Oh the dreaded ‘your password is about to expire’! How many of you absolutely hate it when the time comes for a forced password update and you are waiting until the very last second where it forces it upon you? Well this change is one that is for the better no matter how you slice it. For the two big operating systems, Linux and Unix (ok Windows too), there are password enforcement options for your environment. While I won’t go into how those get implemented in this article due to it being a generalized overview, it is simple enough to do an internet search on the implementation process.
Lets start with the credential management itself. Most commonly used would be the Active Directory infrastructure and one of the most important servers to protect. This server is mostly seen in the user realm of things for everyone to get logged in after having their morning coffee. Sure this server may seem like its only function is making sure passwords get changed every 90 days but securing this server is a big deal in the scope of your security best practices. In the event that this server were to be compromised, it may be possible for someone to inject their own administrative account into the domain. Guess what happens after that? The entire network is then at the mercy of the attacker. They no longer need anything special as they gave themselves administrative credentials to every server and every application that uses a centralized credential system. Now is this to say that we should not use a centralized credential system? Oh no no no. Without these important parts to the puzzle, IT admins would be going crazy with lost passwords and logins that may never exist in the first place. It just boils down to ensuring that your server is protected.
Now lets move on to the password complexity portion. I’m sure that you have encountered a password complexity requirement that adds on one more special character than your common password normally has. How do deal with it? Most people just add a ! at the end and call it a day. My suggestion on this one is to ensure you start off with an extremely secure password to begin with. Utilizing a password generator and manager is a little more than I want to go into at the moment but if you can generate some crazy passwords and still have security for easy access, I say go for it.
Well what about lockout and disabling of passwords in your environment? This is one item of concern that must be part of your password security policy. Some departments will cycle through employees quickly and some have rather long tenure. No matter the situation you absolutely need password lockout and expiration. If and when an employee leaves the company, that user can slip through the cracks of user removal. Or it could be that due to the employee's status at time of leave (legal issue), the user account is required to remain active so that information can be gathered as part of the legal process. By automatic lockout and password expiration, you prevent an old employee from removing items after they leave the company.
What it boils down to is putting up with the crap side of security. Inconvenience. Make sure that you have a password and account policy in place per best practices and it goes a long way for giving attackers one more hurdle to jump through if they compromise the network. Its all about the layers in security.