Educause Security Discussion mailing list archives
Re: Password aging
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 14 Jan 2004 12:55:25 -0500
While it is debatable how *often* a password should be changed (the result of adding the compound probabilities of each form of threat to its secrecy), I would assert that no password should be permitted to remain unchanged ad infinatum, no matter how complex or well-guarded it is. A reason changing ATM PINs is not as important is that ATM's rely on a 2-factor authenticator. Someone has to learn the PIN, *and* obtain the card. Presuming users can keep tabs on one or the other (ideally both), the surety can remain sufficiently high. However, a problem with password stagnation could be cast as a corollary question: "do you know who else knows your password". None of us can answer "yes" with certainty, only probability, because we may never know if it has been intercepted, we can only hope that it hasn't. That surety degrades over time, due to the repetition of exposures as it is used. Two such risks of 'secret-leakage' are the old saw, network eavesdropping, another is user-caused: Using the same password for their enterprise account as they do on some less-secure service, where it may be much more subject to interception (also without the user's knowledge). David L. Wasley wrote:
I wonder about the rationale for requiring periodic password changes. I believe I understand why it was necessary in the past but is it still reasonable? What is the risk that is mitigated by that requirement? I assume that modern systems - require sufficiently complex passwords to start with - do not allow downloading of the /etc/passwd (or equivalent) file - lock account access after a few failed password attempts Therefore, guessing a password should prove very difficult and there isn't any other way to gain knowledge of it. Even if you accept that it might be guessed, so might the new one. Therefore why require that it be changed? As to people "sharing" or writing down passwords, they'll just share or write down the new one each time. Thus changing passwords periodically does nothing to address this problem of human nature. If a person becomes aware that their password might have been compromised, they should then change their password just as they should request a PKI cert be revoked if the private key is compromised. I suppose one could imagine a scenario where an attacker tries a dictionary-like attack until the target locks up, waits for it to be reopened, and then continues trying. Assuming the user never wonders why their account is continually locking up, the attacker might eventually hit on the actual password. However, requiring the user to change their password periodically or even every time the account locks up wouldn't guarantee that the attacker would never succeed (even if you knew what strings they had already tried some other hacker might start again at the beginning). So can someone define what the rationale might be for requiring password changes? How often do folks change the PIN on their ATM cards? Thanks, David ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
-- ------------------------------------------------------------ Gary Dobbins, CISSP -- dobbins () nd edu Director, Information Security University of Notre Dame, Office of Information Technologies Voice: 574.631.5554 ------------------------------------------------------------ "...mind the gap" ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: Password aging, (continued)
- Re: Password aging H. Morrow Long (Jan 09)
- Re: Password aging Peter Choi (Jan 09)
- Re: Password aging Eoghan Casey (Jan 10)
- Re: Password aging Jim Moore (Jan 13)
- Re: Password aging Steve Worona (Jan 13)
- Re: Password aging Gary Flynn (Jan 13)
- Re: Password aging Jim Moore (Jan 14)
- Re: Password aging Steve Worona (Jan 14)
- Re: Password aging David L. Wasley (Jan 14)
- Re: Password aging Craig W. Drake (Jan 14)
- Re: Password aging Gary Dobbins (Jan 14)
- Re: Password aging Jere Retzer (Jan 14)
- Re: Password aging David L. Wasley (Jan 14)
- Re: Password aging Angel L Cruz (Jan 14)
- Re: Password aging Gary Dobbins (Jan 14)
- Re: Password aging David L. Wasley (Jan 14)
- Re: Password aging Tim Lane (Jan 14)
- Re: Password aging Gary Flynn (Jan 14)
- Re: Password aging Dave Koontz (Jan 14)
- Re: Password aging Cal Frye (Jan 15)
- Re: Password aging Gary Dobbins (Jan 15)
(Thread continues...)