Comments on My own personal soapbox!: LDAP password policy - how I learned to stop worrying..
Feed last updated: 2017-12-05T06:28:10.229-08:00 (7 comments, shown oldest first)

Ami Ganguli, 2009-06-01T00:15:25.347-07:00:
Just out of curiosity, what are the arguments in favour of forcing users to change passwords often?

I hate this policy, and have frequently had to resort to numbered passwords ("normalpass1", "normalpass2", etc.), and once had to resort to writing my password on post-notes by my desk when the password program actually checked for common substrings in previous passwords and refused to let me use my numbering system.

I can't think of any realistic security benefit from the policy.

Aravind, 2009-06-19T12:33:38.098-07:00:
That's a whole can of worms. I can only point you to stuff I have researched on the topic. You are right in that users using a scheme like that negate the benefits from the policy. The hope is that users will not do that if you make the policy sufficiently usable. Things like allowing pass phrases instead of passwords help. Here is my take - quoted from our internal discussions.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The threat we are trying to guard against is that of a leaked or compromised password staying valid for a while. Changing this password every so often mitigates that threat. I am open to proposals that are effective in mitigating this. Why 90 days (why not 6 months, why not a year)? - that's just my take from reading a bunch of online articles and policy recommendations.

The other threat is that of trying to brute force a stolen password hash file. Our hashes are stored in LDAP and it's unlikely someone would gain access to them, but the threat does exist. This link (http://www.lockdown.co.uk/?pg=combi) gives a rough estimate of how long it would take somebody to figure out the original password. From that page, a class D system working on a 96 character space with an 8 char password length would take about 87 days to crack it.

Finally, a lot more people have spent many more hours (than me) to look into this stuff and have published guidelines on this topic.
Here are some of their recommendations.

http://www.sans.org/resources/policies/Password_Policy.pdf
http://technet.microsoft.com/en-us/library/cc784090.aspx
http://www.nccs.nasa.gov/policies/passwd.html

Also, NIST publishes an FDCC document as a guideline for general computing. Note that these are not guidelines for security sensitive environments, but general desktop guidelines. They suggest a minimum 12 character password, rotated every 60 days.

http://nvd.nist.gov/fdcc/fdcc_faqs_20070731.cfm

I am aware that Bruce Schneier and other experts disagree, but I'd rather err on the side of caution.

Damian, 2017-12-01T11:56:20.540-08:00:
Do you know if this patch is still maintained anywhere?

Aravind, 2017-12-01T13:29:52.157-08:00:
Nope, I haven't been maintaining it - nor am I aware of others maintaining it. I haven't kept track of the OpenLDAP internal changes in the recent releases.

Damian, 2017-12-04T12:17:07.524-08:00:
Thanks... It's quite surprising (and frustrating) that this simple issue keeps being overlooked by OpenLDAP.
Now I'm hitting the same problem you describe and I have no sane way to keep users who change their passwords from locking themselves out.

Aravind, 2017-12-04T13:10:13.163-08:00:
Yeah.. it was a huge pita for us at the time. You might want to try applying those patches against the modern OpenLDAP releases and see if it applies cleanly. Chances are, it won't. If the guts of it are still similar, you might be able to patch it slightly and make it work.

Damian, 2017-12-05T06:28:10.229-08:00:
Oh yeah, that's the first thing I tried =). What worries me is that I'm using standard openldap packages and compiling my own version will force me to choose between redoing the work every time there's a security patch or excluding openldap from updates.

Thanks again Aravind.