Re: Service accounts with password expiration
- From: Anteaus <Anteaus@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 26 Aug 2008 00:38:01 -0700
"Alun Jones" wrote:
> A photocopied *** of paper was found, with a list of account names and
> passwords. It had obviously fallen out of someone's pocket or wallet without
> them noticing.
If that happens, expiring the passwords every x days is about as much use as
putting the pin back in the grenade after it's exploded. The important thing
is to change the passwords NOW, and then take steps to ensure this doesn't
happen again. Using a 'password-safe' program is one option.
A key issue with expiring system-account passwords is the risk of backups
being blocked by the changes. This could lead to a catastrophic data-loss
situation, and is potentially a far greater risk than that of passwords being
misappropriated.
Password-expiry is a soapboxer's favorite rant, yet an application of the
Mk1 Brain to the situation discloses that it adds very little to security. If
a password is compromised, chances are that any malicious damage will be done
long before the password expires. Probably within minutes of the intrusion.
Also, changing the password (to another of equal strength) during a
brute-force attempt makes NO difference to the odds of the attack succeeding
or failing.
A further point, often misunderstood, is that password-expiry does NOT
prevent disused accounts from being resurrected for malicious purposes. This
is particularly a concern where the user had remote-access to the system.
Strangely, despite its faddist password rules, Windows 2003 still possesses
no mechanism for closing/suspending disused accounts, so there is a need for
diligence here.
The key to good security is to use strong, nondictionary passwords, and make
sure that staff take password-security seriously, and do not allow passwords
to be leaked through carelessness.
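Two of the practical points above (rotating a service-account password can silently break backup jobs, and disused accounts need to be found and disabled by hand because expiry does nothing for them) lend themselves to a script. The following is an added example, not code from the thread or from either poster. It assumes a modern domain with the ActiveDirectory RSAT module installed and WinRM reachable on the hosts named; the host names, the account name and the 90-day threshold are placeholders.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and WinRM access to each host; names below are placeholders.
#Requires -Modules ActiveDirectory

function Get-ServiceAccountUsage {
    # Inventory every Windows service and scheduled task on the given hosts
    # that runs under $Account. Run this BEFORE changing the password, so the
    # new secret can be pushed to every dependent (backup jobs included)
    # instead of being discovered by a failed job on the next run.
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Account      # e.g. 'CORP\svc-backup'
    )
    $short = $Account.Split('\')[-1]                    # name without domain prefix
    foreach ($computer in $ComputerName) {
        # Services: Win32_Service.StartName holds the logon account.
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
            Where-Object { $_.StartName -eq $Account -or $_.StartName -eq ".\$short" } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $computer; Kind = 'Service'
                                   Name = $_.Name; State = $_.State }
            }
        # Scheduled tasks: Principal.UserId holds the run-as account, stored
        # with or without the domain prefix depending on how it was registered.
        Invoke-Command -ComputerName $computer -ScriptBlock {
            Get-ScheduledTask | Where-Object {
                $_.Principal.UserId -eq $using:Account -or $_.Principal.UserId -eq $using:short
            }
        } | ForEach-Object {
            [pscustomobject]@{ Computer = $computer; Kind = 'Task'
                               Name = $_.TaskName; State = $_.State }
        }
    }
}

function Get-StaleAccounts {
    # Enabled accounts with no logon for $Days days. Password expiry never
    # catches these; they have to be disabled explicitly. With -Disable the
    # function disables them; without it, it only reports.
    param(
        [int]    $Days = 90,
        [switch] $Disable
    )
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
            if ($Disable) {
                # -WhatIf by default is deliberate: review the list first.
                Disable-ADAccount -Identity $u.DistinguishedName -WhatIf
            }
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                LastLogonDate        = $u.LastLogonDate
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
            }
        }
}

# Usage (placeholder names):
# Get-ServiceAccountUsage -ComputerName 'backup01','fileserv02' -Account 'CORP\svc-backup' | Format-Table
# Get-StaleAccounts -Days 90 | Format-Table
```

Two caveats a practitioner should keep in mind: LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of up to about 14 days, so the threshold should not be set much below that; and an account that never logs on interactively but still runs services will not show in the stale list, which is exactly why the service inventory above should be run first.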