Educause Security Discussion mailing list archives
Re: Password aging
From: Dan Updegrove <updegrove () MAIL UTEXAS EDU>
Date: Fri, 9 Jan 2004 08:44:18 -0600
Colleagues,

Is anyone aware of bona fide, recent studies of the impact on security of password aging policy? This is to say, we hear of lore, anecdote, and (obsolete?) regs from auditors, but are there any useful studies?

Why change a password (more frequently)?
- Password doesn't conform to robustness criteria
- User deliberately shared it with someone
- User didn't protect it (post-it note, etc.)
- Unencrypted pswd used from an insecure location (wireless, public kiosk, shared ethernet)
- User used same password in dubiously-secure domain (Hotmail, Amazon, NY Times, et al.)
- Password file known to be breached

Why keep same password?
- New pswds often forgotten: > indiv productivity loss, dept service degraded, help desk costs increase
- To avoid forgetting, new pswds may be written down
- To avoid forgetting, less-than-robust pswds may be selected

The reasons for changing can be reduced to two broad categories:
- Can the password be guessed or discovered by brute force techniques?
- Is the password known by someone else (co-worker, family member, rogue sys admin on a local or remote system, cracker)?

Preventing the selection of "trivial" passwords is the preferred response to the first problem. Many of us do this, imposing varying levels of complexity on password selection.

The second problem is much thornier, and is exacerbated by a requirement to select a "tough" password: If someone else knows your password, then a new password that's algorithmically-related to the prior one is suspect. So, of course, is reverting to a previously-used password. The user is thus challenged to select or invent a complex, quite random password string, and this process is often done on-the-fly while thinking about something else -- needing to logon to authorize a purchase order, read email, etc.

If the University has multiple systems, with varying rules about password length and robustness, the user hassle factor is large, and the likelihood of a call to the help desk is high. So, too, is the likelihood of writing down passwords, or using the same password for all systems -- including remote systems outside the University.

This leads some of us to conclude that any system that depends solely on passwords is inherently insecure, and that we should protect important systems with a second factor of authentication: token, smart card, biometrics, ....

Regards,
Dan Updegrove
Dan Updegrove
VP for Information Technology
The University of Texas at Austin
FAC 248 (Mail code: G9800)
P.O. Box 7407
Austin, TX 78713-7407
Phone (512) 232-9610
Fax (512) 232-9607
d.updegrove () its utexas edu
http://wnt.utexas.edu/~danu/

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
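The two checks the message describes as the technical response to password aging, a robustness filter on the new password and rejection of a new password that is "algorithmically-related to the prior one" or reverts to a previously-used one, can be combined in a single password-change check. The following is an added example written for this archive page, not code from the author or from any University of Texas system; the rule thresholds (12 characters, three character classes, an edit distance of at most 2, the tiny common-password list) are assumptions chosen for illustration. The previous password is compared in plaintext because the user supplies it at change time; older passwords survive only as salted PBKDF2 hashes, so they can be checked for exact reuse but not for similarity.

```python
"""Password-change checker: complexity rules, exact reuse of earlier
passwords, and rejection of new passwords trivially derived from the
current one. Added example; thresholds are illustrative assumptions."""
import hashlib
import hmac
import os
import re
from typing import Optional

MIN_LENGTH = 12           # assumed policy value
PBKDF2_ITERATIONS = 100_000
# Constructed, deliberately tiny blacklist; a real deployment would check
# against a large cracking dictionary instead.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "longhorns", "changeme"}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is kept in history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def _strip_decoration(s: str) -> str:
    """Remove trailing digits/symbols: 'summer2004!!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", s)


def complexity_problems(password: str) -> list[str]:
    """Robustness criteria for the new password (the 'trivial password' filter)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or _strip_decoration(lowered) in COMMON_PASSWORDS:
        problems.append("is a common password with trivial decoration")
    return problems


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character tweaks of the old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_derived_from(new: str, old: str) -> bool:
    """True when the new password is algorithmically related to the old one."""
    n, o = new.lower(), old.lower()
    if n == o or n == o[::-1]:                     # identical or reversed
        return True
    if n in o or o in n:                           # characters merely appended/removed
        return True
    if _strip_decoration(n) and _strip_decoration(n) == _strip_decoration(o):
        return True                                # same word, new year/suffix
    return levenshtein(n, o) <= 2                  # assumed similarity threshold


def check_new_password(new: str, current: Optional[str],
                       history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of reasons to reject `new`; an empty list means accept.

    `current` is the plaintext the user supplied to authorise the change;
    `history` holds (salt, digest) pairs of earlier passwords.
    """
    problems = complexity_problems(new)
    if current is not None and is_derived_from(new, current):
        problems.append("is trivially derived from the current password")
    if any(verify_password(new, salt, digest) for salt, digest in history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    old_salt, old_digest = hash_password("Correct-Horse9Battery")
    for candidate in ("Summer2004!!", "password123", "Correct-Horse9Battery", "Orbit-Kettle7Glass"):
        print(candidate, "->", check_new_password(candidate, "Summer2003!!", [(old_salt, old_digest)]) or "accepted")
```

The similarity check only covers the current password because that is the only one available in plaintext at change time; enforcing "not related to any previous password" would require storing something reversible, which is a worse trade than the gap it closes.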