Trevor Ryhorchuk (Guest)
Posted: Tue Jan 18, 2005 10:53 pm
Post subject: Password Management

I would like to find some information on password management best practices.
I have been asked whether it would be safe for us to keep a file, available
over the network, that lists all of our passwords. Not just for our software
but for the websites we access as well. We are going to be moving over to
Microsoft Small Business Server so that we can have Outlook on exchange
server and be able to share contacts etc.
Any direction will be appreciated.
TDR

Phillip Windell (Guest)
Posted: Tue Jan 18, 2005 11:11 pm
Post subject: Re: Password Management

"Trevor Ryhorchuk" <TrevorRyhorchuk@discussions.microsoft.com> wrote in
message news:5E16C78A-75BE-4CEE-B527-8721DBA02DA1@microsoft.com...
Quote:
> I would like to find some information on password management best practices.
> I have been asked whether it would be safe for us to keep a file, available
> over the network, that lists all of our passwords.
That question is sure to start some excitement. People will be beating each
other senseless once they start arguing over the right answer. Keeping
lists will only work if the passwords never change or rarely change; it is
impossible to maintain if password policy forces regular password changes.
If you keep a list, keep it secured and safe... keep it *very* secured and
safe.
You also can never accuse a user of anything, because his defense would be
that since a record is kept of the passwords, anyone who could have acquired
the list could have "impersonated" him; therefore it is impossible to prove
guilt in spite of what the server logs may say.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

daniel (Guest)
Posted: Tue Jan 18, 2005 11:14 pm
Post subject: Re: Password Management

Any file on your network accessible by anyone at all is subject to
interception, theft and, of course, user interaction.
So: no password file at all, period.
Passwords, to be secure, should meet a minimum length and complexity and
should be changed at regular intervals.
Passwords should not be saved for web pages or VPNs or any other important
accounts, as the Protected Storage where Windows stores such information is
easily decrypted.
So, to recap:
Definitely no password file unless it is a paper copy in a secure location.
Change passwords every 14 days or so.
Have a password longer than 15 characters to avoid easily decrypted LM
hashes.
Require the users to have a mixture of numbers and letters, both lower and
upper case, that spell no known words.
In practice this is extremely hard to enforce, and you will be inundated
with users who cannot remember their passwords if you take me literally.
The practical answer: try fairly complex passwords (definitely more than six,
but eight or nine will do) that do not include their own names, and make
them change them regularly.
"Trevor Ryhorchuk" <TrevorRyhorchuk@discussions.microsoft.com> wrote in
message news:5E16C78A-75BE-4CEE-B527-8721DBA02DA1@microsoft.com...
Quote:
> I would like to find some information on password management best practices.
> I have been asked whether it would be safe for us to keep a file, available
> over the network, that lists all of our passwords. Not just for our software
> but for the websites we access as well. We are going to be moving over to
> Microsoft Small Business Server so that we can have Outlook on exchange
> server and be able to share contacts etc.
> Any direction will be appreciated.
> TDR
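The rules daniel lists (minimum length, mixed case plus digits, no known words, no user's own name, and the 14-character LM hash boundary) can be turned into a checker. The following is an added example and not code from the thread or from Microsoft; the thresholds, the rule wording and the tiny word list are illustrative choices of mine, and the LM behaviour shown is the classic one: the password is upper-cased, cut or padded to 14 bytes and hashed as two independent 7-byte halves, and a default install of that era stores no LM hash at all for a password longer than 14 characters.

```python
"""
Added example (not from the thread): a checker for the password rules daniel
lists above, plus a look at why the 14-character limit matters for LM hashes.
The rule thresholds and the tiny word list are illustrative assumptions.
"""
import re

# Constructed stand-in for a real dictionary / word list.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein"}

# An LM hash covers at most 14 characters; Windows stores no LM hash for a
# longer password (it records the fixed "empty" LM value instead).
LM_MAX_LEN = 14


def check_password(password, username="", dictionary=DICTIONARY, min_len=8):
    """Return a list of policy violations (an empty list means the password passes).

    Rules follow the post: minimum length, lower and upper case letters, digits,
    no user's own name, and no recognisable dictionary word.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append(f"contains the user's name {username!r}")
    # Sorted so the report order is deterministic regardless of set order.
    for word in sorted(dictionary):
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems


def lm_hash_present(password):
    """True if a default Windows install of that era would keep an LM hash."""
    return len(password) <= LM_MAX_LEN


def lm_halves(password):
    """Show the two independent 7-byte inputs LM derives from a password.

    LM upper-cases the password, truncates or pads it to 14 bytes and hashes
    each 7-byte half separately, so an 8-character password leaves a second
    half of one character plus padding that is trivial to brute-force.
    """
    oem = password.upper().encode("latin-1", "replace")
    padded = oem[:LM_MAX_LEN].ljust(LM_MAX_LEN, b"\x00")
    return padded[:7], padded[7:]


if __name__ == "__main__":
    samples = [("trevor1", "Trevor"), ("Password2005", "tdr"),
               ("Tr0ub4dor&3xyz", "Trevor"), ("correct horse battery staple", "tdr")]
    for pw, user in samples:
        report = check_password(pw, user) or ["ok"]
        print(f"{pw!r:32} LM hash stored: {lm_hash_present(pw)!s:5} "
              f"halves: {lm_halves(pw)}  {'; '.join(report)}")
```

The `lm_halves` output makes the point behind the "longer than 14 characters" advice visible: `Password2005` becomes `PASSWOR` and `D2005\x00\x00`, two halves an attacker cracks separately, with the second one almost empty. On Windows 2000 SP2 and later, XP and 2003, the "Network security: Do not store LAN Manager hash value on next password change" policy (`NoLMHash`) stops LM storage regardless of length; it only takes effect when each user next changes a password, so it pairs naturally with the forced change daniel recommends.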
Trevor Ryhorchuk (Guest)
Posted: Wed Jan 19, 2005 12:03 am
Post subject: Re: Password Management

Thanks for the input. I can see how there could be potential for abuse, so
although it would be nice to have a central password repository, the best
practice would be for everyone to maintain their own list in a safe place and
change the passwords regularly.
Thanks again,
TDR
"daniel" wrote:
Quote:
> Any file on your network accessible by anyone at all is subject to
> interception, theft and, of course, user interaction.
> So: no password file at all, period.
> Passwords, to be secure, should meet a minimum length and complexity and
> should be changed at regular intervals.
> Passwords should not be saved for web pages or VPNs or any other important
> accounts, as the Protected Storage where Windows stores such information is
> easily decrypted.
> So, to recap:
> Definitely no password file unless it is a paper copy in a secure location.
> Change passwords every 14 days or so.
> Have a password longer than 15 characters to avoid easily decrypted LM
> hashes.
> Require the users to have a mixture of numbers and letters, both lower and
> upper case, that spell no known words.
> In practice this is extremely hard to enforce, and you will be inundated
> with users who cannot remember their passwords if you take me literally.
> The practical answer: try fairly complex passwords (definitely more than six,
> but eight or nine will do) that do not include their own names, and make
> them change them regularly.
> "Trevor Ryhorchuk" <TrevorRyhorchuk@discussions.microsoft.com> wrote in
> message news:5E16C78A-75BE-4CEE-B527-8721DBA02DA1@microsoft.com...
>> I would like to find some information on password management best practices.
>> I have been asked whether it would be safe for us to keep a file, available
>> over the network, that lists all of our passwords. Not just for our software
>> but for the websites we access as well. We are going to be moving over to
>> Microsoft Small Business Server so that we can have Outlook on exchange
>> server and be able to share contacts etc.
>> Any direction will be appreciated.
>> TDR
Trevor Ryhorchuk (Guest)
Posted: Wed Jan 19, 2005 12:05 am
Post subject: Re: Password Management

Thanks Phillip!!
"Phillip Windell" wrote:
Quote:
> "Trevor Ryhorchuk" <TrevorRyhorchuk@discussions.microsoft.com> wrote in
> message news:5E16C78A-75BE-4CEE-B527-8721DBA02DA1@microsoft.com...
>> I would like to find some information on password management best practices.
>> I have been asked whether it would be safe for us to keep a file, available
>> over the network, that lists all of our passwords.
> That question is sure to start some excitement. People will be beating each
> other senseless once they start arguing over the right answer. Keeping
> lists will only work if the passwords never change or rarely change; it is
> impossible to maintain if password policy forces regular password changes.
> If you keep a list, keep it secured and safe... keep it *very* secured and
> safe.
> You also can never accuse a user of anything, because his defense would be
> that since a record is kept of the passwords, anyone who could have acquired
> the list could have "impersonated" him; therefore it is impossible to prove
> guilt in spite of what the server logs may say.
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
Phillip Windell (Guest)
Posted: Wed Jan 19, 2005 12:15 am
Post subject: Re: Password Management

"Trevor Ryhorchuk" <TrevorRyhorchuk@discussions.microsoft.com> wrote in
message news:F670EE0E-A12F-4D9D-8921-5828AB0FCA59@microsoft.com...
Quote:
> Thanks for the input. I can see how there could be potential for abuse, so
> although it would be nice to have a central password repository, the best
> practice would be for everyone to maintain their own list in a safe place and
> change the passwords regularly.
No. That would be worse. Securing *one* password list is difficult
enough; how are you going to secure *many*, when their security depends on
whoever the "everyone" happens to be?
Changing password regularly is fine.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

daniel (Guest)
Posted: Wed Jan 19, 2005 1:03 am
Post subject: Re: Password Management

I couldn't have made it clearer: "no list, PERIOD".
I like to help, but don't misquote me, please.
"Trevor Ryhorchuk" <TrevorRyhorchuk@discussions.microsoft.com> wrote in
message news:5E16C78A-75BE-4CEE-B527-8721DBA02DA1@microsoft.com...
Quote:
> I would like to find some information on password management best practices.
> I have been asked whether it would be safe for us to keep a file, available
> over the network, that lists all of our passwords. Not just for our software
> but for the websites we access as well. We are going to be moving over to
> Microsoft Small Business Server so that we can have Outlook on exchange
> server and be able to share contacts etc.
> Any direction will be appreciated.
> TDR