  1. #1
    2 Star Lounger
    Join Date
    Dec 2009
    Thanked 5 Times in 4 Posts

    Is this a realistic server password policy?

    I'm helping a client who has contracted with a 3rd party for a Windows 2012 cloud server. Since we are in start-up mode and he has been traveling, he has only gotten back to this process this week. When he attempted to log on, the RDP client informed him that his password had expired and he could not get any further. After contacting his server provider, we found that they have a password expiration of 42 days, after which a new password must be set within one day (at least that is what their list of password settings implied). I've asked them to clarify whether this is one day after the next log-in, but after I sent that, it occurred to me that a "day 43" window seemed to be what my client experienced. This would be critical because not all of his users may be on the server every day and the idea that they would have to keep track of which day they are on seems counter-productive.

    Is this one-day window a typical security policy for a server? On the other hand, it might be due to the RDP utility not allowing him to proceed to the Windows log-in screen (since the credentials had been saved).

    Any comments or advice about this? Thanks!

  2. #2
    WS Lounge VIP mrjimphelps's Avatar
    Join Date
    Dec 2009
    Thanked 485 Times in 451 Posts
    There is no reason why your client couldn't restrict himself to a shorter time than 42 days. He could tell everyone in the company that they need to change their password within one month. They then have about 11 extra days of "grace" period to change their password. Also, people can set up Outlook (or whatever office suite they use) to send them a reminder on a particular date every month, reminding them to change their passwords.

    As far as how many days someone has to change their password once it expires, if they aren't handling super-sensitive information, then I think one day is too restrictive. One week is more reasonable.

    And they need to have a way to remotely change their password. Otherwise, they need to have a lot more time all around.

  3. #3
    WS Lounge VIP Lugh's Avatar
    Join Date
    Jun 2010
    Thanked 287 Times in 239 Posts
    Tangential to your Q, but I'd think twice about using a host which insists on such a policy.

    Strong passwords are a good idea.

    Frequent changing of passwords is a bad idea.

    Security Myths and Passwords (Purdue University, 2006)

    Are there any studies for or against frequent password changes? (Stack Overflow, 2009)

    Why you shouldn't change your passwords regularly (Network World, 2014)

    Changing your password regularly is a terrible idea, and here's why (ZDNet, 2016)

    Should You Change Your Passwords Regularly? (How-To Geek, 2016)

    Time to rethink mandatory password changes (FTC, 2016)

    Unless you think your password might be compromised, don't change it (Bruce Schneier, 2014)

    Want Safer Passwords? Don't Change Them So Often (Wired, 2016)

    Why change your password(s) regularly? (Windows Secrets, 2014)

    Using Strong Passwords

    How to create a strong password (Kaspersky)

    How Do I Create a Strong and Unique Password? (Webroot)

    Password Protection: How to Create Strong Passwords (PC Mag) [ouch, the ads!]

    How to Create a Strong Password (and Remember It) (How-To Geek)

    Choosing and Protecting Passwords (US-CERT)

    PS the best password to use is…
    …because if you forget it, the login error message will remind you
    Last edited by Lugh; 2018-05-04 at 17:49.
    Dell Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
    i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 2 x 256G SSD, 4TB HD

  5. #4
    WS Lounge VIP
    Join Date
    Dec 2009
    Thanked 1,172 Times in 1,089 Posts
    I assume it's a private server, not a shared resource, so he can decide his own password policy.
    As Lugh pointed out, mandatory password change does not improve security; even NIST no longer recommends it.
    You should use a two-factor authentication system for people with public access and standard user/pass if the access is physically restricted.

    cheers, Paul
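As an added example (not code posted by anyone in this thread), here is a PowerShell report an administrator could run on the server itself to see the effective maximum password age and which local accounts are already expired or about to expire, so users who are not on the server every day can be warned before the post-expiry window closes. The function names and the 7-day warning threshold are assumptions; it needs the LocalAccounts module (PowerShell 5.1, or WMF 5.1 on Server 2012).

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Requires Get-LocalUser (LocalAccounts module, PowerShell 5.1 / WMF 5.1).

function Get-LocalPasswordPolicy {
    # 'net accounts' prints the effective local policy; pull the two age fields.
    $text = (& net accounts) -join "`n"
    $max = [regex]::Match($text, 'Maximum password age \(days\):\s+(\S+)').Groups[1].Value
    $min = [regex]::Match($text, 'Minimum password age \(days\):\s+(\S+)').Groups[1].Value
    [pscustomobject]@{ MaximumAgeDays = $max; MinimumAgeDays = $min }
}

function Get-PasswordExpiryReport {
    param([int]$WarnDays = 7)   # flag anyone whose password expires within this many days
    $now = Get-Date
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        $expires = $_.PasswordExpires      # $null when the password never expires
        if ($null -eq $expires) {
            $daysLeft = $null
            $status   = 'NeverExpires'
        } else {
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)
            $status = if ($daysLeft -lt 0)            { 'Expired' }
                      elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                      else                             { 'OK' }
        }
        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $expires
            DaysLeft        = $daysLeft
            LastLogon       = $_.LastLogon
            Status          = $status
        }
    }
}

# Show the configured policy, then every enabled local account sorted by urgency.
Get-LocalPasswordPolicy
Get-PasswordExpiryReport -WarnDays 7 | Sort-Object DaysLeft | Format-Table -AutoSize
```

Domain accounts are not covered by Get-LocalUser; the same report for them would start from Get-ADUser and the msDS-UserPasswordExpiryTimeComputed attribute.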
