Chapter 11: Securing Your Network
how long their passwords must be, the complexity of the password (alphanumeric, capital letters, or symbols), whether users can reuse previously used passwords, and so forth. At a minimum, consider these suggestions for password policies:

- Require users (through network password policy settings) to change their main network password every 90 to 180 days. (Actually, 30 days is a common recommendation, but this might be too frequent in most environments.)

- Set the reuse policy so that passwords cannot be reused for at least a year.

- Require passwords that are at least eight characters long. For case-insensitive passwords that do not allow special characters, this yields 36^8 possible passwords, or almost 3 trillion possibilities. If the network operating system uses case-sensitive passwords, the possibilities are much larger: 62^8 (218 trillion). For systems that allow special characters in the password (a space, comma, period, asterisk, and so forth), the number of possible combinations is higher still.
NOTE: Even 2 billion possible combinations for passwords is a lot. If crackers were able to try one password a second, they would need to spend 63 years to try that many permutations. Even with an optimized program that can try 5 million possibilities a second, it would take about a year to crack an eight-character mixed-case password using brute force.
- Encourage users to create passwords that are not words in any language or, if they are words, that have numbers and other nonalphanumeric characters inserted somewhere in the word, so that a "dictionary attack" won't easily work. (Many password-cracking programs rely on dictionaries of common words and names to dramatically reduce the number of possibilities they need to try.) Also, for networks that support mixed-case passwords, encourage users to use mixed-case characters.

- Make sure that you turn on any policies that monitor for and deal with people entering wrong passwords. Often called intruder detection, this type of policy watches for incorrect password attempts. If too many attempts occur within a set period of time, the system can lock out the user account, preventing further attempts. I usually set this type of feature to lock an account any time five incorrect passwords are entered within an hour, and then keep the account locked until it's reset by the administrator. This way, if users enter a large number of incorrect passwords, they will need to talk with the administrator to reopen the account. Usually this occurs when users have forgotten their passwords, but someone else may be trying to guess passwords, so it deserves to be examined.
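The two calculations above (password keyspace and brute-force time) and the "five failures within an hour" lockout rule, worked through as an added example that is not from the book. The authentication events are constructed for illustration, and the choices that a successful login clears the failure count and that a lock persists until reset are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def keyspace(charset_size: int, length: int) -> int:
    """Number of possible passwords of `length` symbols from an alphabet of `charset_size` (36^8, 62^8, ...)."""
    return charset_size ** length

def years_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination, in 365.25-day years."""
    return combinations / guesses_per_second / (365.25 * 86400)

# Constructed authentication events for illustration only: (time, user, succeeded).
def T(h, m): return datetime(2024, 1, 1, h, m)
EVENTS = [
    (T(9, 0), "alice", False), (T(9, 5), "alice", False),
    (T(9, 10), "alice", False), (T(9, 15), "alice", False),
    (T(9, 20), "alice", True),                       # 4 failures, then a success
    (T(10, 0), "bob", False), (T(10, 10), "bob", False),
    (T(10, 20), "bob", False), (T(10, 30), "bob", False),
    (T(10, 40), "bob", False),                       # 5 failures within 40 minutes
    (T(8, 0), "carol", False), (T(8, 40), "carol", False),
    (T(9, 20), "carol", False), (T(10, 0), "carol", False),
    (T(10, 40), "carol", False),                     # 5 failures, but spread over 2h40m
]

def intruder_lockouts(events, threshold=5, window=timedelta(hours=1)):
    """Return {user: time_locked} for accounts reaching `threshold` failures inside any
    rolling `window`. Assumed (not stated in the text): a successful login clears the
    failure count, and a locked account stays locked until an administrator resets it."""
    recent = defaultdict(deque)   # per-user timestamps of failures still inside the window
    locked = {}
    for when, user, ok in sorted(events):
        if user in locked:
            continue
        if ok:
            recent[user].clear()
            continue
        q = recent[user]
        q.append(when)
        while when - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[user] = when
    return locked

if __name__ == "__main__":
    print(f"36^8 = {keyspace(36, 8):,}   62^8 = {keyspace(62, 8):,}")
    print(f"2e9 guesses at 1/s: {years_to_exhaust(2_000_000_000, 1):.1f} years; "
          f"62^8 at 5M/s: {years_to_exhaust(keyspace(62, 8), 5_000_000):.2f} years")
    print("locked accounts:", intruder_lockouts(EVENTS))
```

Only bob is locked: alice stops short of five failures, and carol's five failures never fall inside one hour, which is the distinction a rolling-window policy is meant to make.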