Educause Security Discussion mailing list archives
Re: Password aging
From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Wed, 14 Jan 2004 11:22:29 -0800
At 9:57 AM -0800 on 1/14/04, Jere Retzer wrote:
> A password is most secure when first established and will become less secure the more it is used. There are many potential avenues that cause this to happen. One of the most significant is that people routinely use the same password for lots of different systems so that if any one is compromised their access is potentially compromised other places as well.

So require that people -not- do this (even if you also require changes, but if you -do- require changes realize that people will be more tempted to do this.) How do you know? Ask? Educate? Check systems under your control? Dunno, but I don't think requiring change helps - a naive user would simply change them all to be the new one.

> Others include password sharing, sticky notes, dictionary attacks (and systems that don't disable repeated attempts), eavesdropping, etc.

Never send passwords in the clear. In a corporate or campus context, you can ensure this. When a user is at home or elsewhere, well... But you can certainly minimize the eavesdropping exposure. [The one I dislike intensely is the e-commerce site that can send you back your password if you forget it. That capability means that the site can retrieve your clear text password!! Unix systems programmers knew better 30 years ago, even if the encryption was weak.]

> Each exposure of a password represents a small but finite risk. Sooner or later your number may come up in the lotto.

Yes - but the question is how long? 10,000 monkeys might eventually type the next great American novel. An array of Macintosh dual-CPU G5's can probably crack a 2048 bit asymmetric key pair in 10-20 years. If access management technology can keep ahead of this curve, maybe we're OK. I still suspect that the weak link will be human nature (barring GM humans ;-).

> Passwords are frankly lousy security, just as firewalls are lousy but necessary security. The sooner we admit this and start really to focus and spend money on biometric systems the better off we'll be. Yes, current biometric systems are also far from perfect but they will become better as people decide it is important and spend accordingly.

I totally agree that passwords per se are lousy security. I'm just trying to understand the real risks and potential mitigations. I believe the use of biometrics is poorly understood by most people but that is a topic for another thread.

David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
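Two of the points above are easy to make concrete in code: a site that can mail you your password must be storing it reversibly, whereas a one-way salted hash lets the server verify a password without ever being able to return it; and "systems that don't disable repeated attempts" are the ones that turn each guess into a free lottery ticket. The following is an added example, not code from the thread or from any EDUCAUSE system; the store, the PBKDF2 parameters, and the lockout policy values (`MAX_FAILURES`, `LOCKOUT_SECONDS`) are this example's own assumptions.

```python
"""Added example (not part of the original mailing-list post): a minimal
credential store that keeps only a salted PBKDF2 hash per user, so the
server can verify a password but cannot hand it back, plus a failed-attempt
counter that locks the account after repeated wrong guesses.
All parameters below are this example's own assumed policy values."""
import hashlib
import hmac
import os
import time
from typing import Optional

# PBKDF2 parameters chosen for the example; a real deployment would tune the
# iteration count to its hardware and should prefer a memory-hard KDF.
ITERATIONS = 200_000
SALT_BYTES = 16
MAX_FAILURES = 5          # assumed lockout threshold
LOCKOUT_SECONDS = 900     # assumed lockout window (15 minutes)


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding only the salt and derived key, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": dk, "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


class CredentialStore:
    def __init__(self):
        self._users = {}     # username -> hash record
        self._failures = {}  # username -> (failure count, time of last failure)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def recover_password(self, username: str) -> str:
        """The 'send me my password' feature: impossible with a one-way hash."""
        raise LookupError("only a one-way hash is stored; the password is not recoverable")

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        """True while the account is inside its lockout window; expired windows reset."""
        now = time.time() if now is None else now
        count, last = self._failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if now - last >= LOCKOUT_SECONDS:
            self._failures.pop(username, None)   # window expired, start counting afresh
            return False
        return True

    def login(self, username: str, password: str, now: Optional[float] = None) -> bool:
        """Verify the password; locked accounts are refused without touching the hash."""
        now = time.time() if now is None else now
        if username not in self._users or self.is_locked(username, now):
            return False
        if verify_password(self._users[username], password):
            self._failures.pop(username, None)   # success clears the failure count
            return True
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, now)
        return False


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery")   # constructed sample user
    print("good password accepted:", store.login("alice", "correct horse battery"))
    print("bad password rejected:", not store.login("alice", "guess"))
    try:
        store.recover_password("alice")
    except LookupError as e:
        print("recovery refused:", e)
```

The `is_locked` check runs before any hash computation, so a locked account costs the server nothing per attempt, and a successful login clears the counter so a user who mistypes a few times is not penalised indefinitely.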