Passwords: everyone's favorite topic

Steve Riley writes about our favorite topic to beat into the ground, passwords. He hits three key points: account lockouts, disabling unused accounts, and password expiration.
I more or less agree with him about account lockouts. They are a poor substitute for good passwords. They cause (a few) calls to the helpdesk, and they open a vulnerability to a denial of service attack. The problem is how you then enforce the 15-character passphrase that he recommends. While it is both more memorable and more secure, that doesn't mean it won't get fought hard.
Can you really do away with account lockouts? Lockouts are still seen by many as a requirement for account security. I heard a story recently of a satellite ground system that wanted to lock out their operators' accounts until an administrator could perform a reset. During the night the operators would be unable to access their terminals because the administrators only worked during the day. The computer systems are in a secure area on a private network. Does the perceived benefit of account lockout justify the threat to the satellite and its data? I'd say no. Section AC-7 of NIST SP 800-53 lists requirements for account lockouts. If you've got an audit, account lockouts are probably on the list of things they are looking for.
Steve pretty much says that disabling unused accounts is an HR problem. While it is true that the accounts process needs to be hooked into HR, this will only give you hires, terminations, and if you're lucky people transitioning to an "on-call" role. If you have a policy that an account is created for every employee, there will be employees who don't use the accounts.
Finding a good program or script to disable unused accounts is not easy. You want it to run on a schedule; you don't want to have to do this yourself manually. It must be able to exclude users by account name, security group or OU. It must be able to notice when "password never expires" is set so it ignores those accounts. If you're running a Windows 2000 domain it needs to collect last logon from each domain controller and find the most recent time for each account. In a Windows 2003 domain, there is an AD account attribute that collects this and replicates it for you. Lastly it must be able to disable the account without modifying the other attributes. This is kind of a pain since the account disable attribute is actually part of userAccountControl, which stores a bunch of things.
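As an added example (not from the original post or any particular product), here is the decision logic of such a script as a dry run over constructed account records: newest lastLogon across domain controllers, exclusions by name, group and OU, skipping "password never expires", and setting only the disable bit in userAccountControl. The account data, DC names and OU paths are made up; the two userAccountControl bit values are the real ones.

```python
"""Dry run of a stale-account sweep over constructed sample data."""
from datetime import datetime, timedelta

# Real userAccountControl flag values (ADS_USER_FLAG enum).
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000
NORMAL_ACCOUNT = 0x0200

# Constructed sample. On a Windows 2000 domain lastLogon is not replicated,
# so each account carries one timestamp per DC (None = never logged on there).
NOW = datetime(2006, 1, 1)
ACCOUNTS = [
    {"sam": "alice", "uac": NORMAL_ACCOUNT, "ou": "OU=Staff", "groups": [],
     "lastLogon": {"dc1": NOW - timedelta(days=5), "dc2": NOW - timedelta(days=200)}},
    {"sam": "bob", "uac": NORMAL_ACCOUNT, "ou": "OU=Staff", "groups": [],
     "lastLogon": {"dc1": NOW - timedelta(days=120), "dc2": None}},
    {"sam": "svc_backup", "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, "ou": "OU=Service",
     "groups": [], "lastLogon": {"dc1": None, "dc2": None}},
    {"sam": "carol", "uac": NORMAL_ACCOUNT, "ou": "OU=Staff", "groups": ["OnCall"],
     "lastLogon": {"dc1": NOW - timedelta(days=400), "dc2": None}},
    {"sam": "dave", "uac": NORMAL_ACCOUNT, "ou": "OU=Contractors", "groups": [],
     "lastLogon": {"dc1": None, "dc2": NOW - timedelta(days=95)}},
]

def most_recent_logon(account):
    """Take the newest lastLogon seen on any DC; None if never logged on anywhere."""
    stamps = [t for t in account["lastLogon"].values() if t is not None]
    return max(stamps) if stamps else None

def is_stale(account, max_idle_days, exclude_names=(), exclude_groups=(), exclude_ous=(), now=NOW):
    """Explicit exclusions first, then 'password never expires', then the idle threshold."""
    if account["sam"] in exclude_names or account["ou"] in exclude_ous:
        return False
    if any(g in exclude_groups for g in account["groups"]):
        return False
    if account["uac"] & DONT_EXPIRE_PASSWD:
        return False
    last = most_recent_logon(account)
    if last is None:
        return True  # never used; a production job should also check whenCreated
    return (now - last).days > max_idle_days

def disable(uac):
    """Set only ACCOUNTDISABLE; every other userAccountControl flag is preserved."""
    return uac | ACCOUNTDISABLE

def stale_accounts(max_idle_days=90, **exclusions):
    """Names of accounts the scheduled job would disable under these exclusions."""
    return [a["sam"] for a in ACCOUNTS if is_stale(a, max_idle_days, **exclusions)]
```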
Password expiration helps prevent the bad guy from having access forever if he does penetrate the account. It also annoys the crap out of people who are sharing accounts (against policy). To me it makes sense for sensitive accounts to be changed more often than regular accounts. I don't think this can be done with Windows currently. I recently used Anixis Password Policy Enforcer to create a separate 60 day expiration for users with domain administrator privileges. (Regular users have a 90 day expiration.)
Password policies generate a lot of discussion. It's like "is antivirus dead": every 6-12 months someone kicks off the same discussion.