Author Topic: User PW Validity  (Read 1082 times)

0 Members and 1 Guest are viewing this topic.

Offline Mmwwaaaa

  • Serf
  • *
  • Posts: 20
  • Cookies: 6
    • View Profile
User PW Validity
« on: February 23, 2016, 01:21:22 am »
Hey all,


So you have 10<>10,000 employees:

Do you A: Enforce they have a complex pw & only issue a change notice when breached..

OR

Should you B: Enforce that they change their pw every x amount of days/weeks...

The average human cannot keep up to standards with cryptography as it is.. By forcing them to change their pw we risk the fact that most people use/re-use they favourite pw.

Are we safer to let them stick with their favourite or should we enforce change?

Regards,
« Last Edit: February 23, 2016, 07:05:52 am by Kulverstukas »

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: User PW Validity
« Reply #1 on: February 23, 2016, 07:07:15 am »
We make them change the password once a year, and Windows GPO settings allows to set the complexity and history rules, so they don't reuse their passwords and have the required complexity.

Offline phoenixcoder

  • /dev/null
  • *
  • Posts: 7
  • Cookies: -3
    • View Profile
Re: User PW Validity
« Reply #2 on: February 23, 2016, 02:02:08 pm »
I think passwords should be changed every 4 weeks if the environment requires a high level of security and like Kulverstukas said, the password complexity and reuse can be configured as rules

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: User PW Validity
« Reply #3 on: February 23, 2016, 08:30:17 pm »
I think passwords should be changed every 4 weeks if the environment requires a high level of security and like Kulverstukas said, the password complexity and reuse can be configured as rules
So you write it down and put it under the keyboard?
Thats what happens IRL
« Last Edit: February 23, 2016, 08:31:47 pm by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline phoenixcoder

  • /dev/null
  • *
  • Posts: 7
  • Cookies: -3
    • View Profile
Re: User PW Validity
« Reply #4 on: February 23, 2016, 08:32:30 pm »

So you write it down and put it under the keyboard?
Thats what happens IRL

Seriously? That sentence made me cringe!

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: User PW Validity
« Reply #5 on: February 23, 2016, 08:38:15 pm »
Seriously? That sentence made me cringe!
You can not require from a human being to remember 12 new hard pwd's per account per year, its insane.
Instead 2 factor auth or padlocks provide a more secure method which also lowers stress on the users.
« Last Edit: February 23, 2016, 08:39:09 pm by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline phoenixcoder

  • /dev/null
  • *
  • Posts: 7
  • Cookies: -3
    • View Profile
Re: User PW Validity
« Reply #6 on: February 23, 2016, 08:40:01 pm »

You can not require from a human being to remember 12 new hard pwd's per account per year, its insane.
Instead 2 factor auth or padlocks provide a more secure method which also lowers the stress on the users.

Password managers are your friend, moreover some mobile counter parts has finger print access

Offline HTH

  • Official EZ Slut
  • Administrator
  • Knight
  • *
  • Posts: 395
  • Cookies: 158
  • EZ Titan
    • View Profile
Re: User PW Validity
« Reply #7 on: February 25, 2016, 12:02:14 pm »
thats cool bro, but i promise that all 10,000 of your employees will NOT be using a password manager and enforcing a rule where they have to would be stupid and add unnecessary complexity. (and 9,950 of them will only use your companies password in it anyway.

change once a year, maybe once every 6 months if user security is that high on the totem pole, use two factor if feasible, and dont allow reuse or simple passwords.

realistically most hacking situations involving user passwords being compromised happened because they reused it on something you DONT control (some bs website that got their db dumped, their cellphone, w/e) and in that case what really matters is UAC and ensuring the rest of your network is up to par.
<ande> HTH is love, HTH is life
<TurboBorland> hth is the only person on this server I can say would successfully spitefuck peoples women

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: User PW Validity
« Reply #8 on: February 25, 2016, 06:20:51 pm »
thats cool bro, but i promise that all 10,000 of your employees will NOT be using a password manager and enforcing a rule where they have to would be stupid and add unnecessary complexity. (and 9,950 of them will only use your companies password in it anyway.

change once a year, maybe once every 6 months if user security is that high on the totem pole, use two factor if feasible, and dont allow reuse or simple passwords.

realistically most hacking situations involving user passwords being compromised happened because they reused it on something you DONT control (some bs website that got their db dumped, their cellphone, w/e) and in that case what really matters is UAC and ensuring the rest of your network is up to par.
Thanks, I didnt know where to start with the punk  below, well said.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage