12

I have a bad habit of rarely changing the administrator password in my domain. The passwords I do use are pretty good but I want to be more consistent on this.

What do you think is a good frequency? Every 6 months perhaps?

Malnizzle
user24555
  • 90 days is a good general best-practice for changing passwords. – Warner Mar 25 '10 at 17:48
  • Under unix you can use a tool like sudo which means certain users can be granted root privileges for a short time. They don't need to know the root password. In fact, you can get away with not having one set or ever knowing it. In this case you don't need to change it. Users will need to change their own passwords though. – hookenz Mar 25 '10 at 19:54
  • Oh god, after reading all these posts, I know for a fact that there's one domain that I work in sometimes (of which I'm not the sysadmin, but have an admin account) where the `administrator` password has been the same for 7 years, and it's only 8 characters long. Maybe I'll send them an email... – Mark Henderson Mar 25 '10 at 23:01

6 Answers

9

Let's do a quick calculation (and forget best practices for a moment):

Assume a timeframe of six months for an attacker to hack your system. Let's also assume, that passwords are randomly chosen from a character set of size 62.


Scenario 1: You use a 9 character password for the entire six months.

Scenario 2: You use a 9 character password for the first three months, and a different 9 character password for the remaining three months.

Scenario 3: You use a 10 character password for the entire six months.


In Scenario 1, a brute force attacker hacks your account with 100% certainty, if he can do 62^9 attempts in that time.

In Scenario 2, if he can do only (62^9)/2 attempts in half the time (three months), he'll hack the account with 50% certainty. In the second half, he'll get another chance with 50% certainty. So statistically, he'll hack the account with 75% certainty.

In Scenario 3, he'll have 62^9 attempts for the entire six months. But there are 62^10 possibilities. So he'll hack the account only with 1/62 certainty, that's about 1.6%.


So if we leave all other factors out (like stolen passwords and other kinds of attacks), the recommendation would be to rather choose longer passwords than using shorter (or simpler) passwords, even if they're changed more often. Especially, because in Scenario 3, there are only 10 characters to remember, while in Scenario 2, it's 18 characters.

Chris Lercher
  • +1, Use very long passwords. Nobody is actually going to crack an 18+ character password in 6 months. If they really want your data that bad, they'd just break in and steal the server. – Chris S Mar 25 '10 at 18:52
  • Love this, well put. With passwords...size matters. – Kara Marfia Mar 25 '10 at 22:34
  • So a good long password should do well for quite a long time then. I think I'll just use a good password and do a 12 month cycle. This will give me a good opportunity to document everything that's going to break (unfortunately). Edit: By good I mean 16+ characters. I like to use sentences that include punctuation and spaces and all. – user24555 Mar 26 '10 at 02:15
  • I always giggle when someone talks about brute-forcing a password. It ain't gonna happen. Period. Only the NSA (or equivalent) or organized crime can do that, in which case you have much bigger problems that cannot be solved with a good password anyway. – Dan Andreatta Mar 26 '10 at 10:51
  • Adding to the previous comment, I did some quick math, and it would take about 1 day to crack a 6 char password with a modern desktop, which leads to 10 years for an 8 char password. The performance for encryption is from the openssl speed test. – Dan Andreatta Mar 26 '10 at 11:02
  • @Dan: Thanks for pointing this out. I fully agree, that brute forcing an account becomes quite theoretical even for an 8 char password. However, it's not too hard to modify my calculation, and find out, that the result is essentially very similar, when we're talking about the much more prevalent dictionary attacks: The reason is, that the number of possibilities still grows exponentially with the number of words, when the password combines multiple, unrelated(!) words. – Chris Lercher Mar 26 '10 at 13:10
  • Maybe I should add a word of caution: Passwords must be a lot longer, when using a combination of words. – Chris Lercher Mar 26 '10 at 13:23
  • @chris_l: I was assuming a good password, of course. A password in a dictionary can be cracked by good ole john in a few seconds. – Dan Andreatta Mar 26 '10 at 13:33
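The three scenarios from this answer, worked through as an added example (this is not code from the answer's author). The same functions also cover the dictionary-of-words case raised in the comments by passing the word-list size as the alphabet and the word count as the length; the `rotations` model (attacker budget split evenly, periods independent) and the 20,000-word list size are assumptions.

```python
from fractions import Fraction


def keyspace(alphabet_size, length):
    """Number of equally likely passwords of `length` symbols from an alphabet
    of `alphabet_size` symbols (62 = upper + lower + digits, as in the answer)."""
    return alphabet_size ** length


def crack_probability(alphabet_size, length, attempts):
    """Chance that a brute-force attacker with `attempts` guesses finds a
    uniformly random password; exact fraction, capped at 1 once the whole
    keyspace can be searched."""
    return min(Fraction(attempts, keyspace(alphabet_size, length)), Fraction(1))


def crack_probability_with_rotation(alphabet_size, length, total_attempts, rotations):
    """Assumed model: the password is replaced `rotations` times over the
    window, the attacker's guess budget is spread evenly over the periods,
    and each period is an independent trial. The attacker wins if any
    period succeeds, so P(win) = 1 - P(all periods fail)."""
    per_period = crack_probability(alphabet_size, length, total_attempts // rotations)
    return 1 - (1 - per_period) ** rotations


if __name__ == "__main__":
    budget = keyspace(62, 9)  # attacker can try 62^9 guesses in six months
    scenarios = {
        "1: 9 chars, kept 6 months":        (62, 9, budget, 1),
        "2: 9 chars, rotated after 3 months": (62, 9, budget, 2),
        "3: 10 chars, kept 6 months":       (62, 10, budget, 1),
        # Constructed passphrase cases: words drawn from an assumed 20,000-word list.
        "passphrase, 3 random words":       (20000, 3, budget, 1),
        "passphrase, 4 random words":       (20000, 4, budget, 1),
    }
    for name, args in scenarios.items():
        p = crack_probability_with_rotation(*args)
        print(f"{name:38s} P(cracked) = {float(p):.4f}")
```

The passphrase rows illustrate the caution in the comments: three words from a 20,000-word list give fewer combinations than 62^9, so the attacker searches them all, while four words already drop below one chance in ten.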
2

We're mostly Windows, and each of the admins has their own domain admin account, and we just trust one another to have strong passwords and to change them every now and then. I'm sure everyone has strong passwords because we use peer-pressure to ensure they're long and have numbers and/or characters in them, but we don't change them often enough.

ADDED: By now, most people have probably heard this, but just in case. Encryption and security expert Bruce Schneier says you should have strong passwords and write them down.

Ward - Trying Codidact
  • How does that peer pressure work? Can people see each other's passwords? – Bill Weiss Mar 25 '10 at 18:00
  • From my experience no user can be trusted to change their password on their own, even IT staff. – ITGuy24 Mar 25 '10 at 18:01
  • @Bill: there are just 3 of us, and we've worked together a long time, so peer pressure is along the lines of "I didn't see you type any numbers just then..." – Ward - Trying Codidact Mar 25 '10 at 18:19
  • That doesn't scale very well :) Also, getting in the habit of watching people type their admin passwords won't go well if you go to other sites very often. – Bill Weiss Mar 25 '10 at 20:18
  • What about having something like a "swear jar"? If another admin can manage to break your password (using something like ophcrack), you have to put $5 in the pot. – Nic Mar 26 '10 at 05:23
1

Although it would theoretically be much better to change passwords frequently, the let's-write-that-down-on-a-post-it-factor increases exponentially as the validity period gets shorter.

If this is for private use only, why not use public key authentication and have just a good PW for your keyring?

Alexander T
1

Are you actually talking about the Administrator account for the domain (SID: S-1-5-21domain-500), or are you talking about the administrator account you created for yourself so you can get useful logs about who does what?

I generally will set up the Administrator account to have a long (20+ character) password and store the password in a safe location and never use that account. I generally only change that password every year or so. Our network also has lockout systems and such which should prevent any remote brute force attacks from ever being very effective. Since I never use the password for day-to-day tasks the likelihood of it being intercepted is nearly non-existent.

If you are talking about my personal account that I granted admin privileges to I tend to change it about every 6 months. I also tend to use key-based authentication whenever possible so that my password is very rarely transmitted anywhere. I also don't generally work with what I think most people would consider to be high-risk systems.

Zoredache
  • I'm talking about the domain admin. My own account is not a part of the domain admin group. I think that it would be a good practice to stop using the original domain admin and make a secondary domain admin with a different username. – user24555 Mar 26 '10 at 02:45
0

No matter how complex the passwords you set, it's always a good practice to change your password every 30 to 42 days. 6 months is way too old for a password. There should always be a good password policy implemented to stay safe and secure :-)

Vivek Kumbhar
  • Where do you come up with "30 to 42 days" ? – Bill Weiss Mar 25 '10 at 17:59
  • It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. Not my words, taking it from "Best Practices" – Vivek Kumbhar Mar 25 '10 at 18:17
  • How about giving us a link to a document or reference where this is stated instead of just repeating that it is a 'best practice'. I generally refuse to consider something to be a best practice unless it is published in a reliable source. – Zoredache Mar 25 '10 at 19:37
  • sure.. glad you asked http://technet.microsoft.com/en-us/library/cc784090(WS.10).aspx – Vivek Kumbhar Mar 25 '10 at 20:05
  • My browser's search tool must be broken. I don't see a "42" in there. – Bill Weiss Mar 25 '10 at 20:15
  • This is on my Win 7, and if I can find the Best Practice document I will put it here as well for everybody's benefit, which says the default value is 42. http://img522.imageshack.us/img522/4199/90231301.jpg and check this out as well http://www.itechtalk.com/thread3523.html – Vivek Kumbhar Mar 25 '10 at 20:35
  • http://technet.microsoft.com/en-us/library/cc736566(WS.10).aspx – Vivek Kumbhar Mar 25 '10 at 20:43
  • It is interesting that you reference that link and say 30-42 days when the Note section explicitly mentions 30-90 days. IMHO some developer at Microsoft choosing 42 days as a default does not automatically mean that 42 days is the upper bound or the 'best practice'. – Zoredache Mar 25 '10 at 23:40
  • Not really.. what I meant is 6 months is too long a time; your Maximum Password Age should be somewhere between 30 to 90 days. Though the Local Security Policy suggests you configure it for 42 days, that does not really mean Microsoft wants you to set it to 42 days. – Vivek Kumbhar Mar 25 '10 at 23:51
-1

I normally only reset root passwords after a staff member has left... but encourage users with sudo access to change theirs every 90 days.

Philip