
Password Policy

Discussion in 'Windows Security' started by Eric, Aug 10, 2009.

  1. Eric

    Eric Guest

    I have a network that I have to upgrade their password policy. I am aware of
    best practice and how it says I should do it, however the users in the
    network are terrified of change. I was just wondering if anyone has been in
    this situation and had any suggestions in how to proceed.
     
  2. 1PW

    1PW Guest

    Eric wrote:
    > I have a network that I have to upgrade their password policy. I am aware of
    > best practice and how it says I should do it, however the users in the
    > network are terrified of change. I was just wondering if anyone has been in
    > this situation and had any suggestions in how to proceed.

    Hello Eric:

    What is bringing about the policy change? You alone? Your suggestion
    to management? Management alone? Other? Please detail the type of
    practices you intend to implement.

    How many user accounts are involved? Is management in the habit of
    putting their policy changes out in writing? Are you an employee of
    the network owner or an outside contractor?

    Is the network part of a small, medium, large company? Corporation?
    Local, state, federal government?

    Pete
    --
    1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
     
  3. Tom Willett

    Tom Willett Guest

    So, are they terrified that they'll need to learn a new password?

    "Eric" <Eric@discussions.microsoft.com> wrote in message
    news:9A290952-A6B2-4CEA-89EF-3517C7FCD3F2@microsoft.com...
    : I have a network that I have to upgrade their password policy. I am aware of
    : best practice and how it says I should do it, however the users in the
    : network are terrified of change. I was just wondering if anyone has been in
    : this situation and had any suggestions in how to proceed.
     
  4. Wilson, Phil

    Wilson, Phil Guest

  5. Tom Willett

    Tom Willett Guest

  6. Probably just a longer 'password history' list and they have run out of
    pet's names.

    "Tom Willett" <tom@youreadaisyifyoudo.com> wrote in message
    news:%23LzH6ErGKHA.3428@TK2MSFTNGP04.phx.gbl...
    > Oh, goodness. That would be awful.
    >
    >
    > "Wilson, Phil" <philw@wonderware.nospam.com> wrote in message
    > news:A7483C23-B4FC-44FA-84F8-29C08E1991B0@microsoft.com...
    > : I suspect they're terrified that they'll have to meet complexity rules and
    > : change their passwords more often.
    > : --
    > : Phil Wilson
    > : The Definitive Guide to Windows Installer
     
  7. Tom Willett

    Tom Willett Guest

    Well, they could always use birth dates.

    "FromTheRafters" <erratic @nomail.afraid.org> wrote in message
    news:eSWMHorGKHA.4732@TK2MSFTNGP04.phx.gbl...
    : Probably just a longer 'password history' list and they have run out of
    : pet's names.
     
  8. Jordan

    Jordan Guest

    The best way to handle your users is to give them examples of ways they can
    easily make a password and have it fit into the requirements. For example I
    have the standard Windows complex PW scheme enabled with a min of 6
    characters. I don't even tell the users about being able to use special
    characters because their head would explode. I tell them to get a name or
    something with the 6 characters and alter the letters to a number. Names of
    people or places work great because you would normally capitalize the first
    letter anyway like:

    Charl3s
    B0st0n
    Ju11ian

    Even something as simple as this is going to be tough for some terrified
    users. I had to sit with one user for 15 minutes once because no matter
    what he typed he never met the criteria and half the time I could see by the
    counts of the dots on the screen he was not typing the same amount of
    characters for the confirming box as the first.

    What probably brought the change is some Accounting weenie that knows
    nothing about network security told him they would fail a SOX audit if they
    did not make some complex password rule and have it expire every 90 - 120
    days.

    I really get a kick out of the hypocrisy of those accounting weenies telling
    IT folk about what we should be requiring when every single financial
    institution that passes out credit cards or ATM cards only requires a 4
    numeric digit PIN that never expires.

    When I was first told to make sure we enabled the complex requirement
    instead of just the minimum character I knew it was going to be a big PITA.
    I had to go from office to office for months and check for sticky pads on
    monitors and under keyboard for the users' passwords and then have to give
    them the talk about how they can't do that. Eventually they do get used to
    it.


    "1PW" <barcrnahgjuvfgy@nby.pbz> wrote in message
    news:h5puto$164$1@news.eternal-september.org...
    > Eric wrote:
    >> I have a network that I have to upgrade their password policy. I am aware of
    >> best practice and how it says I should do it, however the users in the
    >> network are terrified of change. I was just wondering if anyone has been in
    >> this situation and had any suggestions in how to proceed.
    >
    > Hello Eric:
    >
    > What is bringing about the policy change? You alone? Your suggestion
    > to management? Management alone? Other? Please detail the type of
    > practices you intend to implement.
    >
    > How many user accounts are involved? Is management in the habit of
    > putting their policy changes out in writing? Are you an employee of
    > the network owner or an outside contractor?
    >
    > Is the network part of a small, medium, large company? Corporation?
    > Local, state, federal government?
    >
    > Pete
    > --
    > 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
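
The rule discussed in the post above, as an added example that is not part of the original thread: a Python re-implementation of the documented Windows "Password must meet complexity requirements" check (with simplified symbol handling), followed by a screening step that undoes digit-for-letter swaps and compares the result with a blocklist. The blocklist, the substitution map and all function names are assumptions constructed for this example; the three sample passwords are the ones from the post.

```python
import re
import string

MIN_LENGTH = 6  # minimum length quoted in the post

# Constructed blocklist for this example; a real screen would load a large
# list of names, places and dictionary words.
BLOCKLIST = {"charles", "boston", "julian", "password", "welcome"}

# Assumed digit/symbol-for-letter map, not exhaustive. '1' can stand for
# 'i' or 'l', so both readings are tried.
SUBSTITUTIONS = {"0": "o", "1": "il", "3": "e", "4": "a",
                 "5": "s", "7": "t", "@": "a", "$": "s"}


def categories(password):
    """Character categories of the Windows complexity rule found in password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch.isalpha():
            found.add("other-alpha")  # caseless alphabetic characters
        else:
            found.add("symbol")  # simplification: anything left over
    return found


def meets_windows_complexity(password, account_name="", display_name=""):
    """Length, three-of-five categories, and no account/display name inside."""
    if len(password) < MIN_LENGTH or len(categories(password)) < 3:
        return False
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        return False
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return True


def squeeze(text):
    """Collapse runs of a repeated character: 'jullian' -> 'julian'."""
    return re.sub(r"(.)\1+", r"\1", text)


def blocklist_hit(password):
    """Blocklisted word the whole password reduces to, or None."""
    readings = {""}
    for ch in password.lower():  # grows 2x per ambiguous character
        readings = {r + o for r in readings for o in SUBSTITUTIONS.get(ch, ch)}
    squeezed = {squeeze(word): word for word in BLOCKLIST}
    for reading in readings:
        letters = re.sub(r"[^a-z]", "", reading)
        if squeeze(letters) in squeezed:
            return squeezed[squeeze(letters)]
    return None


def screen(password, account_name="", display_name=""):
    """(passes complexity rule, blocklisted word it reduces to or None)."""
    return (meets_windows_complexity(password, account_name, display_name),
            blocklist_hit(password))


if __name__ == "__main__":
    for sample in ("Charl3s", "B0st0n", "Ju11ian", "boston", "correct-Horse-42"):
        print(sample, screen(sample))
```

All three sample passwords satisfy the complexity rule and are still flagged by the blocklist step, which is the case a name-based screen is meant to catch when users choose their own passwords.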
     
  9. Tom Willett

    Tom Willett Guest

    In our domain, we in IT decide the passwords and tell the users what they
    are.

    "Jordan" <nospam@here.com> wrote in message
    news:eRxh0$7GKHA.4376@TK2MSFTNGP03.phx.gbl...
    : The best way to handle your users is to give them examples of ways they can
    : easily make a password and have it fit into the requirements. For example I
    : have the standard Windows complex PW scheme enabled with a min of 6
    : characters. I don't even tell the users about being able to use special
    : characters because their head would explode. I tell them to get a name or
    : something with the 6 characters and alter the letters to a number. Names of
    : people or places work great because you would normally capitalize the first
    : letter anyway like:
    :
    : Charl3s
    : B0st0n
    : Ju11ian
    :
    : Even something as simple as this is going to be tough for some terrified
    : users. I had to sit with one user for 15 minutes once because no matter
    : what he typed he never met the criteria and half the time I could see by the
    : counts of the dots on the screen he was not typing the same amount of
    : characters for the confirming box as the first.
    :
    : What probably brought the change is some Accounting weenie that knows
    : nothing about network security told him they would fail a SOX audit if they
    : did not make some complex password rule and have it expire every 90 - 120
    : days.
    :
    : I really get a kick out of the hypocrisy of those accounting weenies telling
    : IT folk about what we should be requiring when every single financial
    : institution that passes out credit cards or ATM cards only requires a 4
    : numeric digit PIN that never expires.
    :
    : When I was first told to make sure we enabled the complex requirement
    : instead of just the minimum character I knew it was going to be a big PITA.
    : I had to go from office to office for months and check for sticky pads on
    : monitors and under keyboard for the users' passwords and then have to give
    : them the talk about how they can't do that. Eventually they do get used to
    : it.
     
  10. Jordan

    Jordan Guest

    That would take a lot of frustration out of the task, but when we assign the
    passwords to the users they can claim it was not them if there is any issue
    because we know their password too.


    "Tom Willett" <tom@youreadaisyifyoudo.com> wrote in message
    news:%23Jt8ZVBHKHA.4436@TK2MSFTNGP04.phx.gbl...
    > In our domain, we in IT decide the passwords and tell the users what they
    > are.
     
  11. Tom Willett

    Tom Willett Guest

    Very strange relationship your IT has with employees. One in a million, I'd
    guess. Of course, it appears you let THEM run the operation. If you had a
    specific written Internet/Network usage policy that they were required to
    sign, you might be able to assume control.

    Sigh.
    "Jordan" <nospam@here.com> wrote in message
    news:umEjXiHHKHA.5956@TK2MSFTNGP03.phx.gbl...
    : That would take a lot of frustration out of the task, but when we assign the
    : passwords to the users they can claim it was not them if there is any issue
    : because we know their password too.
     
  12. They can always claim that, can't they? I mean the role of administrator
    grants you the ability to make an 'issue' even without knowing a
    password, doesn't it?

    "Jordan" <nospam@here.com> wrote in message
    news:umEjXiHHKHA.5956@TK2MSFTNGP03.phx.gbl...
    > That would take a lot of frustration out of the task, but when we
    > assign the passwords to the users they can claim it was not them if
    > there is any issue because we know their password too.
     
