The Limitations Of Technical Controls

By Author: Alyssa
Total Articles: 128
Comment this article

Where technical controls can be used to enforce password policy, they should be used. However, the designer should understand their limitations:

The password complexity requirement might not provide any additional security unless users are trained in producing strong passwords. Using this control will force users to create passwords using characters, numbers, and symbols, and this will prevent casual password guessing. However, password-cracking products can quickly crack some these combinations, especially if they are able to use the LM password hash.

Users might write down passwords in easily discovered places. This is especially true where passwords must be complex, long, and change frequently. Research has shown that seven is the maximum number of letters or numbers that most people can easily remember.

See Also Bell Labs did a lot of research on memory in the early days of telephones. One thing that the company learned was that the optimum number of digits people could remember was seven. This is why, at least in the United States, telephone numbers are seven digits long. You can read ...
... more at certification provider(http://www.buyitexam.com).

Users might share passwords with co-workers.

If one character in the password is changed before submitting it as a new pass-word, the operating system sees it as a new password. The history requirement will not prevent this type of password reuse. To an attacker who knows an old password, the obvious strategy when refused its use is to change one character and try again. Attackers know the typical user will change the last character because this change is more easily remembered.

Users forget their password and must have it reset. This means somebody must have the power to do so for them. The typical resource for password changes is the Help Desk. A strong Help Desk policy, training, and enforcement practice must be used to ensure that this privilege is not abused.

If a password is administratively reset, the user must change his password because the person who reset it also knows it. This can be forced by setting the account

property User Must Change Password At Next Logon. However, if this is not set, the user might not remember to change her password on her own. The individual who resets the password might realize this and use the opportunity to take advantage of a MCSA Exam(http://www.mcsa-70-290.com).

There is no technical control to enforce a user-by-user change in password strength policy. Often various areas of the organization have different needs for stronger passwords. Administrators and those with access to sensitive information should be required to use stronger passwords. However, there is no technical way to do so. The need to use one password policy per domain weakens the policy.

Planning A domain can have only one password policy. Separate password policies can be configured in GPOs linked to OUs. However, that policy will affect only the local account database of the computers that reside in the domain.

If one character in the password is changed before submitting it as a new pass-word, the operating system sees it as a new password. The history requirement will not prevent this type of password reuse. To an attacker who knows an old password, the obvious strategy when refused its use is to change one character and try again. Attackers know the typical user will change the last character because this change is more easily remembered.

Users forget their password and must have it reset. This means somebody must have the power to do so for them. The typical resource for password changes is the Help Desk. A strong Help Desk policy, training, and enforcement practice must be used to ensure that this privilege is not abused.

If a password is administratively reset, the user must change his password because the person who reset it also knows it. This can be forced by setting the account

property User Must Change Password At Next Logon. However, if this is not set, the user might not remember to change her password on her own. The individual who resets the password might realize this and use the opportunity to take advantage of that knowledge.

There is no technical control to enforce a user-by-user change in password strength policy. Often various areas of the organization have different needs for stronger passwords. Administrators and those with access to IT certification(http://www.buyitexam.com) should be required to use stronger passwords. However, there is no technical way to do so. The need to use one password policy per domain weakens the policy.

Planning A domain can have only one password policy. Separate password policies can be configured in GPOs linked to OUs. However, that policy will affect only the local account database of the computers that reside in the domain.