Educause Security Discussion mailing list archives

Re: Password aging


From: Eoghan Casey <eco () CORPUS-DELICTI COM>
Date: Sat, 10 Jan 2004 10:54:27 -0500

Dan,

It is not exactly recent, but one research study addresses many of the
points that you raised: "Users are not the Enemy" by Adams and Sasse,
CACM, Volume 42 , Issue 12, December 1999.

This study found that users undermine password security mainly because
organizations do not take into account their needs and behavior. This
study found that requiring users to change their passwords frequently,
or requiring them to remember more than four or five unrelated
passwords, increases the chances that they will forget their passwords
or write them down. The main points in this study are that for security
practices to be effective, they must take into account the behavior and
needs of users, and that success is heavily dependent on user education
and awareness. Providing guidance on selecting secure and memorable
passwords, educating users about the threats and damage associated with
stolen passwords, and explaining why certain systems (and the
information they contain) require protection against unauthorized access
all contribute to better password security. Notably, the study indicates
that some groups performing shared work may be best served by a shared
password for certain tasks.

The above description, along with other security implementation issues,
is included in the EDUCAUSE Effective Security Practice Guide which will
be launched next week.

The study mentions that one organization, after learning about the
research findings, adopted smart cards for certain users but did not
consider this as a general solution suitable for all situations. There
are other nuances in the study that make it worth reading.

One point that came up during an off-list discussion I had about
password aging is that users need some warning and time to prepare to
change their passwords. For instance, Windows has a feature that prompts
the user to change their logon password a set number of days in advance
with a "Your password expires in X days, would you like to change it
now?" type of message.

Eoghan

Dan Updegrove wrote:

Colleagues,

Is anyone aware of bona fide, recent studies of the impact on security of
password aging policy? This is to say, we hear of lore, anecdote, and
(obsolete?) regs from auditors, but are there any useful studies?

Why change a password (more frequently)?
- Password doesn't conform to robustness criteria
- User deliberately shared it with someone
- User didn't protect it (post-it note, etc.)
- Unencrypted pswd used from an insecure location (wireless, public kiosk,
  shared ethernet)
- User used same password in dubiously-secure domain (Hotmail, Amazon, NY
Times, et al.)
- Password file known to be breached

Why keep same password?
- New pswds often forgotten:
  > indiv productivity loss, dept service degraded, help desk costs increase
- To avoid forgetting, new pswds may be written down
- To avoid forgetting, less-than-robust pswds may be selected

The reasons for changing can be reduced to two broad categories:
- Can the password be guessed or discovered by brute force techniques?
- Is the password known by someone else (co-worker, family member, rogue
sys admin on a local or remote system, cracker)?

Preventing the selection of "trivial" passwords is the preferred response
to the first problem. Many of us do this, imposing varying levels of
complexity on password selection.

The second problem is much thornier, and is exacerbated by a requirement to
select a "tough" password: If someone else knows your password, then a new
password that's algorithmically-related to the prior one is suspect. So, of
course, is reverting to a previously-used password. The user is thus
challenged to select or invent a complex, quite random password string, and
this process is often done on-the-fly while thinking about something else
-- needing to logon to authorize a purchase order, read email, etc. If the
University has multiple systems, with varying rules about password length
and robustness, the user hassle factor is large, and the likelihood of a
call to the help desk is high. So, too, is the likelihood of writing down
passwords, or using the same password for all systems -- including remote
systems outside the University.

This leads some of us to conclude that any system that depends solely on
passwords is inherently insecure, and that we should protect important
systems with a second factor of authentication: token, smart card,
biometrics, ....

Regards,
Dan Updegrove



**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.



VP for Information Technology
The University of Texas at Austin
FAC 248 (Mail code: G9800)
P.O. Box 7407
Austin, TX 78713-7407
Phone (512) 232-9610
Fax (512) 232-9607
d.updegrove () its utexas edu
http://wnt.utexas.edu/~danu/
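Added example (not part of either message above, and not code from EDUCAUSE or the Adams/Sasse study): the two mechanical pieces of a password-aging policy that the thread discusses. The first is the "your password expires in X days" warning Eoghan describes; the second is the check Dan's message implies, rejecting a new password that is algorithmically related to a previous one (case change, reversal, a changed year or trailing digit, leet-speak substitutions, or a couple of edited characters) or that reuses a remembered one. The 90-day maximum age, 14-day warning window, five-password history, account names, dates and passwords are all constructed for illustration and are assumptions, not values from the thread.

```python
"""Password-aging helpers: expiry warning and related-password rejection.

Added illustration for the thread above. Policy thresholds and sample data
are constructed assumptions, not values from any real system.
"""
from datetime import date
from typing import Optional
import re

MAX_AGE_DAYS = 90      # assumed maximum password age
WARN_DAYS = 14         # assumed "expires in X days" warning window
HISTORY_DEPTH = 5      # assumed number of previous passwords remembered


def expiry_status(last_change: date, today: date,
                  max_age: int = MAX_AGE_DAYS, warn: int = WARN_DAYS) -> str:
    """Return 'ok', 'warn:<days left>' or 'expired' for one account."""
    days_left = max_age - (today - last_change).days
    if days_left <= 0:
        return "expired"
    if days_left <= warn:
        return f"warn:{days_left}"
    return "ok"


# Common symbol/digit-for-letter substitutions to undo before comparing.
_LEET = str.maketrans("@$0134", "asoiea")


def canonical(pw: str) -> str:
    """Reduce a password to its alphabetic stem: lower-case, strip digits and
    punctuation from either end, undo leet substitutions.
    'Winter2004!' and 'winter2003' both reduce to 'winter'."""
    s = pw.lower()
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)
    return s.translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb))) # substitution
        prev = cur
    return prev[-1]


def is_related(new_pw: str, old_pw: str, max_edits: int = 2) -> bool:
    """True if new_pw is trivially derived from old_pw: same ignoring case,
    reversed, same stem after stripping digits/symbols and leet, or within
    max_edits single-character edits."""
    n, o = new_pw.lower(), old_pw.lower()
    if n == o or n == o[::-1]:
        return True
    stem = canonical(new_pw)
    if stem and stem == canonical(old_pw):
        return True
    return levenshtein(n, o) <= max_edits


def check_new_password(new_pw: str, history: list) -> Optional[str]:
    """Return None if new_pw is acceptable against the remembered history
    (newest first), else a reason for rejecting it."""
    for idx, old in enumerate(history[:HISTORY_DEPTH]):
        if is_related(new_pw, old):
            return f"too similar to password #{idx + 1} in history"
    return None


# Constructed sample accounts: user -> date of last password change.
SAMPLE_ACCOUNTS = {
    "alice": date(2004, 1, 1),
    "bob":   date(2003, 10, 20),
    "carol": date(2003, 10, 1),
}


def status_report(today: date = date(2004, 1, 10)) -> dict:
    """Expiry status per sample account. The 'warn:N' entries are the users
    who should see the advance prompt rather than a surprise lockout."""
    return {u: expiry_status(d, today) for u, d in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    for user, status in status_report().items():
        print(f"{user:6} {status}")
    print(check_new_password("Winter2004!", ["Winter2003!", "autumn03"]))
    print(check_new_password("kX9#vQ2m", ["Winter2003!", "autumn03"]))
```

The similarity check deliberately errs toward rejecting: a user who turns "Winter2003!" into "Winter2004!" gets caught by both the stem comparison and the edit-distance bound, while an unrelated random string passes. The comparison needs the previous cleartext password at change time (or a reversible store of it), which is exactly why such checks are normally done only in the change dialog, where the user has just typed the old one, and never against stored hashes.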
