 
Proteus Jones
Feb 28, 2013



Sirotan posted:

I'm in the process of revamping a bunch of security policies for my org, including rolling out 2FA and changing password guidelines. I'm considering removing our requirement of forcing a password change every 90 days, as per the latest NIST recommendations. I'm curious how many other people have non-expiring passwords for their users and whether this is a good/terrible idea.

With 2FA it's fine.

And honestly, if you want to spur the adoption of 2FA, make the forced change that much more frequent for people who DON'T want to use 2FA.

I make that semi-jokingly, knowing that I'd never see the fallout other than having to hide forever from the Helpdesk.


Sirotan
Oct 17, 2006

Sirotan is a seal.


flosofl posted:

With 2FA it's fine.

And honestly, if you want to spur the adoption of 2FA, make the forced change that much more frequent for people who DON'T want to use 2FA.

I make that semi-jokingly, knowing that I'd never see the fallout other than having to hide forever from the Helpdesk.

Yeah the thing is, we'd likely only be able to force 2FA on anyone using VPN or attempting to change their credentials remotely. I'm 99.5% sure I'd never be able to get buy-in/money for 2FA for internal only users.

Sheep
Jul 24, 2003
With 2FA it seems like a liability since you're getting into "welp I'll just put it on a sticky note on the monitor" or "increment digit at the end" territory.

Without 2FA I'd reckon every 90 days is a decent compromise.

Sirotan
Oct 17, 2006

Sirotan is a seal.


Sheep posted:

With 2FA it seems like a liability since you're getting into "welp I'll just put it on a sticky note on the monitor" or "increment digit at the end" territory.

Without 2FA I'd reckon every 90 days is a decent compromise.

We already have a 90 day expiration, what I am considering is getting rid of that and having passwords not expire. I feel like without the expiration period they are LESS likely to write them down somewhere since they're not having to remember something new every 3 months. I'm really not sure how a 90 day expiration is inherently more secure than no expiration, to be honest. I'm still feeling it out.

What I am thinking right now is making our password guidelines match the new NIST recommendations, meaning:
-Length minimum would go from 8 to 12
-Restrict passwords based on dictionary of X number of known words (not sure how to implement this yet)
-No other restrictions on format (get rid of the pick 3 of the 4 of lowercase/uppercase/number/symbol BS)
-2FA required for any access outside our physical locations


Pros:
-Fewer calls to the helpdesk from the people who cannot be assed to change their password in the 2 weeks leading up to their expiration date, or forgot to update it in our VPN client, or who get on-call rotation laptops and don't authenticate on the device until they bring it home
-People will be less likely to write down a password they've had more time to remember????? (this might be a huge assumption on my part)
-New policy is more user friendly

Cons:
-Potentially compromised accounts won't expire automatically?
-IT needs to change its policy for handling accounts for vendors/interns/contractors, and will also need to have a policy to deal with potentially inactive accounts vs just knowing they will expire in 90 days
-??????????


Is "this will make less work for the helpdesk" a bad reason to want to change password guidelines?

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
Just install tongueprint scanners at every workstation.

Samizdata
May 14, 2007

Sirotan posted:

We already have a 90 day expiration, what I am considering is getting rid of that and having passwords not expire. I feel like without the expiration period they are LESS likely to write them down somewhere since they're not having to remember something new every 3 months. I'm really not sure how a 90 day expiration is inherently more secure than no expiration, to be honest. I'm still feeling it out.

What I am thinking right now is making our password guidelines match the new NIST recommendations, meaning:
-Length minimum would go from 8 to 12
-Restrict passwords based on dictionary of X number of known words (not sure how to implement this yet)
-No other restrictions on format (get rid of the pick 3 of the 4 of lowercase/uppercase/number/symbol BS)
-2FA required for any access outside our physical locations


Pros:
-Fewer calls to the helpdesk from the people who cannot be assed to change their password in the 2 weeks leading up to their expiration date, or forgot to update it in our VPN client, or who get on-call rotation laptops and don't authenticate on the device until they bring it home
-People will be less likely to write down a password they've had more time to remember????? (this might be a huge assumption on my part)
-New policy is more user friendly

Cons:
-Potentially compromised accounts won't expire automatically?
-IT needs to change its policy for handling accounts for vendors/interns/contractors, and will also need to have a policy to deal with potentially inactive accounts vs just knowing they will expire in 90 days
-??????????


Is "this will make less work for the helpdesk" a bad reason to want to change password guidelines?

There's an easy procedural way to deal with the laptop rotation. Just make the users have to authenticate on the laptop as part of the pickup procedure.

SyNack Sassimov
May 4, 2006

Let the robot win.
            --Captain James T. Vader


Sirotan posted:

We already have a 90 day expiration, what I am considering is getting rid of that and having passwords not expire. I feel like without the expiration period they are LESS likely to write them down somewhere since they're not having to remember something new every 3 months. I'm really not sure how a 90 day expiration is inherently more secure than no expiration, to be honest. I'm still feeling it out.

What I am thinking right now is making our password guidelines match the new NIST recommendations, meaning:
-Length minimum would go from 8 to 12
-Restrict passwords based on dictionary of X number of known words (not sure how to implement this yet)
-No other restrictions on format (get rid of the pick 3 of the 4 of lowercase/uppercase/number/symbol BS)
-2FA required for any access outside our physical locations


Pros:
-Fewer calls to the helpdesk from the people who cannot be assed to change their password in the 2 weeks leading up to their expiration date, or forgot to update it in our VPN client, or who get on-call rotation laptops and don't authenticate on the device until they bring it home
-People will be less likely to write down a password they've had more time to remember????? (this might be a huge assumption on my part)
-New policy is more user friendly

Cons:
-Potentially compromised accounts won't expire automatically?
-IT needs to change its policy for handling accounts for vendors/interns/contractors, and will also need to have a policy to deal with potentially inactive accounts vs just knowing they will expire in 90 days
-??????????


Is "this will make less work for the helpdesk" a bad reason to want to change password guidelines?

As far as the special restrictions, you'd need to install one of the third party password filters, since AD flat out doesn't do anything about that (Microsoft is supposedly hinting it will, but at this point that would be Server two-thousand....next and who knows). I'd looked into a few of them a while back - Anixis and nFront seemed to be the two best choices, and I'd decided on Anixis, but then the client dragged their feet so I never installed it, i.e. can't help you with actual experience on that.

My philosophy has always been that I'd prefer they had longer passwords that changed less often, simply because theoretically people are more likely to be amenable to longer passwords that way, and if you make them change every month they're just going to add a 1, 2, 3, 4 etc to the end of the previous password. (I think Anixis can also block this kind of thing by requiring the new password be different by x number of characters during the password change). True, they'll probably do that anyway even with changing it every 6 months or whatever, but for me it's always about trying to get as much buy-in as possible. Granted, that's also because I'm at an MSP so we can never be the voice of authority requiring security or else, but I don't think changing passwords every 30 days really enhances security all that much considering the human factor involved.

The other piece of this is enabling SSO everywhere for everything period the end. As far as I'm concerned it's a goddamn requirement up there with having a firewall. Not just for user convenience and added buy-in that they don't have multiple passwords to remember/write down on post-its, but also for centralization of security and management - disable a departing user one place and their access is blocked to all company resources. This is still a difficult requirement sometimes because a lot of butt services either don't know how to SSO or charge a shitload for the privilege DOCUSIGN YOU MOTHERFUCKERS. But not doing SSO always seems to cause headaches down the line and can really bite you in the rear end if a helpdesk person forgets to disable someone's access to some service that isn't SSO'd.
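As an added example, not code from any poster in the thread: a small Python check of the policy Sirotan outlines (12-character minimum, a dictionary/blocklist instead of composition rules) combined with the "new password must differ from the old one" test SyNack mentions, which catches the "add a 1, 2, 3 to the end" habit. The word lists, organisation name and sample passwords are constructed for the example.

```python
import re
import unicodedata

MIN_LENGTH = 12  # the thread proposes raising the minimum from 8 to 12

# Constructed sample lists. A real deployment would load a large list of
# breached/common passwords plus the organisation's own names and terms.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "summer"}
CONTEXT_WORDS = {"acmecorp", "acme"}  # hypothetical organisation name


def normalize(password):
    """NFKC-normalize so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def stem(password):
    """Lowercase and strip trailing digits/punctuation, so 'Password1!' and
    'Password2!' both reduce to 'password'. Falls back to the whole string
    when nothing is left (e.g. an all-digit password)."""
    core = re.sub(r"[\d\W_]+$", "", password).lower()
    return core or password.lower()


def blocklist_hits(password):
    """Return the blocked words the candidate equals, reduces to, or contains."""
    low = password.lower()
    hits = {w for w in (low, stem(password)) if w in COMMON_PASSWORDS}
    hits.update(w for w in CONTEXT_WORDS if w in low)
    return sorted(hits)


def is_trivial_variant(new, previous):
    """Catch the 'increment the digit at the end' change described in the thread."""
    if previous is None:
        return False
    return stem(new) == stem(previous)


def check_password(candidate, previous=None):
    """Return a list of policy violations; an empty list means accepted.
    No character-class (composition) rules are applied, per the NIST guidance."""
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = blocklist_hits(pw)
    if hits:
        problems.append("contains blocked word(s): " + ", ".join(hits))
    prev = normalize(previous) if previous is not None else None
    if is_trivial_variant(pw, prev):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    samples = [("Tr0ub4dor&3", None),
               ("correct horse battery staple", None),
               ("Mango-Lantern-Sixteen-2", "Mango-Lantern-Sixteen-1")]
    for cand, prev in samples:
        print(repr(cand), "->", check_password(cand, prev) or "accepted")
```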

Super Slash
Feb 20, 2006

You rang ?

Sirotan posted:

I'm curious how many other people have non-expiring passwords for their users and whether this is a good/terrible idea.

I'm not sure if it counts since we don't use 2FA, but the only area I set non-expiring passwords for is our field sales agents, but only because the only thing they require a user account for is to hook up Exchange to their mobile phone for e-mail. They never so much as touch a computer; however, we are planning to roll out laptops to them, so that will soon change. The only other user to have a non-expiring password is the managing director, but it's his company; he can do whatever the gently caress he wants.

Mo_Steel
Mar 7, 2008

Let's Clock Into The Sunset Together

Fun Shoe

Super Slash posted:

[...]the only other user to have a non-expire is the managing director; but it's his company he can do whatever the gently caress he wants.

Boy do I know that feeling. I've come to the sad conclusion that at the end of the day you can only advise your higher-ups to the best of your ability; it's up to them to accept it or reject it.

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


With 2FA, the usual password rules don't matter anymore. And password expiration is for breach mitigation, not security, as it effectively reduces security.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

duz posted:

With 2FA, the usual password rules don't matter anymore. And password expiration is for breach mitigation, not security, as it effectively reduces security.

This. IIRC, the "rotate every 3 months" advice comes from a back of the envelope calculation from decades ago on how long it would take to brute force passwords if the hashes were stolen.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy
Today on new and exciting causes of service outages:

http://www.nydailynews.com/news/national/small-plane-crashes-street-bayonne-n-article-1.2976636

I thought I've seen everything but a plane crash is a new one to me.

QuiteEasilyDone
Jul 2, 2010

Won't you play with me?
To be entirely unfair, a pair of plane crashes destroyed a good portion of the microwave point-to-point infrastructure in downtown Manhattan some 15+ years ago.

Ghostlight
Sep 25, 2009

maybe for one second you can pause; try to step into another person's perspective, and understand that a watermelon is cursing me



Too soon.

Virigoth
Apr 28, 2009

Corona rules everything around me
C.R.E.A.M. get the virus
In the ICU y'all......



QuiteEasilyDone posted:

To be entirely unfair, a pair of plane crashes destroyed a good portion of the microwave point-to-point infrastructure in downtown Manhattan some 15+ years ago.

:vince: :911: we forgot

MiniFoo
Dec 25, 2006

METHAMPHETAMINE

Renegret posted:

Today on new and exciting causes of service outages:

http://www.nydailynews.com/news/national/small-plane-crashes-street-bayonne-n-article-1.2976636

I thought I've seen everything but a plane crash is a new one to me.

RE: A ticket came in: "Let me do my job, okay?" he said before hanging up

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

QuiteEasilyDone posted:

To be entirely unfair, a pair of plane crashes destroyed a good portion of the microwave point-to-point infrastructure in downtown Manhattan some 15+ years ago.

Remedy doesn't go back that far for us :colbert:


if there's no ticket it never happened

angry armadillo
Jul 26, 2010

Renegret posted:

Today on new and exciting causes of service outages:

http://www.nydailynews.com/news/national/small-plane-crashes-street-bayonne-n-article-1.2976636

I thought I've seen everything but a plane crash is a new one to me.

I've always chuckled when I see risk docs that go out of their way to mention things like air traffic incidents or severe enough flooding to cause server room damage (etc)

But now I suppose extremely unlikely is more accurate than never

Thanks Ants
May 21, 2004

#essereFerrari


Virigoth posted:

:vince: :911: we forgot

a_pineapple
Dec 23, 2005


I reeeeeeeeeally want to do some sort of biometrics because fingerprint scanners are becoming pretty common on business-grade laptops these days. Then I remember how many drive-bys we get like "My phone restarted and now it's asking me for my passcode to unlock. I can't remember it because I always use my thumbprint. Can you unlock?"

Paladine_PSoT
Jan 2, 2010

If you have a problem Yo, I'll solve it

angry armadillo posted:

I've always chuckled when I see risk docs that go out of their way to mention things like air traffic incidents or severe enough flooding to cause server room damage (etc)

But now I suppose extremely unlikely is more accurate than never

Risk mitigation addendum: If the cause of the outage involved hospitalizations or fatalities, gently caress it, go home.

Javid
Oct 21, 2004

:jpmf:

vas0line posted:

I reeeeeeeeeally want to do some sort of biometrics because fingerprint scanners are becoming pretty common on business-grade laptops these days. Then I remember how many drive-bys we get like "My phone restarted and now it's asking me for my passcode to unlock. I can't remember it because I always use my thumbprint. Can you unlock?"

I was really excited to be getting a phone with a fingerprint reader until I actually got it and found out it forces you to put in a code every so often regardless, thus defeating the time-saving purpose of having a fingerprint reader in a spot you'd normally grab the thing. Way to almost implement a good idea!

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Javid posted:

I was really excited to be getting a phone with a fingerprint reader until I actually got it and found out it forces you to put in a code every so often regardless, thus defeating the time-saving purpose of having a fingerprint reader in a spot you'd normally grab the thing. Way to almost implement a good idea!

:cripes:

Virigoth
Apr 28, 2009

Corona rules everything around me
C.R.E.A.M. get the virus
In the ICU y'all......



Javid posted:

I was really excited to be getting a phone with a fingerprint reader until I actually got it and found out it forces you to put in a code every so often regardless, thus defeating the time-saving purpose of having a fingerprint reader in a spot you'd normally grab the thing. Way to almost implement a good idea!

:cripes:

Thanks Ants
May 21, 2004

#essereFerrari



baquerd
Jul 2, 2007

by FactsAreUseless

Javid posted:

I was really excited to be getting a phone with a fingerprint reader until I actually got it and found out it forces you to put in a code every so often regardless, thus defeating the time-saving purpose of having a fingerprint reader in a spot you'd normally grab the thing. Way to almost implement a good idea!

This limits access in case the thief goes with the expedient of cutting off your finger. Defense in depth and all that.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

baquerd posted:

This limits access in case the thief goes with the expedient of cutting off your finger. Defense in depth and all that.

If the dude wants to go through the trouble of cutting off my finger to get into my phone? Go ahead buddy, gently caress, I'll unlock it without you cutting off my finger and then walk away like nothing happened.

thebigcow
Jan 3, 2001

Bully!
They don't need your actual finger to defeat a fingerprint scanner.

FWIW I have a Nexus 5X with a fingerprint scanner, it only requires the PIN once after powering on.

Javid
Oct 21, 2004

:jpmf:
That's one more time than is acceptable when using an unlock method other than "pin"

GreenBuckanneer
Sep 15, 2007

thebigcow posted:

They don't need your actual finger to defeat a fingerprint scanner.

FWIW I have a Nexus 5X with a fingerprint scanner, it only requires the PIN once after powering on.

Me too. I rarely ever reboot my phone, but I'm worried this 7.1.2 update will suddenly cause the bootlooping thing I read about :v:

pr0digal
Sep 12, 2008

Alan Rickman Overdrive
A client is complaining that they're not getting fast enough speeds to their offsite replica and their IT team swears the connection is gigabit. We run a whole battery of tests, removing the NFS share and our backup application from the mix and showing speeds of around 360 Mbps just from client to client over the WAN connection. They were also complaining of the replication slowing down their house network, but I'm pretty sure that was a routing issue that was sorted out.

After considering the obviously less-than-gigabit speeds, I decided to run a few internet speed tests just to verify their connection is gigabit (I'm assuming their house outbound and WAN outbound are going over the same pipe). The results I come up with are definitely not gigabit... more in line with the speeds I was seeing during the tests. Well, that would explain the "slow speeds" :v:

Shot off a nice e-mail to their IT team explaining the findings and implying that, yet again, it's not our equipment please stop blaming stuff on it. Or someone doesn't understand bits vs bytes.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Javid posted:

I was really excited to be getting a phone with a fingerprint reader until I actually got it and found out it forces you to put in a code every so often regardless, thus defeating the time-saving purpose of having a fingerprint reader in a spot you'd normally grab the thing. Way to almost implement a good idea!

First of all, don't use a fingerprint reader if you really do care about your data. They can be thwarted and there is nothing protecting you legally should your phone be seized.

Second of all... :tif:

spankmeister
Jun 15, 2008
Fingerprints and other biometrics should only be used as a second factor imo.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Javid posted:

I was really excited to be getting a phone with a fingerprint reader until I actually got it and found out it forces you to put in a code every so often regardless, thus defeating the time-saving purpose of having a fingerprint reader in a spot you'd normally grab the thing. Way to almost implement a good idea!

:catstare:

Zamboni Apocalypse
Dec 29, 2009

Dr. Arbitrary posted:

Just install tongueprint scanners at every workstation.

"This tongue is expired, boy!"

A Pinball Wizard
Mar 23, 2005

I know every trick, no freak's gonna beat my hands

College Slice
:eyepop:

SyNack Sassimov
May 4, 2006

Let the robot win.
            --Captain James T. Vader


Zamboni Apocalypse posted:

"This tongue is expired, boy!"

"This tongue does not meet acceptable minimum length requirements".

It's either a security protocol or what your mom said HEYOHHHHHHH

apseudonym
Feb 25, 2011

Javid posted:

I was really excited to be getting a phone with a fingerprint reader until I actually got it and found out it forces you to put in a code every so often regardless, thus defeating the time-saving purpose of having a fingerprint reader in a spot you'd normally grab the thing. Way to almost implement a good idea!

Yeah this was done on purpose. :cripes: I didn't think I'd have to explain why.

thebigcow posted:

FWIW I have a Nexus 5X with a fingerprint scanner, it only requires the PIN once after powering on.

This is not correct. It requires it periodically as well.

Javid
Oct 21, 2004

:jpmf:
So why then?

The entire point of the reader, as far as the user is concerned, is that it's a locking method that requires no extra time or remembering of passwords, but that still keeps other people out to the extent that it matters. If I have to type in a code, I may as well just not use the fingerprint reader, or not lock it at all. I don't have nuclear codes or company info on my personal phone, so who cares?

I feel like security people tend to forget an actual human with work to do has to deal with the poo poo they put out.


Klaus Kinski
Nov 26, 2007
Der Klaus

apseudonym posted:

This is not correct. It requires it periodically as well.

Nope. I have both a 5X and an Xperia X Compact, and the only time they require a PIN or graphical password is after powering on or failing the fingerprint unlock a ton of times.
