I have a question concerning password policies. I have read a lot of articles about using a passphrase versus a password as of late, and I was wondering what your take is on the use of passphrases and their function. In addition, others have made the point that if you use a passphrase of 15, 20 or 25 characters, then the passphrase will be impossible to crack.
Given this information, how do you feel about changing account lockout settings from five failed attempts to, say, 50 failed attempts and requiring the passphrase to be changed two times a year, rather than every 42 days? I realize that "42 is the answer to life, death and everything" according to some "scholars," but I would think that some settings could be relaxed, given that the passphrase is so very long.
When you get right down to it, the main advantage of passphrases is that they are easier to remember, and therefore you can ask users to use longer ones. We do know that longer passwords/passphrases are harder to crack. However, passphrases, even long passphrases that are composed of a combination of words, may be easier to crack in the future, because people who write password crackers could write an algorithm that looks for combinations of words and cracks one word at a time, versus the one-character-at-a-time process they use now. In that case, it may be just as valid to use a random but shorter password.
Remember too that it is a combination of things that makes a password hard to crack. In the Windows world, most crackers are based on using the LAN Manager ("LM") hash and then getting the "NTLM" hash. If you can eliminate the LM hash from the password database and from use during logon, you make the crackers work very hard. You can eliminate the LM hash by using passwords over 14 characters, by entering a registry entry for Windows 2000, or by using the security option "Do not store LAN Manager hash value on next password change" in Windows Server 2003 (this is the domain controller default policy).
So, best practice? Eliminate LM hashes and make the minimum password size nine characters or more -- encourage larger. Require complexity. Teach how to make more memorable passwords -- use passphrases, if you choose, but add complexity (make "Santa Claus is coming to town" "S@nta C1ause is c0ming to t0wn" or something like that). Just remember, as you increase your understanding of security and make things more secure, those who could attack your systems are becoming more sophisticated as well. You cannot expect today's solution to protect you in the future.
In response to your question about changing account lockout settings, I would never set account lockout at five failed attempts. It's just too easy for someone to fumble-finger their way into locking themselves out. Set it to at least 25 -- 50 is okay -- and monitor! Ensure that you are auditing for logon failures and successes, and monitor the event log for these as well as for lockouts.
Second, the objective of resetting the password is to ensure that it is less likely that the password is known to people other than the user (he wrote it down somewhere and lost the paper ... whatever) or crackable (and all are eventually) before it is changed. So, at any rate, you may be able to foil the latter for a little while by using long passwords and eliminating the LM hash, but you cannot foil the former. People are forgetful, and they will always write down a password no matter the consequences (especially if it's long!). So I still recommend frequent changes, though you may evaluate the potential risk for yourself and decide that 42 days is too quick. I would say that twice a year is way too infrequent!
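The word-at-a-time attack the answer anticipates, as an added example that is not part of the original column. It enumerates phrases built from a dictionary rather than strings built from characters, and compares the two search spaces. Assumptions: the eight-word wordlist and the target passphrase are constructed for the demo, and SHA-256 stands in for the LM/NTLM hashes the column discusses so the script needs only the standard library.

```python
import hashlib
import itertools
import math
from typing import Optional, Sequence, Tuple

# Constructed toy wordlist. A real attacker's list has tens of thousands of
# words; eight is enough to show the mechanics without a long run.
WORDLIST = ["santa", "claus", "is", "coming", "to", "town", "jingle", "bells"]


def phrase_hash(phrase: str) -> str:
    """Hash a candidate. SHA-256 is an assumption standing in for LM/NTLM."""
    return hashlib.sha256(phrase.encode("utf-8")).hexdigest()


def crack_by_words(target: str, wordlist: Sequence[str], max_words: int,
                   sep: str = " ") -> Tuple[Optional[str], int]:
    """Word-at-a-time attack: try every phrase of 1..max_words dictionary
    words, shortest phrases first. Returns (phrase or None, guesses made)."""
    guesses = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            guesses += 1
            candidate = sep.join(combo)
            if phrase_hash(candidate) == target:
                return candidate, guesses
    return None, guesses


def word_keyspace(dictionary_size: int, n_words: int) -> int:
    """Guesses needed to exhaust every phrase of n_words dictionary words."""
    return dictionary_size ** n_words


def char_keyspace(alphabet_size: int, length: int) -> int:
    """Guesses needed to exhaust every string of `length` over the alphabet."""
    return alphabet_size ** length


def bits(keyspace: int) -> float:
    """A keyspace expressed as bits (log2), the usual way to compare them."""
    return math.log2(keyspace)


def chars_equivalent_to_words(dictionary_size: int, n_words: int,
                              alphabet_size: int = 94) -> int:
    """Shortest random password (over alphabet_size printable symbols) whose
    keyspace is at least that of n_words words from the dictionary."""
    return math.ceil(bits(word_keyspace(dictionary_size, n_words))
                     / bits(alphabet_size))


if __name__ == "__main__":
    passphrase = "santa claus is coming to town"   # 29 characters, 6 words
    found, guesses = crack_by_words(phrase_hash(passphrase), WORDLIST, max_words=6)
    print(f"word-level attack recovered {found!r} after {guesses} guesses")
    # The same 29 characters attacked one character at a time (26 letters + space)
    print(f"char-level keyspace for 29 chars: 2^{bits(char_keyspace(27, 29)):.0f}")
    # Realistic sizes: 6 words from a 10,000-word list vs random printable ASCII
    print(f"6 words from 10,000: 2^{bits(word_keyspace(10_000, 6)):.0f}")
    print(f"random printable chars with the same keyspace: "
          f"{chars_equivalent_to_words(10_000, 6)}")
```

Against the toy list the 29-character phrase falls in a few tens of thousands of guesses, while the character-level keyspace for the same string is around 2^138; the number that matters to an attacker is the dictionary size raised to the word count, not the character length. With a 10,000-word list, six words is roughly 2^80, which is what a random 13-character printable-ASCII password gives, so the author's point that a shorter random password can be "just as valid" is a matter of arithmetic once crackers work at the word level.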
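The monitoring the answer asks for alongside a higher lockout threshold (audit logon failures and successes, watch for lockouts), as an added example that is not part of the original column. It parses a security log export, counts failed logons per account inside a sliding time window, and flags accounts that are being guessed at well before the lockout threshold is reached. Assumptions: the one-line-per-event layout and every log line are constructed for the demo (real exports are CSV or EVT/EVTX), and the event IDs are the Windows 2000/2003 ones (528 success, 529 bad password, 644 lockout); newer Windows uses 4624, 4625 and 4740.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Windows 2000/2003 security log event IDs (the column's era).
LOGON_SUCCESS = 528
LOGON_FAILURE = 529
ACCOUNT_LOCKED = 644

# Constructed sample lines, not real log data. The layout is an assumption.
SAMPLE_LINES = [
    "2004-11-02 09:00:01 EventID=528 User=jdoe Workstation=WS42",
    "2004-11-02 09:03:15 EventID=529 User=jdoe Workstation=WS42",   # one typo
    "2004-11-02 09:03:40 EventID=528 User=jdoe Workstation=WS42",
    "2004-11-02 09:10:00 EventID=529 User=bjones Workstation=WS09",
    "2004-11-02 09:11:00 EventID=529 User=bjones Workstation=WS09",
    "2004-11-02 09:12:00 EventID=529 User=bjones Workstation=WS09",
    "2004-11-02 11:30:00 EventID=644 User=cwhite Workstation=DC01",
    "this line is not an event and is skipped by the parser",
]
# Plus a guessing burst: 30 bad passwords against asmith in under 15 minutes.
_burst_start = datetime(2004, 11, 2, 13, 0, 0)
SAMPLE_LINES += [
    (_burst_start + timedelta(seconds=30 * i)).strftime("%Y-%m-%d %H:%M:%S")
    + " EventID=529 User=asmith Workstation=WS17"
    for i in range(30)
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<id>\d+) "
    r"User=(?P<user>\S+) Workstation=(?P<ws>\S+)$"
)


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(m["id"]),
            "user": m["user"],
            "workstation": m["ws"],
        })
    return events


def peak_failures(events: List[dict],
                  window: timedelta = timedelta(minutes=30)) -> Dict[str, int]:
    """Per account, the most failed logons that fall inside any window-long span."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event_id"] == LOGON_FAILURE:
            per_user[e["user"]].append(e["time"])
    peaks = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks


def failure_alerts(events: List[dict], threshold: int = 10,
                   window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, int]]:
    """Accounts whose peak failure count reaches the alert threshold, worst first.
    Keep threshold well under the lockout setting so guessing is noticed whether
    or not lockout ever fires."""
    hits = [(u, n) for u, n in peak_failures(events, window).items() if n >= threshold]
    return sorted(hits, key=lambda p: (-p[1], p[0]))


def lockout_events(events: List[dict]) -> List[str]:
    """Accounts the domain controller reported as locked out."""
    return [e["user"] for e in events if e["event_id"] == ACCOUNT_LOCKED]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    print("peak failures per account:", peak_failures(evs))
    print("alerts (>=10 in 30 min):", failure_alerts(evs))
    print("locked out:", lockout_events(evs))
```

A single mistyped password (jdoe) and a handful of retries (bjones) stay under the alert line, while the 30-attempt burst against asmith is reported even though it never reaches a 50-attempt lockout; that is the case a higher lockout threshold makes easier to miss unless the failures are audited and read.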
This was first published in November 2004