Re: Password aging

["Craig W. Drake" <c-drake () NEIU EDU>]

David,

The rationale that I see is in the situation where an attacker learns
the password of someone's account but that user never actually knows
that their account has been compromised.  By requiring that a user
change his/her password periodically, an attacker will not have
"permanent" access to that account. 

And actually, I do believe that people should change their ATM PINs
periodically. 


Craig W. Drake, MCSE
Windows Server Systems Administrator
Networking and Distributed Services
Northeastern Illinois University



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David L. Wasley
Sent: Wednesday, January 14, 2004 11:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password aging

I wonder about the rationale for requiring periodic password changes.
I believe I understand why it was necessary in the past but is it
still reasonable?  What is the risk that is mitigated by that
requirement?

I assume that modern systems
  - require sufficiently complex passwords to start with
  - do not allow downloading of the /etc/passwd (or equivalent) file
  - lock account access after a few failed password attempts

Therefore, guessing a password should prove very difficult and there
isn't any other way to gain knowledge of it.  Even if you accept that
it might be guessed, so might the new one.  Therefore why require
that it be changed?

As to people "sharing" or writing down passwords, they'll just share
or write down the new one each time.  Thus changing passwords
periodically does nothing to address this problem of human nature.

If a person becomes aware that their password might have been
compromised, they should then change their password just as they
should request a PKI cert be revoked if the private key is
compromised.

I suppose one could imagine a scenario where an attacker tries a
dictionary-like attack until the target locks up, waits for it to be
reopened, and then continues trying.  Assuming the user never wonders
why their account is continually locking up, the attacker might
eventually hit on the actual password.  However, requiring the user
to change their password periodically or even every time the account
locks up wouldn't guarantee that the attacker would never succeed
(even if you knew what strings they had already tried some other
hacker might start again at the beginning).

So can someone define what the rationale might be for requiring
password changes?

How often do folks change the PIN on their ATM cards?

Thanks,
        David

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.