Security: Need help with statement, password should be complex to xxxxx standards?
Queue
Hello,
I have received a request from our security team to create accounts using "password should be complex to "x" standards."
Would you take this as make it our standard reset password, or to make it more complex than our standard reset password and for it to be different?
The password will be set to never expire, so this will be the password for the duration of the account.
This is just a quick question if anyone can provide guidance, as it is after hours here at the moment.
Thanks
Comments
TheFORCE
Usually when you receive a request like that, it means that someone has identified a lack of control in your password policy, or that your password policy, even though it might exist, is not being followed correctly. Meaning, you have a policy that specifically calls for passwords to be complex, but the Helpdesk for some reason resets the passwords to simple passwords. Someone from your security team picked up on this, and now they are telling you that passwords need to follow the policy and not whatever everyone on the Helpdesk wants.
kiki162
Unless you are subject to compliance requirements, I'd revise that statement. Say something like "passwords will be complex using x characters".
Queue
In Active Directory we have a minimum length requirement, password history, and password complexity. If resetting a user's AD password, we use the same password and have "User must change password at next logon" checked. These specific accounts for vendors will have the password set to never expire, thus not able to change at next logon. Would a security administrator expect me to use our go-to standard for password resets, or to make a unique password for these few accounts that follows our policy?
jeremywatts2005
I believe your answer lies in this article
Complex password compliance requirements made simple
Queue
I was able to get in touch through email and provided an answer. Thank you all for the help. The answer was for me to randomly generate passwords per our policy.
TheFORCE
Never use the same password when resetting accounts and never set password never expires for vendor accounts. You are asking for a finding with that statement. Only service accounts should have password never expire and even those accounts should be changed periodically.
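The outcome of the thread (a randomly generated, distinct password per account that still satisfies the Active Directory policy) can be sketched as follows. This is an added example, not part of any post above; the 14-character minimum, the symbol set, the function names and the account names are assumptions to be replaced with the domain's real settings.

```python
import secrets
import string

# Assumed policy values; substitute the domain's real settings.
MIN_LENGTH = 14
SYMBOLS = "!@#$%^&*()-_=+[]{}"
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def meets_policy(password, account_name):
    """Check minimum length, 3 of 4 character classes, and no embedded account name."""
    if len(password) < MIN_LENGTH:
        return False
    classes_used = sum(any(ch in cls for ch in password) for cls in CLASSES)
    if classes_used < 3:
        return False
    # Names shorter than three characters are skipped; they would match by chance.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return True


def generate_password(account_name, length=20):
    """Draw from the OS CSPRNG and retry until the candidate passes the policy."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, account_name):
            return candidate


def generate_for_accounts(account_names, length=20):
    """Return {account: password} with a distinct password for every account."""
    issued = {}
    for name in account_names:
        password = generate_password(name, length)
        while password in issued.values():  # collision is very unlikely, still enforced
            password = generate_password(name, length)
        issued[name] = password
    return issued


if __name__ == "__main__":
    # Constructed account names for illustration.
    for account, pw in generate_for_accounts(["vendor-acme", "vendor-globex"]).items():
        print(account, pw)
```
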