Educause Security Discussion mailing list archives

Re: Password aging


From: Jere Retzer <retzerj () OHSU EDU>
Date: Wed, 14 Jan 2004 09:57:57 -0800

A password is most secure when first established and will become less
secure the more it is used. There are many potential avenues that cause
this to happen. One of the most significant is that people routinely use
the same password for lots of different systems so that if any one is
compromised their access is potentially compromised other places as
well. Others include password sharing, sticky notes, dictionary attacks
(and systems that don't disable repeated attempts), eavesdropping, etc.
Each exposure of a password represents a small but finite risk. Sooner
or later your number may come up in the lotto.

Passwords are frankly lousy security, just as firewalls are lousy but
necessary security. The sooner we admit this and start really to focus
and spend money on biometric systems the better off we'll be. Yes,
current biometric systems are also far from perfect but they will become
better as people decide it is important and spend accordingly.

c-drake () NEIU EDU 01/14/04 09:39AM >>>
David,

The rationale that I see is in the situation where an attacker learns
the password of someone's account but that user never actually knows
that their account has been compromised.  By requiring that a user
change his/her password periodically, an attacker will not have
"permanent" access to that account.

And actually, I do believe that people should change their ATM PINs
periodically.


Craig W. Drake, MCSE
Windows Server Systems Administrator
Networking and Distributed Services
Northeastern Illinois University



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David L. Wasley
Sent: Wednesday, January 14, 2004 11:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password aging

I wonder about the rationale for requiring periodic password changes.
I believe I understand why it was necessary in the past but is it
still reasonable?  What is the risk that is mitigated by that
requirement?

I assume that modern systems
  - require sufficiently complex passwords to start with
  - do not allow downloading of the /etc/passwd (or equivalent) file
  - lock account access after a few failed password attempts

Therefore, guessing a password should prove very difficult and there
isn't any other way to gain knowledge of it.  Even if you accept that
it might be guessed, so might the new one.  Therefore why require
that it be changed?

As to people "sharing" or writing down passwords, they'll just share
or write down the new one each time.  Thus changing passwords
periodically does nothing to address this problem of human nature.

If a person becomes aware that their password might have been
compromised, they should then change their password just as they
should request a PKI cert be revoked if the private key is
compromised.

I suppose one could imagine a scenario where an attacker tries a
dictionary-like attack until the target locks up, waits for it to be
reopened, and then continues trying.  Assuming the user never wonders
why their account is continually locking up, the attacker might
eventually hit on the actual password.  However, requiring the user
to change their password periodically or even every time the account
locks up wouldn't guarantee that the attacker would never succeed
(even if you knew what strings they had already tried some other
hacker might start again at the beginning).

So can someone define what the rationale might be for requiring
password changes?

How often do folks change the PIN on their ATM cards?

Thanks,
        David
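To put the two arguments in this thread side by side (Jere's point that every use of a password adds a small but finite exposure risk, and Craig's point that periodic rotation bounds how long an unnoticed compromise stays useful), here is a constructed Python model. It is added to this archive page and is not part of any of the posts; the per-use exposure probability `p`, the `detect` delay and the sample numbers are assumptions.

```python
"""Constructed toy model of the exposure arguments in this thread (added
example, not from any of the posts). Assumptions: each use of a password
is independently exposed with probability p (reuse elsewhere, sharing,
eavesdropping), and an exposure is not noticed, so the attacker keeps a
valid password until rotation or, optionally, until the user notices
`detect` uses later."""
from typing import Optional


def cumulative_exposure_probability(p: float, uses: int) -> float:
    """P(exposed at least once in `uses` uses) = 1 - (1 - p)^uses."""
    return 1.0 - (1.0 - p) ** uses


def expected_attacker_uses(p: float, period: int, detect: Optional[int] = None) -> float:
    """Expected number of uses, within one password lifetime of `period` uses,
    during which an attacker holds a still-valid password.

    If the first exposure happens during use k, the attacker's access lasts
    for the remaining period - k uses, or `detect` uses if the user notices
    sooner and changes the password.
    """
    total = 0.0
    for k in range(1, period + 1):
        first_exposure_at_k = (1.0 - p) ** (k - 1) * p
        window = period - k
        if detect is not None:
            window = min(window, detect)
        total += first_exposure_at_k * window
    return total


def compare_policies(p: float, horizon: int, period: int,
                     detect: Optional[int] = None) -> dict:
    """Expected attacker-access uses over `horizon` uses without rotation
    versus with a fresh password every `period` uses."""
    if horizon % period:
        raise ValueError("horizon must be a multiple of period")
    return {
        "no_rotation": expected_attacker_uses(p, horizon, detect),
        "rotation": (horizon // period) * expected_attacker_uses(p, period, detect),
    }


if __name__ == "__main__":
    print(cumulative_exposure_probability(0.01, 100))   # ~0.63, the "lotto" effect
    print(compare_policies(0.01, 360, 90))              # rotation bounds the window
    print(compare_policies(0.01, 360, 90, detect=7))    # prompt detection bounds it more
```

David's objection shows up as the `detect` parameter: when a user notices a compromise and changes the password within a few uses, the rotation period adds little on top of that.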

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
