Re: Password aging

["H. Morrow Long" <morrow.long () YALE EDU>]

SSO, though generally thought to be a 'good thing' security-wise
(as you can centralize and regularize password quality, handling,
maintenance, etc in a single location and secure that -- and the user
only needs to remember one -- hopefully 'good' -- password) can
be an exposure risk if:
*       Some of the applications which require the password are
       insecure (easily broken into) or handle the plaintext password
insecurely.
*       Some of the applications which are part of the SSO allow or
       require the password to be sent to them over the network in the clear.
*       Some of the applications which are part of the SSO require that
       the password quality/diversity rules be dumbed down (password
       length, diversity of characters, etc.) such that passwords selected
       are no longer strong.

On the other hand, many users will choose the same password any way
(SSO or not) for every application and site (including random web site
passwords)
when given a chance so that they only have to remember one password.

- H. Morrow Long
  Dir. Information Security
  Yale University, ITS


On Jan 9, 2004, at 2:24 PM, Jere Retzer wrote:

> I've wondered if the password-sharing technique, such as passport or
> some system-enabled "single sign on" exposes the user to greater risk.
> Any thoughts or data on that? Lots of folks use the same password, for
> example on various e-commerce sites. It seems to me that if one of
> those
> sites exposes your password and user name, hackers could then try that
> same password and user name on lots of other sites and really take you
> to the cleaners.
>
> > > > kshalla () UIC EDU 01/09/04 11:10AM >>>
> One approach is the use of password-storing software (putting all your
> eggs
> in one basket).  This is software which stores a list of usernames /
> passwords, and this list is encrypted with its own password.  It can
> even
> generate "random" passwords.  This can certainly help with the
> recommendation to have a different password for each account on each
> machine, with the assumption that system administrators are hostile.
> You
> will have to be your own system administrator on the local machine
> storing
> this list, and if you're worried about brute force, you'll still need
> to
> change passwords, but I've found this software helps quite a bit
> (provided
> you trust the software to not itself do something nasty).  The smart
> card /
> biometric approach is better, but I would guess that it requires
> significant additional work to add its use into selected software.
>
> At 08:44 AM 1/9/2004, Dan Updegrove wrote:
> > The reasons for changing can be reduced to two broad categories:
> > - Can the password be guessed or discovered by brute force
> techniques?
> > - Is the password known by someone else (co-worker, family member,
> rogue
> > sys admin on a local or remote system, cracker)?
> >
> > Preventing the selection of "trivial" passwords is the preferred
> response
> > to the first problem. Many of us do this, imposing varying levels of
> > complexity on password selection.
> >
> > The second problem is much thornier, and is exacerbated by a
> requirement to
> > select a "tough" password: If someone else knows your password, then a
> new
> > password that's algorithmically-related to the prior one is suspect.
> So, of
> > course, is reverting to a previously-used password. The user is thus
> > challenged to select or invent a complex, quite random password
> string, and
> > this process is often done on-the-fly while thinking about something
> else
> > -- needing to logon to authorize a purchase order, read email, etc. If
> the
> > University has multiple systems, with varying rules about password
> length
> > and robustness, the user hassle factor is large, and the likelihood of
> a
> > call to the help desk is high. So, too, is the likelihood of writing
> down
> > passwords, or using the same password for all systems -- including
> remote
> > systems outside the University.
> >
> > This leads some of us to conclude that any system that depends solely
> on
> > passwords is inherently insecure, and that we should protect
> important
> > systems with a second factor of authentication: token, smart card,
> > biometrics, ....
>
> Kevin Shalla
> Associate Director of Information and Technical Services
> University of Illinois at Chicago
> Office of Admissions and Records (MC 018)
> 1200 W Harrison, Room 2131
> Chicago, IL 60607-7161
> (312) 996-1231
> kshalla () uic edu
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Attachment: smime.p7s
Description: