Security Basics mailing list archives
RE: Two Factor authentication and changing passwords
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 5 Jan 2006 09:59:12 -0500
Brian,

What a good question. My guess is that there isn't any empirical analysis (i.e. mathematical risk calculations), so all we can do is speculate. My feeling is that, all other things equal, it increases the min. password use time period, but going to the other extreme (i.e. not changing the base password) offsets the benefits of two factor authentication.

For one, if the RSA server can be compromised, the RSA token sequence can be predicted (see Cain at www.oxid.it). Thus, if the attacker is given enough time, they can get the password and get the sequence. Changing the password/PIN at a decent interval offsets that risk.

Also, password/PINs aren't normally longer than 4 characters (numbers), so the password guessing is trivial.

Lastly, users like to re-use passwords. If you never make them change the PIN, they are more likely to use it in other non-two-factor applications (if allowed).

Personally, I'd say you could increase the interval by a factor of two or three...but beyond that my personal risk threshold starts to go back up.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
*****************************************************************

-----Original Message-----
From: Brian Johnson [mailto:brian.l.johnson () gmail com]
Sent: Wednesday, January 04, 2006 11:57 AM
To: security-basics () securityfocus com
Subject: Two Factor authentication and changing passwords

I was wondering if anyone could point me towards some recommendations for how often passwords should be changed if two-factor authentication is used. I am working with a client who thinks that using SecurID tokens means they should never have to change their passwords but I am not comfortable with this.
Current thread:
- Two Factor authentication and changing passwords Brian Johnson (Jan 04)
- RE: Two Factor authentication and changing passwords Nick Owen (Jan 06)
- Re: Two Factor authentication and changing passwords Leif Ericksen (Jan 06)
- <Possible follow-ups>
- RE: Two Factor authentication and changing passwords Roger A. Grimes (Jan 05)