Re: Password aging

[Angel L Cruz <cruz () AUSTIN UTEXAS EDU>]

Yes, passwords do need to be changed periodically. This is clear from
reviewing GASSP, ISO 17799, COBIT, etc. -- it's a standard practice.

Should it be 30, 60, 90, 180, 365 days? The devil in the details will
always be how often it is changed. A google search of password aging at
various intervals (up to 1 year) finds many hits for many intervals --
there is no one answer, it just depends on the environment and their
risk "pain threshold".

E.G. VISA's Account Info Sec documentation under Managing Static
Passwords suggests a 30 day aging rule. This is clearly based on their
risk assessment and their pain threshold for monetary loss.

Password aging decisions should be based on empirical vice imperial
evidence -- and I believe Gary's point about use of same passwords on
yahoo, e-bay, etc. reveals a major exposure that should be strongly
considered among the many issues in an access controls risk assessment.
So, is there policy in place to discourage such practices? Well, how do
you check?

Now 2-factor is clearly the way to go, but the economics, scalability,
and multi-platform requirements issues involved in large HE environments
still scare many of us. Let's hope pricing models improve soon so we can
at least take a stab at solving the scalability and multi-platform
issues.


Mr. Angel L. Cruz, CISSP
Director & University ISO
The University of Texas at Austin
1 University Station
MAI 26 G0900
Austin, TX 78712
(512) 475-9462
a.cruz () its utexas edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, January 14, 2004 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password aging

While it is debatable how *often* a password should be changed (the
result of adding the compound probabilities of each form of threat to
its secrecy), I would assert that no password should be permitted to
remain unchanged ad infinatum, no matter how complex or well-guarded
it is.

A reason changing ATM PINs is not as important is that ATM's rely on a
2-factor authenticator.  Someone has to learn the PIN, *and* obtain
the card.  Presuming users can keep tabs on one or the other (ideally
both), the surety can remain sufficiently high.

However, a problem with password stagnation could be cast as a
corollary question: "do you know who else knows your password".  None
of us can answer "yes" with certainty, only probability, because we
may never know if it has been intercepted, we can only hope that it
hasn't.  That surety degrades over time, due to the repetition of
exposures as it is used.

Two such risks of 'secret-leakage' are the old saw, network
eavesdropping, another is user-caused: Using the same password for
their enterprise account as they do on some less-secure service, where
it may be much more subject to interception (also without the user's
knowledge).


David L. Wasley wrote:

> I wonder about the rationale for requiring periodic password changes.
> I believe I understand why it was necessary in the past but is it
> still reasonable?  What is the risk that is mitigated by that
> requirement?
>
> I assume that modern systems
>  - require sufficiently complex passwords to start with
>  - do not allow downloading of the /etc/passwd (or equivalent) file
>  - lock account access after a few failed password attempts
>
> Therefore, guessing a password should prove very difficult and there
> isn't any other way to gain knowledge of it.  Even if you accept that
> it might be guessed, so might the new one.  Therefore why require
> that it be changed?
>
> As to people "sharing" or writing down passwords, they'll just share
> or write down the new one each time.  Thus changing passwords
> periodically does nothing to address this problem of human nature.
>
> If a person becomes aware that their password might have been
> compromised, they should then change their password just as they
> should request a PKI cert be revoked if the private key is
> compromised.
>
> I suppose one could imagine a scenario where an attacker tries a
> dictionary-like attack until the target locks up, waits for it to be
> reopened, and then continues trying.  Assuming the user never wonders
> why their account is continually locking up, the attacker might
> eventually hit on the actual password.  However, requiring the user
> to change their password periodically or even every time the account
> locks up wouldn't guarantee that the attacker would never succeed
> (even if you knew what strings they had already tried some other
> hacker might start again at the beginning).
>
> So can someone define what the rationale might be for requiring
> password changes?
>
> How often do folks change the PIN on their ATM cards?
>
> Thanks,
>        David
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.

--

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- dobbins () nd edu
   Director, Information Security
   University of Notre Dame, Office of Information Technologies
   Voice: 574.631.5554
   ------------------------------------------------------------
   "...mind the gap"

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.