Educause Security Discussion mailing list archives

Re: Password aging


From: Peter Choi <pchoi () WTC-INC NET>
Date: Fri, 9 Jan 2004 17:06:37 -0800

Many interesting points were raised in the "Password aging" discussion.

If I may be so bold as to summarize the consensus expressed in this
topic: "Password aging" -- damned if you do and damned if you don't.  A
classic case of a conundrum.

If a question is raised and the answers coming back give you no reason to
act or change, perhaps we don't have to worry about the throwing-out-the-baby-
with-the-bath-water syndrome.

1.  What is making people continue to use a password technology that is
"old", cumbersome and that may not be too "safe" to use in the first
place?  Is Higher Education so firmly entrenched in the use of legacy
systems that the question of transitioning out of password use is not even
worth asking?

2.  Are the alternative technologies (e.g., Biometrics, one time signon,
SmartCard, PKI, USB token) really that much inferior to using the password
methods?  Consider that the strength of identification and authentication
can be quantified in three ways: false acceptance rate, allowed multiple
tries, restricted feedback of authentication data to the user.

3.  What are your biggest reasons for not utilizing or considering the
"new" technologies for authentication and identification?  Consider issues
such as: cost, convenience, user acceptance, interoperability.

4.  Has there been any attempt from your organization to revamp the
identification and authentication system?

"To be or not to be?"  My question is, has anyone (meaning Higher
Education) really thought seriously (meaning spent money to study this
topic) about revamping the "password" system to something else?

Regards,

Peter


=======================================
S. Peter Choi, Ph D., CISSP
Senior Information Security Consultant
WTC, Inc.
801 South Grand Avenue, Suite 700
Los Angeles, CA 90017

(213) 689-5327
=======================================
Please visit our web site @ http://www.wtc-inc.net

Dan Updegrove <updegrove () MAIL UTEXAS EDU>
Sent by: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
01/09/2004 06:44 AM
Please respond to: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: [SECURITY] Password aging

Colleagues,

Is anyone aware of bona fide, recent studies of the impact on security of
password aging policy? This is to say, we hear of lore, anecdote, and
(obsolete?) regs from auditors, but are there any useful studies?

Why change a password (more frequently)?
- Password doesn't conform to robustness criteria
- User deliberately shared it with someone
- User didn't protect it (post-it note, etc.)
- Unencrypted pswd used from an insecure location (wireless, public kiosk,
shared ethernet)
- User used same password in dubiously-secure domain (Hotmail, Amazon, NY
Times, et al.)
- Password file known to be breached

Why keep same password?
- New pswds often forgotten: individual productivity loss, dept service
degraded, help desk costs increase
- To avoid forgetting, new pswds may be written down
- To avoid forgetting, less-than-robust pswds may be selected

The reasons for changing can be reduced to two broad categories:
- Can the password be guessed or discovered by brute force techniques?
- Is the password known by someone else (co-worker, family member, rogue
sys admin on a local or remote system, cracker)?

Preventing the selection of "trivial" passwords is the preferred response
to the first problem. Many of us do this, imposing varying levels of
complexity on password selection.

The second problem is much thornier, and is exacerbated by a requirement to
select a "tough" password: If someone else knows your password, then a new
password that's algorithmically related to the prior one is suspect. So, of
course, is reverting to a previously-used password. The user is thus
challenged to select or invent a complex, quite random password string, and
this process is often done on-the-fly while thinking about something else
-- needing to log on to authorize a purchase order, read email, etc. If the
University has multiple systems, with varying rules about password length
and robustness, the user hassle factor is large, and the likelihood of a
call to the help desk is high. So, too, is the likelihood of writing down
passwords, or using the same password for all systems -- including remote
systems outside the University.

This leads some of us to conclude that any system that depends solely on
passwords is inherently insecure, and that we should protect important
systems with a second factor of authentication: token, smart card,
biometrics, ....

Regards,
Dan Updegrove



**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.


VP for Information Technology
The University of Texas at Austin
FAC 248 (Mail code: G9800)
P.O. Box 7407
Austin, TX 78713-7407
Phone (512) 232-9610
Fax (512) 232-9607
d.updegrove () its utexas edu
http://wnt.utexas.edu/~danu/
