Educause Security Discussion mailing list archives
Re: Password aging
From: "Craig W. Drake" <c-drake () NEIU EDU>
Date: Wed, 14 Jan 2004 11:39:59 -0600
David,

The rationale that I see is in the situation where an attacker learns the password of someone's account but that user never actually knows that their account has been compromised. By requiring that a user change his/her password periodically, an attacker will not have "permanent" access to that account.

And actually, I do believe that people should change their ATM PINs periodically.

Craig W. Drake, MCSE
Windows Server Systems Administrator
Networking and Distributed Services
Northeastern Illinois University

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David L. Wasley
Sent: Wednesday, January 14, 2004 11:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password aging

I wonder about the rationale for requiring periodic password changes. I believe I understand why it was necessary in the past but is it still reasonable? What is the risk that is mitigated by that requirement?

I assume that modern systems
- require sufficiently complex passwords to start with
- do not allow downloading of the /etc/passwd (or equivalent) file
- lock account access after a few failed password attempts

Therefore, guessing a password should prove very difficult and there isn't any other way to gain knowledge of it. Even if you accept that it might be guessed, so might the new one. Therefore why require that it be changed?

As to people "sharing" or writing down passwords, they'll just share or write down the new one each time. Thus changing passwords periodically does nothing to address this problem of human nature.

If a person becomes aware that their password might have been compromised, they should then change their password just as they should request a PKI cert be revoked if the private key is compromised.

I suppose one could imagine a scenario where an attacker tries a dictionary-like attack until the target locks up, waits for it to be reopened, and then continues trying. Assuming the user never wonders why their account is continually locking up, the attacker might eventually hit on the actual password. However, requiring the user to change their password periodically or even every time the account locks up wouldn't guarantee that the attacker would never succeed (even if you knew what strings they had already tried some other hacker might start again at the beginning).

So can someone define what the rationale might be for requiring password changes? How often do folks change the PIN on their ATM cards?

Thanks,
David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
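A worked risk model of the two positions in this exchange, added here as an example and not part of the thread: it quantifies David's lockout-throttled guesser and Craig's "stolen but unnoticed" password. The lockout threshold, lockout duration, keyspace size and rotation period are all constructed assumptions, not figures from either post.

```python
"""Risk model for the password-aging exchange above (added example).

Two questions the posts raise:
  1. David: does forcing changes help against an online guesser who is
     throttled by account lockout?
  2. Craig: how long does a silently stolen password stay usable?
Every numeric parameter is a constructed assumption, not a figure quoted
by either author.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # failed attempts before the account locks
    lockout_minutes: float  # minutes until the lock clears (or is reopened)


def guesses_per_day(policy: LockoutPolicy) -> float:
    """Online guesses per day for an attacker who trips the lockout every cycle."""
    cycles_per_day = (24 * 60) / policy.lockout_minutes
    return policy.threshold * cycles_per_day


def p_guessed_no_rotation(days: float, policy: LockoutPolicy, keyspace: float) -> float:
    """P(one fixed password, uniform over `keyspace`, is guessed within `days`)."""
    return min(1.0, guesses_per_day(policy) * days / keyspace)


def p_guessed_with_rotation(days: float, rotation_days: float,
                            policy: LockoutPolicy, keyspace: float) -> float:
    """Same attacker when the password is replaced every `rotation_days`.

    Each rotation restarts the search against a fresh password, so the windows
    are independent trials: P(at least one hit) = 1 - prod(1 - p_window).
    For small per-window odds this is almost the no-rotation figure, which is
    David's point: aging barely changes the online-guessing risk.
    """
    windows = int(days // rotation_days)
    remainder = days - windows * rotation_days
    p_full = p_guessed_no_rotation(rotation_days, policy, keyspace)
    p_rest = p_guessed_no_rotation(remainder, policy, keyspace)
    return 1.0 - (1.0 - p_full) ** windows * (1.0 - p_rest)


def mean_exposure_days(rotation_days: float) -> float:
    """Expected lifetime of a password stolen at a uniformly random moment.

    Craig's point: with forced changes every `rotation_days`, an unnoticed
    compromise lasts rotation_days / 2 on average instead of indefinitely.
    """
    return rotation_days / 2.0
```

With a constructed policy of 5 attempts per 30-minute lockout and a 10^6-entry search space, 90 days of guessing gives roughly a 2.2% chance of success with or without a 30-day rotation, while the rotation caps an unnoticed theft at 15 days of use on average.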