Educause Security Discussion mailing list archives
Re: Password aging
From: Jere Retzer <retzerj () OHSU EDU>
Date: Fri, 9 Jan 2004 11:24:47 -0800
I've wondered if the password-sharing technique, such as passport or some system-enabled "single sign on" exposes the user to greater risk. Any thoughts or data on that? Lots of folks use the same password, for example on various e-commerce sites. It seems to me that if one of those sites exposes your password and user name, hackers could then try that same password and user name on lots of other sites and really take you to the cleaners.
kshalla () UIC EDU 01/09/04 11:10AM >>>
One approach is the use of password-storing software (putting all your eggs in one basket). This is software which stores a list of usernames / passwords, and this list is encrypted with its own password. It can even generate "random" passwords. This can certainly help with the recommendation to have a different password for each account on each machine, with the assumption that system administrators are hostile. You will have to be your own system administrator on the local machine storing this list, and if you're worried about brute force, you'll still need to change passwords, but I've found this software helps quite a bit (provided you trust the software to not itself do something nasty). The smart card / biometric approach is better, but I would guess that it requires significant additional work to add its use into selected software. At 08:44 AM 1/9/2004, Dan Updegrove wrote:
The reasons for changing can be reduced to two broad categories: - Can the password be guessed or discovered by brute force
techniques?
- Is the password known by someone else (co-worker, family member,
rogue
sys admin on a local or remote system, cracker)? Preventing the selection of "trivial" passwords is the preferred
response
to the first problem. Many of us do this, imposing varying levels of complexity on password selection. The second problem is much thornier, and is exacerbated by a
requirement to
select a "tough" password: If someone else knows your password, then a
new
password that's algorithmically-related to the prior one is suspect.
So, of
course, is reverting to a previously-used password. The user is thus challenged to select or invent a complex, quite random password
string, and
this process is often done on-the-fly while thinking about something
else
-- needing to logon to authorize a purchase order, read email, etc. If
the
University has multiple systems, with varying rules about password
length
and robustness, the user hassle factor is large, and the likelihood of
a
call to the help desk is high. So, too, is the likelihood of writing
down
passwords, or using the same password for all systems -- including
remote
systems outside the University. This leads some of us to conclude that any system that depends solely
on
passwords is inherently insecure, and that we should protect
important
systems with a second factor of authentication: token, smart card, biometrics, ....
Kevin Shalla Associate Director of Information and Technical Services University of Illinois at Chicago Office of Admissions and Records (MC 018) 1200 W Harrison, Room 2131 Chicago, IL 60607-7161 (312) 996-1231 kshalla () uic edu ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: Password aging, (continued)
- Re: Password aging Scott Bradner (Jan 08)
- Re: Password aging Jenny Gluck (Jan 08)
- Re: Password aging Cal Frye (Jan 08)
- Re: Password aging Scott Bradner (Jan 08)
- Re: Password aging Scott Bradner (Jan 08)
- Re: Password aging Cal Frye (Jan 08)
- Re: Password aging Cal Frye (Jan 08)
- Re: Password aging Monday, Kathy (Jan 08)
- Re: Password aging Dan Updegrove (Jan 09)
- Re: Password aging Kevin Shalla (Jan 09)
- Re: Password aging Jere Retzer (Jan 09)
- Re: Password aging H. Morrow Long (Jan 09)
- Re: Password aging Peter Choi (Jan 09)
- Re: Password aging Eoghan Casey (Jan 10)
- Re: Password aging Jim Moore (Jan 13)
- Re: Password aging Steve Worona (Jan 13)
- Re: Password aging Gary Flynn (Jan 13)
- Re: Password aging Jim Moore (Jan 14)
- Re: Password aging Steve Worona (Jan 14)
- Re: Password aging David L. Wasley (Jan 14)
- Re: Password aging Craig W. Drake (Jan 14)
(Thread continues...)