Talking Passwords

From MicroFocusInternationalWiki
Revision as of 17:51, 17 May 2005 by Mgoddard (Talk | contribs)

Jump to: navigation, search

Hi, I wanted to gauge people's opinion and current setups for password policies. At PepsiCo UK we are about to roll out universal passwords but to plagiarise other people’s ideas on passwords.

Our current policy is 6 characters, 42 days reset, no duplicates and 6 grace logins

Now we can be clever with advanced universal password rules we want to provide a better level of password security without creating more helpdesk calls due to over complex policies.

So we don’t want a 26 character, dictionary proof password with at least 7 forms of punctuation 3 capital letters and 5 digits that needs to change daily and never repeat, ever.

Nor do we want people to use cola as their password.

what is the best mix of security and complexity, what is your policy?

We want to use self service password resets, by getting users to answer a set of questions that can be used to reset all passwords within the meta-directory. However, most suggestions I’ve had are either; Obscure i.e. what did you have for lunch on January 12 1982 or Obvious i.e. what colour is your hair?

what are good questions to ask users, what you do you ask them?

Thanks in-advance

08:28, 13 May 2005 (MDT)


First of all, remember the old trade-off between user convenience and security. Typically the stronger the password, the less convenience to the user. So the user will modify their habits to make things convenient. For example, writing down their password and stick in under the keyboard.

Next, if you are trying to come up with a solid password management policy, get buy-in from senior managers first and then let the politics of the password pilyc flow down from the top. The 8th layer of the OSI model. If management doesn't support you, it's not going to do any good trying to enforce policy without a hammer behind the fist.

As far as challenge questions go, the question set should be simple but yet not something that other users know about the person - when the questions are presented as a set. For example, I would consider using this set:

What is your favorite color? (People's hair color changes - don't use)

What is your mother's maiden name?

What are the last 4 digits of your social security number?

This would be a solid challenge set for regular users who do not have sweeping access to directory/file systems. I would use a different set of challenge questions for network administrators and keep that under wraps just to deter social engineering.

Lastly, if you are creating a security/password policy from scratch, start with tight security and loosen later (rather than loose security and tighten later). Users scream when you take away something, but when you give them something they don't have they are your best friend.

Here's a good article:


--Mgoddard 11:51, 17 May 2005 (MDT)