Today when I signed on I got a bit of a shock. The computer warned me that my password was going to expire in 5 days, and I should probably consider changing it.
It was a shock because this is my computer, and I go along with current password aging thinking, which is that a) we can’t figure out who first figured that password aging was all that hot an idea, and b) if it ever was a good idea, in the modern computing environment, password aging is a non-starter. Given that passwords should probably exceed 20 characters, and likely should be somewhat complex, trying to get people to choose a good one more than once every few years (when rainbow tables have been extended) is likely more security compromising than enhancing.
So, I went looking. Having dealt with security for a number of years, it wasn’t too hard for me to figure out that I didn’t want the Control Panel (since I hadn’t seen anything along that line while I was modifying other settings), and that I likely wanted “Administrative Tools,” and under that “Local Security Policy.” I had to read through all the options to determine that I probably wanted “Account Policies,” but, under that, it was obvious I wanted “Password Policy,” and, once there, “Maximum password age” stood out. With no particular options or actions visible, I went back to the menu bar until I found that “Action” had a “Properties” function, bringing up a dialog box with an entry box with a number in it. I figured that setting it to zero might turn off password aging, but I didn’t want to do anything that might require me to set a new password every time I signed on, so, when I saw that one of the tabs was “Explain,” I chose that.
(Allow me to digress for just a second here, and note that I suspect that the average home or small office user would not have found it easy to find this setting, and thus would have been stuck with the default. And all that that implies.)
The explanation did confirm that setting the number of days to zero does mean the passwords never expire. But it also told me that “It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user’s password and have access to your network resources.”
Microsoft, you’ve got to be kidding. If an attacker has enough access to your system in order to start cracking your passwords, then they’ll almost certainly succeed within a few days. Unless you’ve chosen a really, really good password, in which case it might be some years. So 30 to 90 days makes very little sense. (And, if you’re really serious about the maximum of 90 days, how come the entry box allows up to 999?)
But then, right down at the bottom, it tells me that “Default: 42.”
Oh, sorry, Microsoft. Obviously you are kidding. Nobody could take that seriously as a default.
(But then, why is that the default, and why is it enabled by default? …)
The issue prompted a little more thinking on my part. Was it really 37 days (42 minus 5) since I’d installed the machine? Ah, but then, it couldn’t be. As previously noted, I had to take it back to the store to clear up some OS registration issue. They, of course, didn’t ask what password I’d set, they just blew off the passwords. So, the 37 days would start from that point, wouldn’t it?
Well, apparently not. When I checked my journal, it was obvious that the 37 days started when I first started setting up the computer, not when the store eliminated the passwords.
Interesting version of “history” there, Microsoft …
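For anyone who would rather not click through Local Security Policy, the same three things the post works through by hand (reading the “Maximum password age” value, finding out when the 42‑day clock actually started, and setting the value to 0 / “never expire”) can be done from an elevated PowerShell prompt. This is an added example, not code from the original post; it assumes Windows 10/11 or Server 2016+ for the `Get-LocalUser`/`Set-LocalUser` cmdlets (`net accounts` itself exists on older versions as well), and the account name in the last line is a placeholder.

```powershell
# Added example, not from the original post. Assumes Windows 10/11 or Server
# 2016+ (Microsoft.PowerShell.LocalAccounts module) and an elevated prompt.

# --- 1. Read the effective local policy -------------------------------------
# "Maximum password age (days)" here is the same value the GUI shows under
# Local Security Policy > Account Policies > Password Policy. A fresh install
# reports 42; the GUI value 0 is reported here as "Unlimited".
$policy = net accounts
$policy

$maxAgeText = ($policy |
    Select-String 'Maximum password age \(days\):\s+(\S+)').Matches[0].Groups[1].Value

if ($maxAgeText -eq 'Unlimited') {
    'Password aging is disabled.'
} else {
    "Passwords expire after $maxAgeText days."
}

# --- 2. See when the clock actually started ----------------------------------
# PasswordLastSet is the timestamp the expiry countdown runs from, and
# PasswordExpires is the date the policy derives from it. Comparing these with
# the day the machine was set up answers the "37 days from when?" question.
Get-LocalUser |
    Where-Object Enabled |
    Select-Object Name, PasswordLastSet, PasswordExpires,
        @{ Name = 'DaysSinceSet'
           Expression = {
               if ($_.PasswordLastSet) {
                   [int]((Get-Date) - $_.PasswordLastSet).TotalDays
               }
           } } |
    Format-Table -AutoSize

# --- 3. Change the policy ----------------------------------------------------
# Command-line equivalent of typing 0 into the "Maximum password age" box:
net accounts /maxpwage:unlimited

# Or, if an expiry is wanted, any value from 1 to 999 days (Microsoft's own
# "Explain" text recommends 30 to 90):
# net accounts /maxpwage:90

# Per-account alternative that leaves the machine-wide policy alone
# ('YourAccountName' is a placeholder):
# Set-LocalUser -Name 'YourAccountName' -PasswordNeverExpires $true
```

Two caveats: on a domain-joined machine the local setting is overridden by whatever the domain’s Group Policy says, so `net accounts` will show the effective value but `net accounts /maxpwage:...` will not stick past the next policy refresh; and Microsoft has since stopped recommending periodic expiry at all (the Windows 10 security baseline dropped the password-expiration setting in 2019, in line with NIST SP 800-63B), so a value of 0 here is now the vendor’s own position rather than a deviation from it.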