Hello, I work for a 100K plus employee enterprise company. We probably have the very highest number of password resets in any company anywhere. The corporate privacy and security had a recent break and we are now under some severe restrictions. I am looking for some strategies:
No outside USB drives
No password managers and no admin rights to load any software
24-digit passwords required, random with no repeat characters, and combination changed monthly
No writing passwords down on post its and putting them on monitors and technically not supposed to put them in notebooks or any form of writing
No access to external email, dropbox, or fileshare
We are currently having thousands of password resets per day within our tools and have had multiple wipes of computers from the failed number of reboots. I’m sure no one is guessing our passwords, but this has become difficult. I sort of use a key with the periodic table, jumping from element to molecular weight to next element, but it's a difficult thing to do. Our screens go to password lock after 1 min and I spend a lot of time each day logging back in. I have had several fail three times and had to request admin unlock personally, and I think I’m one of the better team members at going through this.
Is this too much? What strategies can I share internally?
It’s way too much. Requirements like these will automatically lead to what your company is trying to prevent: unsafe selection of easy passwords (not relevant in your case) and unsafe password management.
Unless you have a really good memory, you just cannot remember 24-digit passwords that change so frequently, so people have no choice but to write them down in probably not very secure places.
As far as I know, the latest NIST suggestion is to pick a good long random password and then not change it until there is a reason to do so.
There are also algorithms that create “pronounceable” random passwords, e.g.:
IdeyokiyiLouKugeburakenu
oNuDtalulagifimnotebulan
or passwords made from multiple words randomly chosen from the dictionary.
Technically somewhat less safe (less entropy) than completely random jumbled letters, but people actually have a chance to remember them without unsafe practices like writing them down.
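As an added illustration (not from the thread), here is a script that puts numbers on the comparison above: the 24-character no-repeat rule from the original post against random-with-repeats, pronounceable, and word-list passwords. The consonant-vowel alternation model, the tiny word list and the 94-symbol character set are assumptions made for the example.

```python
import math
import secrets
import string

# Constructed example: compare guessing entropy of the password styles
# discussed above under a few simple, clearly labelled models.

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                       # 5 letters
# Constructed tiny word list standing in for a real diceware list (7776 words).
WORDS = ["anvil", "bishop", "copper", "dusk", "ember", "fjord", "gravel", "hatch"]

def entropy_random(length: int, alphabet_size: int) -> float:
    """Bits for `length` symbols drawn uniformly with replacement."""
    return length * math.log2(alphabet_size)

def entropy_no_repeats(length: int, alphabet_size: int) -> float:
    """Bits when repeated characters are forbidden: an ordered selection
    without replacement (a permutation), so slightly fewer bits than above."""
    if length > alphabet_size:
        raise ValueError("cannot avoid repeats: length exceeds alphabet size")
    return sum(math.log2(alphabet_size - i) for i in range(length))

def entropy_pronounceable(length: int) -> float:
    """Assumed model: strict consonant-vowel alternation, each letter uniform."""
    syllable = math.log2(len(CONSONANTS)) + math.log2(len(VOWELS))
    return (length // 2) * syllable + (length % 2) * math.log2(len(CONSONANTS))

def entropy_wordlist(words: int, list_size: int) -> float:
    """Bits for `words` words drawn uniformly from a list of `list_size`."""
    return words * math.log2(list_size)

def generate_no_repeat_password(length: int = 24, alphabet: str = PRINTABLE) -> str:
    """Builds a password that meets the 24-character, no-repeated-character rule."""
    pool = list(alphabet)
    return "".join(pool.pop(secrets.randbelow(len(pool))) for _ in range(length))

def generate_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Random words from the (constructed) list, diceware style."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    print(f"24 random printable:      {entropy_random(24, 94):.1f} bits")
    print(f"24 printable, no repeats: {entropy_no_repeats(24, 94):.1f} bits")
    print(f"24-letter pronounceable:  {entropy_pronounceable(24):.1f} bits")
    print(f"6 diceware words (7776):  {entropy_wordlist(6, 7776):.1f} bits")
    print(generate_no_repeat_password())
    print(generate_passphrase())
```

The no-repeat rule costs a few bits rather than adding any, and a six-word passphrase lands in the same range as the pronounceable strings while being far easier to retain.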
The lack of password managers with a relatively strong master password would make this almost impossible to remember. And having to be exactly 24 characters makes it hard, too. Whoever is in charge of this policy needs to have a real hard look at it, because it looks like it's just gonna waste a lot of people’s time and result in more people getting their accounts phished.
My company is triple the size of yours and has even shittier policies.
For employees
Password managers are forbidden
Min 12 character password for Windows, must be changed every 90 days
Security keys are disabled
Microsoft Authenticator is used as MFA
Got an internal custom-made app for the intranet, probably made by 5-year-olds. You can reset your BitLocker PIN there.
For password sharing, you need to send it via encrypted email, and in that email copy-paste is disabled.
You need to complete some copy-paste security training every 6 months, otherwise your mails will be blocked.
Most of the sites are blocked but no one knows the reason. For example, Copilot and Gemini are enabled but ChatGPT is not. Chrome extensions are enabled but Mozilla extensions are not.
No admin rights for any users.
There are 14 security agents installed on the business laptops. Windows is using 40%ish CPU and 95% memory after 10 mins. Our IT team says this is normal, and also says swapping in an NVMe disk is normal too.
For servers
Direct connection is disabled.
Using CyberArk’s Password Vault to enter the servers. Login to PV is done via AD SSO + MFA. After 5 mins it logs the user out. My team goes nuts after that.
No password login is permitted. To change users within the server, we modify the sudoers file according to the user groups in PV.
lol holy ****. Yes, that’s way too much.
That pw policy is insane, and if you really implement it, you will be the most hated person in your organization.
I am frustrated for sure. I have learned to understand zero trust. I have learned that security must adapt.
I know it’s annoying to be “that guy,” but I’ve started doing the back-of-the-envelope math based on the number of resets, number of employees, number of locked-out laptops, and average length of time to type this in on a dotted-out prompt without a way to view what you are typing, and it’s taking some serious man-hours per day for the employees across the enterprise.
Sometimes I feel like the sophistication of the intrusions is winning the war just by the level of complexity of the protection.
Example: one idiot puts a bomb in his shoe that doesn’t go off and we spawn millions of minutes of time and energy to all take our shoes off and put them in bins at the airport.
If my goal as a jerk group with hackers and scripters were to both extort money and waste time for industries, I would obviously attempt a ransom but also make the response as painful for that industry as possible: (making this up)
Somehow make the executives convinced that Bluetooth is vulnerable and “until further notice, no more devices can operate on enterprise computers using Bluetooth”
Yeah, unfortunately security theater (TSA-style) is often more appealing than actual security to executives.
If you’re in a position to make suggestions, your company should really try and follow the NIST SP 800-63-3 guidelines. Many of the practices currently in use are the exact opposite of the best practices described in that text.
(I’ll link to a summary someone wrote since the full text is pretty verbose)
You don’t need admin rights to load or run unknown software, as long as you have no application control.
A 100K+ employee company should at least somewhat know what it is doing for IT security. If it does not, you will have a hard time and password policies will be your least problem.
Not a good sign.
Yes
Make password usage easier. Requirements for secure passwords are good in general, but requiring a new password after a certain period of time is nonsense, and the same goes for an overly strict retry lockout policy, which locks out too many employees and causes fatigue for IT support, which can blow additional holes in your system. Instead, require 2FA and make use of hardware-backed solutions like Windows Hello, which are phishing-resistant and have hardware throttling. Also, there are much more important problems to solve in IT security in such a large company than password policies, for example application control for all users (software developer PCs require exclusions, thus need other forms of isolation from the rest of the company) and lockdown of admin PCs, domain controllers and servers.