Best practices for password changing - remote users

Hi,

I administer an organization that uses a Microsoft domain (with an Exchange box), but also has many remote users that are not on the domain.  Right now, I maintain the passwords for the users (and they don't change), but I am sure that doing this opens us up to gaping security breaches. My question is: what are the best practices for password changing for remote users that are not on the domain i.e. laptop users.  If I set it so that each user maintains their own password, what if the user works 50 miles away and loses track of their password?

Thanks for any input,

Gary
frabus asked:

sentner commented:
Password best practices don't really change due to distance of the user.  They are responsible for remembering their own passwords.  The best thing you can do is give them guidance on how to choose a good secure password.

One way to do that is for the user to come up with a sentence around 8-10 words long, and use the first letter of each word for that sentence as the password, combined with some numbers or special characters, and mixed capitalization, or even to use full words together in a sentence as the password.  

A longer password is more secure than a shorter but complex password (i.e., a password like "thisismysecurepassword!" is much more difficult to break than "tismsp3#").

Gary Coltharp (Sr. Systems Engineer) commented:
You can still reset their AD password administratively....

Setting password policies that have 1.) minimum length, 2.) complexity requirements, 3.) expiry are all good practices.

I would set expiry at 30 days. Length to no less than 8 characters. You can also set history so that they can reuse the same password. Complexity is up to you but can cause more password reset woes because they are more difficult to remember.

uescomp commented:
The password that is supposed to be held by the end user is their responsibility to retain, and it is not your fault if it gets lost or they cannot remember it.

I have a couple of users not on the domain, but one question is: do they VPN in to access files or use email, in which case they have an account on your domain but the system is not joined to it?  Also, what I do for my remote users is install a remote utility on their system such as LogMeIn etc. and put in an admin account for myself; that way if they did ever lose their password I could always connect and clear it using the Computer Management console.

ITguy565 commented:
Frabus,

First I have to say maintaining a password list in my experience is a bad idea. This leads to unnecessary administrative cost that could otherwise be avoided.

I would suggest, since you have remote users, to have the password policy set where the password changes every 30 days and requires the use of complex passwords. I would also ensure that the last 20 passwords are kept in memory and can't be used.

If the user loses their password then the administrator can reset the password or unlock the user account with ease. This is what I would recommend. If you maintain a list of all the users' passwords then you are just opening yourself up for a headache, not to mention security risks.

ITguy565 commented:
lol, start typing and there are no replies; finish typing and there are several.. Wow, I love Experts Exchange, everyone willing to help :P

sentner commented:
I don't recommend setting expiration as often as 30 days.  As long as the complexity is sufficient to make it nearly impossible to crack a password within a certain timeframe, there's no need to change it during that time.  Requiring a non-dictionary password which is at least 12 characters long should make it so hard to break that even a modern supercomputer couldn't break it within a year or more.  Combine that with guidance for the user on how to create passwords that they can remember, and they will be less likely to write them down.  If people have to change their password every few weeks, they're much more likely to write them down somewhere, increasing the risk of them being stolen.
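An added worked example (not code from any of the commenters) of the length-versus-complexity reasoning in sentner's two comments above: it estimates the brute-force keyspace in bits for the two sample passwords from the first comment and for a random word passphrase, and converts bits to years at an assumed guess rate. The guess rate and the 2048-word dictionary size are assumptions.

```python
import math
import string

# Character classes a brute-force attacker must include once a password
# is seen to use them (class sizes are the plain ASCII counts).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def brute_force_bits(password: str) -> float:
    """Keyspace in bits against a pure brute-force search: length * log2(alphabet).
    This overstates the strength of a phrase built from common dictionary words,
    because a dictionary-aware attacker guesses whole words, not characters."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Keyspace in bits for n words picked uniformly at random from a word list;
    this is the honest figure for an xkcd-style passphrase."""
    return n_words * math.log2(dictionary_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    RATE = 1e9  # constructed assumption: one billion guesses per second
    for pw in ("tismsp3#", "thisismysecurepassword!"):
        bits = brute_force_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"{bits:.1f} bits, {years_to_exhaust(bits, RATE):.3g} years")
    # four words chosen at random from an assumed 2048-word list
    bits = passphrase_bits(4, 2048)
    print(f"4 random words / 2048: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, RATE):.3g} years")
```

The 8-character sample comes out near 49 bits and the 23-character sample near 135 bits against brute force, which is the gap the comment describes; the passphrase figure (44 bits) is what remains once the attacker is assumed to know the word list.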
 
ITguy565 commented:
Sentner,

Modern security and cryptography techniques allow passwords to be broken much quicker than what you are describing. I would suggest looking into the concept and uses of Rainbow Tables. Password policies are usually enforced with settings that are in the eye of the beholder. What I mean by this is anytime you are looking at implementing a policy you should use settings that best protect your business. In my case 30 days is a viable and very realistic setting based on a risk analysis that I conducted on the risk of a network intrusion and what that might cost my business in the event that it occurred.

In reality it is really up to you and your company execs what you set for a password policy. Remember to always perform a risk analysis anytime you make changes.

ITguy565 commented:

ITguy565 commented:

sentner commented:
itguy,

This is why I suggest longer passwords than the old standard of 8 characters.  Modern OSes (at least unix ones) are not very vulnerable to attacks such as you describe due to the way that their password one-way salted hash algorithms work. http://en.wikipedia.org/wiki/Rainbow_table#Defense_against_rainbow_tables

However, I agree that it's up to each company or group to decide what works best for them.  In my opinion, the (very slight) decrease in risk of password cracking from changing passwords regularly is outweighed by the much greater risk of passwords being stolen due to them being written down, emailed to themselves, saved in a text file, saved to their phone, etc.  Simply telling people not to write them down won't work since they will become frustrated after constantly forgetting their passwords.

Here's a great illustration of what I'm talking about:
http://xkcd.com/936/
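An added example (not from the thread) of the rainbow-table defence that sentner's comment above refers to: an unsalted hash lets one precomputed table match every account that shares a password, while a per-account random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here, with an assumed iteration count) gives each account a distinct digest that no shared table covers.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster

def unsalted_digest(password: str) -> str:
    """What a rainbow table targets: the same password always yields the same
    digest, so one precomputed table serves every account on every system."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt per account means a
    table precomputed for one salt is useless against any other account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def shared_password_detectable(password: str, salted: bool) -> bool:
    """Can two accounts using the same password be spotted from stored digests
    alone? True for unsalted storage, False once each account has its own salt."""
    if salted:
        (_, d1), (_, d2) = hash_password(password), hash_password(password)
        return d1 == d2
    return unsalted_digest(password) == unsalted_digest(password)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted: shared password visible ->", shared_password_detectable(pw, False))
    print("salted:   shared password visible ->", shared_password_detectable(pw, True))
    salt, digest = hash_password(pw)
    print("login with right password ->", verify_password(pw, salt, digest))
    print("login with wrong password ->", verify_password(pw.title(), salt, digest))
```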
 
ITguy565 commented:
When I saw this method I was humbled and immediately changed the security measures I had in place on my network. I would suggest that all network admins take heed of this and look at their policies to ensure they are the best for their companies.

sentner commented:
itguy, according to those screenshots, passwords would be completely irrelevant if anyone could crack any password within a half hour. My guess is that was a non-salted hash algorithm used to encrypt the passwords.  Do you have a source for that data?

ITguy565 commented:
Sentner,

Point taken, I agree that social engineering is a big problem when it comes to network security and thus agree with you about written passwords. Your network security policy or computer use policy should address this and ensure that your users understand the do's and don'ts of the corporate networking environment. Your statement about unix is true, however I have kept all my comments based on the Microsoft based platforms because the author is running a Microsoft Based Environment.

sentner commented:
Point taken.  Windows has of course always been much less secure than unix.  Windows 2008 I believe has solved (or at least reduced) the danger of this type of attack however, which is good.

ITguy565 commented:
Sentner,

The source for that data is http://www.rainbowtables.net/tutorials/matrix.php. I however have seen this in action first hand at DEFCON in Las Vegas. The times listed on that sheet are very viable and very real.

sentner commented:
I have no doubt that the info was real, I really just wondered what the password encryption type was that was used.  Of course this also requires that a hacker be able to gain access to the encrypted passwords in order to crack them.  As long as your auth system is well protected, that should not be an issue in itself.

frabus (author) commented:
Thank you all for your insightful advice.  I’ll put the whole mess in my pipe and smoke it. (I won't inhale of course).