Educause Security Discussion mailing list archives

Re: Password aging


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 14 Jan 2004 18:07:50 -0500

David L. Wasley wrote:
At 9:57 AM -0800 on 1/14/04, Jere Retzer wrote:

Others include password sharing, sticky notes, dictionary attacks
(and systems that don't disable repeated attempts), eavesdropping, etc.

...and public (or your friends', relatives', or hacker-controlled)
computers harboring keystroke loggers.

Never send passwords in the clear.  In a corporate or campus context,
you can ensure this.  When a user is at home or elsewhere, well...
But you can certainly minimize the eavesdropping exposure.

But there are problems other than cleartext passwords. Windows LM
hashes and the wireless/IPSEC/VPN hash exposures recently discussed
on various lists come to mind. Having a hash may be as good as
having a cleartext password if the (admittedly poor) password is
in a hashed dictionary.

Each exposure of a password represents a small but finite risk. Sooner
or later your number may come up in the lotto.

Yes - but the question is how long?  10,000 monkeys might eventually
type the next great American novel.   An array of Macintosh dual-CPU
G5s can probably crack a 2048-bit asymmetric key pair in 10-20
years.

Or it might get lucky on its first guess. People do win the
lottery.

Passwords are frankly lousy security, just as firewalls are lousy but
necessary security. The sooner we admit this and start really to focus
and spend money on biometric systems the better off we'll be. Yes,
current biometric systems are also far from perfect but they will become
better as people decide it is important and spend accordingly.


I totally agree that passwords per se are lousy security.

One could go so far as to say that passwords and cryptographic
secrets are just another form of "security by obscurity". Not
that there is anything wrong with that. Synonyms are "need
to know" and compartmentalization. There are very few absolutes
in security.

I'm just trying to understand the real risks and potential mitigations.

A lot depends upon the value of what you are trying to protect
and typical behavior of your users. Barring a complete risk
assessment with its attendant subjective ratings of threat
probabilities and values, we are left with following best
practices.

I believe the use of biometrics is poorly understood by most people
but that is a topic for another thread.

I would personally be concerned about a compromise of my binary
encoded finger or retina print. It would be pretty hard to change.
But I guess they could be hashed with a changeable key. But then we
would have to address the question of how often that hash key
should be changed. :)

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
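Two points in the message above lend themselves to a worked illustration: that an exposed hash of a dictionary password is as good as the cleartext once someone holds a precomputed "hashed dictionary", and that a stored value can be tied to a changeable key. The following is an added example written for this archive page; it is not code from Gary Flynn, the list, or any product discussed in the thread. It assumes a constructed five-word dictionary, uses PBKDF2 (a salted, iterated hash the thread does not mention) as the stand-in for a better password store, and uses an HMAC under a rotatable server key as the stand-in for "hashed with a changeable key". The template bytes are a constant chosen for the example; real biometric templates do not match bit-for-bit between readings, so an exact keyed hash is only an illustration of the key-rotation idea, not of how biometric template protection is actually done.

```python
"""Added example (not from the thread): why an exposed unsalted hash of a
dictionary word is as good as the cleartext, and what changes when the
stored value is salted and stretched, or keyed with a rotatable key."""
import hashlib
import hmac
import os

# Constructed word list standing in for a real cracking dictionary.
DICTIONARY = ["password", "letmein", "wildcats", "jmu2004", "Tr0ub4dor"]


def build_hash_table(words, algo="md5"):
    """Precompute algo(word) once for every dictionary word: hash -> word.
    This is the 'hashed dictionary' the message refers to."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def unsalted_lookup(stored_hash_hex, table):
    """An exposed unsalted hash is resolved with a single dictionary lookup
    if the password is in the list; None means the table does not cover it."""
    return table.get(stored_hash_hex)


def store_salted(password, iterations=100_000):
    """Store PBKDF2-HMAC-SHA256(password, random salt). The random salt means
    no table computed in advance can contain this value, and the iteration
    count makes each guess cost far more than one MD5."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, dk)


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def keyed_template(template_bytes, server_key):
    """HMAC of a fixed template under a server-held key (assumption: this is
    what 'hashed with a changeable key' would look like). Rotating the key
    changes the stored value, so a leaked stored value can be invalidated
    without changing the underlying template."""
    return hmac.new(server_key, template_bytes, "sha256").digest()


def rotate_key(template_bytes, old_key, new_key):
    """Return (old_stored, new_stored, old_still_valid) after a key rotation."""
    old_stored = keyed_template(template_bytes, old_key)
    new_stored = keyed_template(template_bytes, new_key)
    return old_stored, new_stored, hmac.compare_digest(old_stored, new_stored)


if __name__ == "__main__":
    table = build_hash_table(DICTIONARY)
    exposed = hashlib.md5(b"letmein").hexdigest()      # an exposed LM/MD5-style hash
    print("unsalted lookup:", unsalted_lookup(exposed, table))
    rec = store_salted("letmein")
    print("salted value in table:", unsalted_lookup(rec[2].hex(), table))
    print("salted verify:", verify_salted("letmein", rec))
    tpl = b"constructed-template-bytes"                # constructed, not a real template
    print("old still valid after rotation:", rotate_key(tpl, b"k1", b"k2")[2])
```

The unsalted lookup returns the password immediately, the salted record is absent from the precomputed table (and a fresh `store_salted` call for the same password yields a different record each time), and after key rotation the previously stored keyed value no longer matches.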
