Security Basics mailing list archives

RE: Two Factor authentication and changing passwords


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 5 Jan 2006 09:59:12 -0500

Brian,

What a good question.  My guess is that there isn't any empirical
analysis (i.e. mathematical risk calculations), so all we can do is
speculate. My feeling is that, all other things equal, it increases
the min. password use time period, but going to the other extreme (i.e.
not changing the base password) offsets the benefits of two factor
authentication.  For one, if the RSA server can be compromised, the RSA
token sequence can be predicted (see Cain at www.oxid.it). Thus, if the
attacker is given enough time, they can get the password and get the
sequence. Changing the password/PIN at a decent interval offsets that
risk. Also, passwords/PINs aren't normally longer than 4 characters
(numbers), so the password guessing is trivial.  Lastly, users like to
re-use passwords. If you never make them change the PIN, they are more
likely to use it in other non-two-factor applications (if allowed).

Personally, I'd say you could increase the interval by a factor of two
or three...but beyond that my personal risk threshold starts to go back
up.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
*****************************************************************



-----Original Message-----
From: Brian Johnson [mailto:brian.l.johnson () gmail com] 
Sent: Wednesday, January 04, 2006 11:57 AM
To: security-basics () securityfocus com
Subject: Two Factor authentication and changing passwords

I was wondering if anyone could point me towards some recommendations
for how often passwords should be changed if two-factor authentication
is used.

I am working with a client who thinks that using SecurID tokens means
they should never have to change their passwords but I am not
comfortable with this.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------



