Educause Security Discussion mailing list archives
Re: Password aging
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 14 Jan 2004 18:07:50 -0500
David L. Wasley wrote:
At 9:57 AM -0800 on 1/14/04, Jere Retzer wrote:
Others include password sharing, sticky notes, dictionary attacks (and systems that don't disable repeated attempts), eavesdropping, etc.
...and public (or your friends', relatives', or hacker controlled) computers harboring keystroke loggers.
Never send passwords in the clear. In a corporate or campus context, you can ensure this. When a user is at home or elsewhere, well... But you can certainly minimize the eavesdropping exposure.
But there are problems other than cleartext passwords. Windows LM hashes and the wireless/IPSEC/VPN hash exposures recently discussed on various lists come to mind. Having a hash may be as good as having a cleartext password if the (admittedly poor) password is in a hashed dictionary.
Each exposure of a password represents a small but finite risk. Sooner or later your number may come up in the lotto.
Yes - but the question is how long? 10,000 monkeys might eventually type the next great American novel. An array of Macintosh dual-CPU G5's can probably crack a 2048 bit asymmetric key pair in 10-20 years.
Or it might get lucky on its first guess. People do win the lottery.
Passwords are frankly lousy security, just as firewalls are lousy but necessary security. The sooner we admit this and start really to focus and spend money on biometric systems the better off we'll be. Yes, current biometric systems are also far from perfect but they will become better as people decide it is important and spend accordingly.
I totally agree that passwords per se are lousy security.
One could go so far as to say that passwords and cryptographic secrets are just another form of "security by obscurity". Not that there is anything wrong with that. Synonyms are "need to know" and compartmentalization. There are very few absolutes in security.
I'm just trying to understand the real risks and potential mitigations.
A lot depends upon the value of what you are trying to protect and typical behavior of your users. Barring a complete risk assessment with its attendant subjective ratings of threat probabilities and values, we are left with following best practices.
I believe the use of biometrics is poorly understood by most people but that is a topic for another thread.
I would personally be concerned about a compromise of my binary encoded finger or retina print. It would be pretty hard to change. But I guess they could be hashed with a changeable key. But then we would have to address the question of how often that hash key should be changed. :)
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
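An added illustration, not part of Gary Flynn's message or of the thread, of the two points above: why a captured unkeyed hash of a weak password is "as good as" the cleartext once a hashed dictionary exists, and how hashing under a changeable server-side key defeats that dictionary and lets the key be rotated. The wordlist is constructed, and SHA-256/HMAC-SHA-256 are assumed stand-ins (the thread's LM hashes are a different, weaker construction).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample wordlist standing in for a precomputed "hashed dictionary".
WEAK_PASSWORDS = ["password", "letmein", "qwerty", "summer03", "dukes2004"]


def unkeyed_hash(password: str) -> str:
    # No salt, no key: identical passwords always give identical digests,
    # so a table built once maps any captured digest straight back to the word.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_hashed_dictionary(words: Iterable[str]) -> Dict[str, str]:
    # Defender's view of the exposure: this is all an eavesdropper needs to
    # have prepared for a captured unkeyed hash to be worth a cleartext password.
    return {unkeyed_hash(w): w for w in words}


def recover_from_dictionary(captured: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(captured)


def new_hash_key() -> bytes:
    # The "changeable key" from the message: a server-held secret, never sent.
    return secrets.token_bytes(32)


def keyed_hash(password: str, key: bytes) -> str:
    # HMAC under the key: a dictionary precomputed without the key never matches,
    # and changing the key changes every stored digest at once.
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_keyed(password: str, key: bytes, stored: str) -> bool:
    # Constant-time comparison so verification does not leak digest prefixes.
    return hmac.compare_digest(keyed_hash(password, key), stored)


def dictionary_hits_against_keyed(words: Iterable[str], key: bytes,
                                  table: Dict[str, str]) -> int:
    # How many keyed digests of the weak words appear in the unkeyed table.
    return sum(1 for w in words if keyed_hash(w, key) in table)
```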