Educause Security Discussion mailing list archives

Re: Password aging


From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 14 Jan 2004 12:55:25 -0500

While it is debatable how *often* a password should be changed (the
result of adding the compound probabilities of each form of threat to
its secrecy), I would assert that no password should be permitted to
remain unchanged ad infinitum, no matter how complex or well-guarded
it is.

A reason changing ATM PINs is not as important is that ATMs rely on a
2-factor authenticator.  Someone has to learn the PIN, *and* obtain
the card.  Presuming users can keep tabs on one or the other (ideally
both), the surety can remain sufficiently high.

However, a problem with password stagnation could be cast as a
corollary question: "do you know who else knows your password".  None
of us can answer "yes" with certainty, only probability, because we
may never know if it has been intercepted, we can only hope that it
hasn't.  That surety degrades over time, due to the repetition of
exposures as it is used.

Two such risks of 'secret-leakage': one is the old saw, network
eavesdropping; the other is user-caused: using the same password for
their enterprise account as they do on some less-secure service, where
it may be much more subject to interception (also without the user's
knowledge).


David L. Wasley wrote:

I wonder about the rationale for requiring periodic password changes.
I believe I understand why it was necessary in the past but is it
still reasonable?  What is the risk that is mitigated by that
requirement?

I assume that modern systems
 - require sufficiently complex passwords to start with
 - do not allow downloading of the /etc/passwd (or equivalent) file
 - lock account access after a few failed password attempts

Therefore, guessing a password should prove very difficult and there
isn't any other way to gain knowledge of it.  Even if you accept that
it might be guessed, so might the new one.  Therefore why require
that it be changed?

As to people "sharing" or writing down passwords, they'll just share
or write down the new one each time.  Thus changing passwords
periodically does nothing to address this problem of human nature.

If a person becomes aware that their password might have been
compromised, they should then change their password just as they
should request a PKI cert be revoked if the private key is
compromised.

I suppose one could imagine a scenario where an attacker tries a
dictionary-like attack until the target locks up, waits for it to be
reopened, and then continues trying.  Assuming the user never wonders
why their account is continually locking up, the attacker might
eventually hit on the actual password.  However, requiring the user
to change their password periodically or even every time the account
locks up wouldn't guarantee that the attacker would never succeed
(even if you knew what strings they had already tried some other
hacker might start again at the beginning).

So can someone define what the rationale might be for requiring
password changes?

How often do folks change the PIN on their ATM cards?

Thanks,
       David

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------
  "...mind the gap"
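As an added illustration (not from either poster), the two risks argued in this thread can be put into a small model: Gary's point that each use of a password is an independent exposure whose accumulated leak probability a maximum age truncates, and David's lockout-throttled dictionary attack, whose odds periodic rotation changes but does not remove. All rates, dictionary sizes and login frequencies below are constructed assumptions, not figures from the thread.

```python
def p_leak_since_rotation(day, uses_per_day, p_leak_per_use, max_age_days=None):
    """Probability that the password in force on `day` has been intercepted
    at least once, treating each use as an independent exposure (Gary's
    argument). Without a max age every past use counts; with one, only the
    uses since the most recent forced change count."""
    exposed_days = day if max_age_days is None else day % max_age_days
    return 1.0 - (1.0 - p_leak_per_use) ** (exposed_days * uses_per_day)


def expected_compromised_days(horizon_days, uses_per_day, p_leak_per_use,
                              max_age_days=None):
    """Expected number of days in the horizon on which someone who intercepted
    the password still holds a valid credential (assumes the replacement
    password is not derived from the old one)."""
    return sum(p_leak_since_rotation(d, uses_per_day, p_leak_per_use, max_age_days)
               for d in range(horizon_days))


def p_guessed_under_lockout(days, guesses_per_day, dictionary_size,
                            max_age_days=None):
    """David's scenario: lockout after a few failures throttles the attacker to
    `guesses_per_day` distinct dictionary words per day. Without rotation the
    dictionary is exhausted linearly; with rotation to a fresh random word the
    attacker's progress resets each period, which changes the curve but, as
    David notes, guarantees nothing."""
    if max_age_days is None:
        return min(1.0, days * guesses_per_day / dictionary_size)
    per_period = min(1.0, max_age_days * guesses_per_day / dictionary_size)
    full_periods, partial_days = divmod(days, max_age_days)
    p_partial = min(1.0, partial_days * guesses_per_day / dictionary_size)
    return 1.0 - (1.0 - per_period) ** full_periods * (1.0 - p_partial)


if __name__ == "__main__":
    # Constructed parameters: 4 logins/day, a one-in-ten-thousand interception
    # chance per login, a 20,000-word dictionary, 15 guesses/day past lockout.
    for max_age in (None, 90):
        leak_days = expected_compromised_days(365, 4, 1e-4, max_age)
        guessed = p_guessed_under_lockout(365 * 4, 15, 20_000, max_age)
        print(f"max age {max_age}: expected compromised days/yr = {leak_days:.1f}, "
              f"P(guessed within 4 yrs) = {guessed:.3f}")
```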

