What is more important password expiration, complexity or something else?

I was holding a conversation today about password expiration and I have decided it isn’t so much about the password strength or the time between password changes. Looking at it passwords are a primary method used to control access to resources. Because authenticated access is seldom logged, a compromised password is a way to explore a system without causing suspicion. An attacker with a compromised password can access any resource available to that user. So it really comes down to protecting the area that passwords are stored not.

A great example is using a password cracker like Ophcrack, you can crack the password “Fgpyyih804423″ in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. Now granted it is using Rainbow tables, but ultimately if you your SAM file or /etc/passwd /etc/shadow files are compromised your pretty much history. Additionally, if you limit failed attempts with lock outs (or a limited time lockout) I think you are going to prevent the brute force attacks.

Poor passwords or blank passwords are still a common occurrence on many networks. Many users still use dictionary words, hybrids, names, and default passwords. Additionally passwords less than 8 characters and passwords that are the same as the username are also frequently used. These types of passwords can be cracked within minutes or even seconds using any number of publicly available password crackers.

General guidelines for password security include:

• Passwords should be 12 or more characters in length on Windows systems.

• In older releases of some UNIX operating systems, a maximum of 8 characters was the maximum number of characters allowed. However, on more modern day UNIX systems passwords length is based upon the available algorithm (MD5, Blowfish, etc) residing on the systems. This gives the added benefit of maximizing the password length to 255 characters on some systems.

• Users should never share their passwords nor keep written passwords in an easily-accessible place (e.g. under a keyboard, on the computer monitor).

• Passwords should be difficult to guess and include uppercase, lowercase, special (e.g., punctuation and extended character set), and numeric characters. They should not include dictionary words or names.

• Users should not transmit passwords in cleartext (e.g. via Telnet or FTP)

• System administrators should crack passwords monthly to identify problems with weak passwords and to determine if the password policy is being followed. Password-guessing programs (e.g. “John the Ripper,’’ “L0phtCrack,” and “Crack”) identify those users having easily guessed passwords. Because password cracking programs are very CPU intensive and can slow down the system on which it is running, it is a good idea to transfer the encrypted passwords (the dumped SAM database for Windows and the /etc/passwd and /etc/shadow files in UNIX) to a stand-alone (not networked) system. Also, by doing the work on a non-networked machine, any results found will not be accessible by anyone unless they have physical access to that system. NOTE: Always obtain explicit and preferably written permission from the organization before running any password scanner/cracker.

• Passwords should be changed regularly (every 30 to 90 days). Set up password aging via Account Policy for Windows systems or the /etc/default/passwd file in SOLARIS. Some Linux releases use the ‘charge’ command to set up and modify the password aging requirements for users.