Solved

Best practices for password changing - remote users

Posted on 2011-10-25
Last Modified: 2012-06-27
Hi,

I administer an organization that uses a Microsoft domain (with an Exchange box), but also has many remote users that are not on the domain. Right now, I maintain the passwords for the users (and they don't change), but I am sure that doing this opens us up to gaping security breaches. My question is: what are the best practices for password changing for remote users that are not on the domain, i.e. laptop users? If I set it so that each user maintains their own password, what if the user works 50 miles away and loses track of their password?

Thanks for any input,

Gary
Question by:frabus
17 Comments
 
LVL 14

Accepted Solution

by:
sentner earned 750 total points
ID: 37027188
Password best practices don't really change due to distance of the user.  They are responsible for remembering their own passwords.  The best thing you can do is give them guidance on how to choose a good secure password.

One way to do that is for the user to come up with a sentence around 8-10 words long, and use the first letter of each word for that sentence as the password, combined with some numbers or special characters, and mixed capitalization, or even to use full words together in a sentence as the password.  

A longer password is more secure than a shorter but complex password (i.e., a password like "thisismysecurepassword!" is much more difficult to break than "tismsp3#").
 
LVL 12

Expert Comment

by:Gary Coltharp
ID: 37027204
You can still reset their AD password administratively....

Setting password policies that have 1.) minimum length, 2.) complexity requirements, 3.) expiry are all good practices.

I would set expiry at 30 days. Length to no less than 8 characters. You can also set history so that they can't reuse the same password. Complexity is up to you but can cause more password reset woes because they are more difficult to remember.
 
LVL 16

Assisted Solution

by:uescomp
uescomp earned 375 total points
ID: 37027228
The password that is supposed to be held by the end user is their responsibility to retain, and it is not your fault if it gets lost or they cannot remember it.

I have a couple of users not on the domain, but one question is: do they VPN in to access files, or use email, in which case they have an account on your domain but the system is not joined to it? Also, what I do for my remote users is install a remote utility on their system such as LogMeIn, etc., and put in an admin account for myself; that way, if they did ever lose their password I could always connect and clear it using the Computer Management console.
 
LVL 11

Assisted Solution

by:itguy565
itguy565 earned 375 total points
ID: 37027229
Frabus,

First I have to say maintaining a password list in my experience is a bad idea. This leads to unnecessary administrative cost that could otherwise be avoided.

I would suggest, since you have remote users, to have the password policy set where the password changes every 30 days and requires the use of a complex password. I would also ensure that the last 20 passwords are kept in memory and can't be used.

If the user loses their password then the administrator can reset the password or unlock the user account with ease. This is what I would recommend. If you maintain a list of all the users' passwords then you are just opening yourself up for a headache, not to mention security risks.
 
LVL 11

Expert Comment

by:itguy565
ID: 37027237
lol, start typing and there are no replies; finish typing and there are several. Wow, I love Experts Exchange, everyone willing to help :P
 
LVL 14

Expert Comment

by:sentner
ID: 37027326
I don't recommend setting expiration as often as 30 days.  As long as the complexity is sufficient to make it nearly impossible to crack a password within a certain timeframe, there's no need to change it during that time.  Requiring a non-dictionary password which is at least 12 characters long should make it so hard to break that even a modern supercomputer couldn't break it within a year or more.  Combine that with guidance for the user on how to create passwords that they can remember, and they will be less likely to write them down.  If people have to change their password every few weeks, they're much more likely to write them down somewhere, increasing the risk of them being stolen.
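Added example, not code from the thread: a Python estimate of how the two passwords sentner contrasts in the accepted answer ("thisismysecurepassword!" versus "tismsp3#"), and the "at least 12 characters, non-dictionary" threshold from his comment above, fare under two attacker models. The brute-force model assumes the attacker must try every string of that length over that character set; the dictionary model assumes the attacker knows the password is a few common words and only iterates over word combinations, which is why a long all-lowercase phrase scores far lower under it. The guess rates, the dictionary size and the candidate passwords are assumptions chosen for illustration.

```python
import math
import string

# Assumed guess rates, for illustration only.
OFFLINE_GUESSES_PER_SEC = 1e9   # assumption: one GPU against a fast unsalted hash
ONLINE_GUESSES_PER_SEC = 10.0   # assumption: rate-limited logon attempts over a network


def charset_size(password):
    """Size of the union of the character classes the password draws from."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
        (" ", 1),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def brute_force_bits(password):
    """Entropy if the attacker enumerates every string of this length and charset."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count, dictionary_size):
    """Entropy if the attacker knows the password is word_count words from a dictionary."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space; the expected time to a hit is half this."""
    return 2 ** bits / guesses_per_second


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(password, words=None, dictionary_size=50_000):
    """Return the most pessimistic entropy estimate and the per-model detail.

    words: number of dictionary words the password is built from, if it is a
    phrase of common words (None when the dictionary model does not apply).
    dictionary_size: assumed size of the attacker's word list.
    """
    estimates = {"brute_force": brute_force_bits(password)}
    if words:
        estimates["dictionary"] = passphrase_bits(words, dictionary_size)
    return min(estimates.values()), estimates


if __name__ == "__main__":
    # Constructed sample passwords: the two from the thread plus the xkcd-style phrase.
    samples = (("thisismysecurepassword!", 4), ("tismsp3#", None), ("correcthorsebatterystaple", 4))
    for pw, words in samples:
        bits, detail = compare(pw, words)
        print(f"{pw!r}: {bits:.1f} bits  {detail}")
        print("  offline (1e9/s):", human_time(seconds_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC)))
        print("  online  (10/s): ", human_time(seconds_to_exhaust(bits, ONLINE_GUESSES_PER_SEC)))
```

Run as a script to see the table. The interesting caveat it makes visible: under the dictionary model the 23-character phrase drops from about 135 bits to about 62 bits, still comfortably above the 8-character "complex" password's 49 bits, but no longer "unbreakable in a year" against a fast unsalted hash. Which model applies depends on whether the attacker has the hashes at all, which is the point sentner raises later in the thread.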
 
LVL 11

Expert Comment

by:itguy565
ID: 37027890
Senter,

Modern security and cryptography techniques allow passwords to be broken much quicker than what you are describing. I would suggest looking into the concept and uses of Rainbow Tables. Password policies are usually enforced with settings that are in the eye of the beholder. What I mean by this is any time you are looking at implementing a policy you should use settings that best protect your business. In my case 30 days is a viable and very realistic setting based on a risk analysis that I conducted on the risk of a network intrusion and what that might cost my business in the event that it occurred.

In reality it is really up to you and your company execs what you set for a password policy. Remember to always perform a risk analysis anytime you make changes.
 
LVL 11

Expert Comment

by:itguy565
ID: 37028035
 
LVL 11

Expert Comment

by:itguy565
ID: 37028042
 
LVL 14

Expert Comment

by:sentner
ID: 37028068
itguy,

This is why I suggest longer passwords than the old standard of 8 characters.  Modern OSes (at least unix ones) are not very vulnerable to attacks such as you describe due to the way that their password one-way salted hash algorithms work. http://en.wikipedia.org/wiki/Rainbow_table#Defense_against_rainbow_tables

However, I agree that it's up to each company or group to decide what works best for them.  In my opinion, the (very slight) decrease in risk of password cracking from changing passwords regularly is outweighed by the much greater risk of passwords being stolen due to them being written down, emailed to themselves, saved in a text file, saved to their phone, etc.  Simply telling people not to write them down won't work since they will become frustrated after constantly forgetting their passwords.

Here's a great illustration of what I'm talking about:
http://xkcd.com/936/
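Added example, not code from the thread: a small Python demonstration of the defence sentner links to above, and of why itguy565's rainbow-table timings assume an unsalted hash. A constructed six-entry candidate list stands in for the attacker's word list, unsalted SHA-1 stands in for an unsalted password hash (an assumption; NTLM differs in detail but shares the property that equal passwords give equal hashes), and PBKDF2 with a per-account random salt stands in for a salted, slow scheme. The work factor and candidate list are assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list (assumption: a stand-in for the attacker's dictionary).
CANDIDATES = ["password", "letmein", "Summer2011", "welcome1", "tismsp3#", "thisismysecurepassword!"]
PBKDF2_ROUNDS = 100_000  # assumption: work factor that makes each guess deliberately slow


def unsalted_hash(password):
    """Unsalted digest: identical passwords always produce identical output."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """One-time precomputation, hash -> password, reusable against every account.

    A rainbow table is a space-compressed form of exactly this table; the
    attack property (precompute once, look up many) is the same.
    """
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_hash, table):
    """Single lookup; cost does not grow with the number of accounts attacked."""
    return table.get(stored_hash)


def salted_hash(password, salt, rounds=PBKDF2_ROUNDS):
    """Derive the stored key from password and a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_record(password, rounds=PBKDF2_ROUNDS):
    """What a salted system stores: a fresh random salt next to the derived key."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt, rounds)


def crack_salted(salt, stored_key, candidates, rounds=PBKDF2_ROUNDS):
    """No precomputation helps: every candidate is re-derived with this account's salt."""
    for p in candidates:
        if hmac.compare_digest(salted_hash(p, salt, rounds), stored_key):
            return p
    return None


def hash_work(accounts, candidates):
    """Hash evaluations the attacker performs to try every candidate against
    every account: (unsalted, salted)."""
    return len(candidates), accounts * len(candidates)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted lookup:", crack_unsalted(unsalted_hash("letmein"), table))

    # Two accounts with the same password get different stored keys, so the
    # precomputed table is useless and each account costs a full dictionary pass.
    salt_a, key_a = make_record("letmein")
    salt_b, key_b = make_record("letmein")
    print("salted keys equal:", key_a == key_b)
    print("table hit on salted key:", table.get(key_a.hex()))
    print("per-account crack:", crack_salted(salt_a, key_a, CANDIDATES))
    print("hash evaluations for 500 accounts (unsalted, salted):", hash_work(500, CANDIDATES))
```

The last line shows the scaling argument in numbers: against an unsalted store the attacker hashes the dictionary once and then pays one lookup per account, whereas with per-account salts the work is the dictionary size multiplied by the number of accounts, and each evaluation is additionally slowed by the work factor. Either way the attacker first needs a copy of the hashes, which is the caveat sentner adds at the end of the thread.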
 
LVL 11

Expert Comment

by:itguy565
ID: 37028069
When I saw this method I was humbled and immediately changed the security measures I had in place on my network. I would suggest that all network admins take heed of this and look at their policies to ensure they are the best for their companies.
 
LVL 14

Expert Comment

by:sentner
ID: 37028205
itguy, according to those screenshots, passwords would be completely irrelevant if anyone could crack any password within a half hour.. My guess is that was a non-salted hash algorithm used to encrypt the passwords.  Do you have a source for that data?
 
LVL 11

Expert Comment

by:itguy565
ID: 37028223
Sentner,

Point taken. I agree that social engineering is a big problem when it comes to network security and thus agree with you about written passwords. Your network security policy or computer use policy should address this and ensure that your users understand the do's and don'ts of the corporate networking environment. Your statement about Unix is true; however, I have kept all my comments based on the Microsoft platforms because the author is running a Microsoft-based environment.
 
LVL 14

Expert Comment

by:sentner
ID: 37028516
Point taken.  Windows has of course always been much less secure than unix.  Windows 2008 I believe has solved (or at least reduced) the danger of this type of attack however, which is good.

LVL 11

Expert Comment

by:itguy565
ID: 37031594
Sentner,

The source for that data is http://www.rainbowtables.net/tutorials/matrix.php. I however have seen this in action first hand at DEFCON in Las Vegas. The times listed on that sheet are very viable and very real.
 
LVL 14

Assisted Solution

by:sentner
sentner earned 750 total points
ID: 37032639
I have no doubt that the info was real, I really just wondered what the password encryption type was that was used.  Of course this also requires that a hacker be able to gain access to the encrypted passwords in order to crack them.  As long as your auth system is well protected, that should not be an issue in itself.
 

Author Closing Comment

by:frabus
ID: 37034787
Thank you all for your insightful advice.  I’ll put the whole mess in my pipe and smoke it. (I won't inhale of course).