Educause Security Discussion mailing list archives

Re: Password aging


From: Jere Retzer <retzerj () OHSU EDU>
Date: Fri, 9 Jan 2004 11:24:47 -0800

I've wondered if the password-sharing technique, such as passport or
some system-enabled "single sign on" exposes the user to greater risk.
Any thoughts or data on that? Lots of folks use the same password, for
example on various e-commerce sites. It seems to me that if one of those
sites exposes your password and user name, hackers could then try that
same password and user name on lots of other sites and really take you
to the cleaners.

kshalla () UIC EDU 01/09/04 11:10AM >>>
One approach is the use of password-storing software (putting all your eggs in one basket). This is software which stores a list of usernames / passwords, and this list is encrypted with its own password. It can even generate "random" passwords. This can certainly help with the recommendation to have a different password for each account on each machine, with the assumption that system administrators are hostile. You will have to be your own system administrator on the local machine storing this list, and if you're worried about brute force, you'll still need to change passwords, but I've found this software helps quite a bit (provided you trust the software to not itself do something nasty). The smart card / biometric approach is better, but I would guess that it requires significant additional work to add its use into selected software.

At 08:44 AM 1/9/2004, Dan Updegrove wrote:
The reasons for changing can be reduced to two broad categories:
- Can the password be guessed or discovered by brute force techniques?
- Is the password known by someone else (co-worker, family member, rogue sys admin on a local or remote system, cracker)?

Preventing the selection of "trivial" passwords is the preferred response to the first problem. Many of us do this, imposing varying levels of complexity on password selection.

The second problem is much thornier, and is exacerbated by a requirement to select a "tough" password: If someone else knows your password, then a new password that's algorithmically-related to the prior one is suspect. So, of course, is reverting to a previously-used password. The user is thus challenged to select or invent a complex, quite random password string, and this process is often done on-the-fly while thinking about something else -- needing to logon to authorize a purchase order, read email, etc. If the University has multiple systems, with varying rules about password length and robustness, the user hassle factor is large, and the likelihood of a call to the help desk is high. So, too, is the likelihood of writing down passwords, or using the same password for all systems -- including remote systems outside the University.

This leads some of us to conclude that any system that depends solely on passwords is inherently insecure, and that we should protect important systems with a second factor of authentication: token, smart card, biometrics, ....

Kevin Shalla
Associate Director of Information and Technical Services
University of Illinois at Chicago
Office of Admissions and Records (MC 018)
1200 W Harrison, Room 2131
Chicago, IL 60607-7161
(312) 996-1231
kshalla () uic edu
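Dan's second category (a new password that is algorithmically related to the old one, or a reverted one) is something a change-password handler can check for. The following is an added example written for this archive page, not code from any poster or from any product mentioned in the thread; it assumes a local handler that has the current password in clear text only because the user just typed it to authorize the change, and the PBKDF2 iteration count, history depth and edit-distance threshold are illustrative choices.

```python
import hashlib
import hmac
import os

def normalize(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation: 'Winter2004!' -> 'winter'."""
    return pw.lower().rstrip("0123456789!@#$%^&*.-_")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; passwords are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_related(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is the usual tweak of `old`: case change, suffix bump, reversal, or a couple of edits."""
    o, n = old.lower(), new.lower()
    if n == o or n == o[::-1]:
        return True
    if normalize(o) and normalize(o) == normalize(n):
        return True
    return edit_distance(o, n) <= max_distance

def hash_password(pw: str, salt: bytes) -> bytes:
    # Slow, salted hash so the stored history is not a cheap offline target.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)

class PasswordHistory:
    """Keeps salted hashes of the last `depth` passwords; clear text is never stored."""
    def __init__(self, depth: int = 5):
        self.depth, self.entries = depth, []
    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries = (self.entries + [(salt, hash_password(pw, salt))])[-self.depth:]
    def was_used(self, pw: str) -> bool:
        return any(hmac.compare_digest(hash_password(pw, s), h) for s, h in self.entries)

def check_change(old: str, new: str, history: PasswordHistory):
    """Return a rejection reason, or None if the change is acceptable."""
    if history.was_used(new):
        return "reuse of a recent password"
    if is_related(old, new):
        return "algorithmically related to the current password"
    return None
```

The similarity test only runs at change time, so a history of salted hashes is all that persists; the clear-text comparison never touches storage.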

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.