co-worker, I asked him what issues might come into play. I mentioned that the COO of the company will have an issue simply because he is the type of guy who gets what he wants. He will hate having to change his password, so this will be an issue. I know that users who are remote, and only use Outlook, will have an issue, because they won't be able to connect to get email and will have to change their password. But how will they be able to change their password? One such person will be the CEO of the company, who is mainly only using his phone for all email (client certificate authenticated) and also uses Outlook (username and password is required) on his non-domain-joined PC.

I have read a few articles and this is what I set my policy towards:

I then read a few other papers/articles:

  1. http://www.techrepublic.com/blog/security/are-users-right-in-rejecting-security-advice/3275 (biased)
  2. http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

Article 2 is really not relevant for a company of the size that I work for. It is basically suggesting that passwords in general are bad and that the policies to enforce security are more costly than actually mitigating an exploit because the policy didn't work.

We have to enforce the policies to help prevent passwords from being known and incurring the cost of removing the damage of a security breach. And doing so starts by tightening our password policy from the not-as-secure one to the more secure one.

What do others suggest?

I know I can set policies based on users or groups so that it is less burdening, but really everyone in the company should have the same policy, if anything a more secure one than the one mentioned above if they have local admin rights, which can be applied to that specific user.
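The two policies above as they would be expressed on an Active Directory domain, as an added example that is not part of the original post: the default domain policy takes the values the poster proposes, and a fine-grained password policy covers the stricter per-group case the last paragraph mentions. It assumes the RSAT ActiveDirectory module, rights to edit the default domain policy, a group named "Local-Admins", and the stricter values for that group (the post only says "more secure").

```powershell
# Added example, not the original poster's code. Requires the ActiveDirectory
# module (RSAT) and rights to edit the default domain password policy.
Import-Module ActiveDirectory

# Record the current default domain policy before changing anything, so the
# before/after values (the two lists in the post) can be compared and audited.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                  MinPasswordLength, ComplexityEnabled,
                  ReversibleEncryptionEnabled, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow

# Apply the values proposed in the post to the default domain policy.
# -WhatIf only previews the change; remove it to commit.
# AD requires LockoutObservationWindow <= LockoutDuration once a threshold is set,
# so both are given explicitly (30 minutes is an assumed value).
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -PasswordHistoryCount 9 `
    -MaxPasswordAge (New-TimeSpan -Days 43) `
    -MinPasswordAge (New-TimeSpan -Days 21) `
    -MinPasswordLength 14 `
    -ComplexityEnabled $false `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 6 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -WhatIf

# Stricter policy for accounts with local admin rights, as a fine-grained
# password policy (needs Windows Server 2008 domain functional level or later).
# "Local-Admins" is an assumed group name; the values here are assumptions
# chosen to be tighter than the domain policy above.
New-ADFineGrainedPasswordPolicy -Name "AdminPasswordPolicy" -Precedence 10 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 43) `
    -MinPasswordAge (New-TimeSpan -Days 21) `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 6 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Attach the fine-grained policy to the admin group; lower Precedence wins
# when a user falls under several fine-grained policies.
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPasswordPolicy" `
    -Subjects "Local-Admins"

# Verify which policy actually applies to a given account (assumed sAMAccountName).
Get-ADUserResultantPasswordPolicy -Identity "jdoe"
```

Running the Get-ADDefaultDomainPasswordPolicy step before and after the change gives the evidence needed to confirm the rollout matched the proposed list.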
