What is more important password expiration, complexity or something else?
February 21, 2008 — secauditor

I was holding a conversation today about password expiration and I have decided it isn’t so much about the password strength or the time between password changes. Looking at it, passwords are a primary method used to control access to resources. Because authenticated access is seldom logged, a compromised password is a way to explore a system without causing suspicion. An attacker with a compromised password can access any resource available to that user. So it really comes down to protecting the area where passwords are stored.
A great example is using a password cracker like Ophcrack: you can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. Now granted, it is using rainbow tables, but ultimately if your SAM file or /etc/passwd and /etc/shadow files are compromised you’re pretty much history. Additionally, if you limit failed attempts with lockouts (or a limited-time lockout) I think you are going to prevent the brute force attacks.
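To show why a leaked store of unsalted hashes is "history" against a precomputed table, and why a per-user random salt (a mitigation the post does not mention) defeats precomputation, here is an added example that is not from the original post or from Ophcrack. It assumes SHA-256 as a stand-in for whatever digest a store uses, and a constructed four-entry candidate list standing in for a rainbow table's coverage.

```python
import hashlib
import os

# Constructed candidate list: a real precomputed table covers billions of
# candidates, but the principle is the same at any size.
CANDIDATES = ["password", "letmein", "Fgpyyih804423", "hunter2"]


def unsalted_hash(pw: str) -> str:
    """Unsalted digest: the same password always yields the same hash,
    so digests can be computed once and reused against every dump."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    """Per-user random salt: identical passwords yield different digests,
    so nothing computed before the dump matches any entry in it."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_precomputed_table(candidates):
    """Built offline, before any hash store is ever stolen."""
    return {unsalted_hash(pw): pw for pw in candidates}


def lookup(table, stolen_hash):
    """Recovering a password from a leaked unsalted hash costs one lookup,
    regardless of how 'strong' the password looks to a strength meter."""
    return table.get(stolen_hash)


def demo():
    table = build_precomputed_table(CANDIDATES)
    # What an unsalted store would hold for the post's example password.
    leaked_unsalted = unsalted_hash("Fgpyyih804423")
    found_unsalted = lookup(table, leaked_unsalted)  # -> "Fgpyyih804423"
    # The same password stored with a 16-byte random salt (assumed size).
    salt = os.urandom(16)
    leaked_salted = salted_hash("Fgpyyih804423", salt)
    found_salted = lookup(table, leaked_salted)  # -> None: table is useless
    return found_unsalted, found_salted


if __name__ == "__main__":
    print(demo())
```

With a salt, recovering each user's password means recomputing guesses per user after the dump, which is the precomputation advantage the post's 160-second figure depends on.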
