Re: Password aging

["Gordon D. Wishon" <gwishon () ND EDU>]

Thanks, Dennis.  As you can tell, a lot of people have an interest in this
topic.  This information will be very helpful as we prepare our Effective
Practices Guide....

Gordon Wishon

At 04:04 PM 1/16/2004 -0700, Dennis Maloney wrote:
> Dan Updegrove, et al,
>
> In response to your inquiry about studies on password aging, I asked our IT
> Auditor (Jim.Dillon () cusys edu) for this thoughts/research.  Attached you
> will find what Jim provided.  The information helps provide a context for
> discussion using bona fide studies; of course the studies help fuel more
> discussion.
>
> Dennis
>
> -----Original Message-----
> From: Jim Dillon [mailto:Jim.Dillon () cusys edu]
> Sent: Monday, January 12, 2004 8:51 PM
> To: Dennis Maloney
> Subject: Password Study and other Info You requested
>
> Dennis,
>
> Attached are several documents on password formulation.  A couple may come
> close to meeting your original request.  The Password_Tech_Rpt file is a
> Cambridge study trying to validate "myths" regarding password complexity and
> password effectiveness.  It is the closest and you should look it over.  The
> html file "Internet Security Advisor ..." is a good dialogue on password
> issues you may find helpful.  The link below to the OWASP guide V1.1.1 pdf
> will lead you to a recommendation by this group about web application
> security and password standards.  It appears to be based on
> research/consortium type recommendation, and there is a version 2 draft out,
> but I couldn't get it to download.  Pages 16-19 or so discuss password
> management recommendations, and they are the typical 3 hardening factors/8
> character recommendation.  This is a fairly current, relevant, and ongoing
> project so it may be worth some consideration.
>
> Also attached are a couple of "general security control" guidelines that are
> good for describing "defense in depth" and standard security
> recommendations.  The NIST one is self explanatory, doesn't give specifics
> on passwords, but is useful in framing discussions on security.  The IIA
> document is sponsored by the even less techie non-IT standard audit
> organization the IIA.  It has a lot of standard audit speak and dialogue, a
> bunch of case studies, and best of all it references the standards from
> which it builds its authority.  The list of standards at the end is good,
> and it might be a reasonable management level read on security.  I thought
> they might be useful for someone looking to discuss passwords as a topic.
>
> Finally, I would use the BS 7799 standard ( I have a good audit
> standard/checklist on this, from SANS actually), COBIT, SANS whitepapers,
> Center for Internet Security, GASSP (I think this acronym has changed
> recently) and other such resources for my basis for recommended practice.
> These tend to by Higher Ed, research projects, security organizations, or
> large standards organizations, so rather than bad mouth auditors, folks
> should realize that it is standards groups that probably set the tone for an
> audit recommendation.  These usually consist of higher ed research and
> business partnerships.
>
> If you understand all those things and their implications, you can formulate
> a reasoned password standard as part of your defense in depth controls.
> That can't be done by simply quoting a standard, it takes some back and
> forth, give and take, and situational awareness.  I would always be open to
> reasoned arguments that take that approach in defining adequate password
> rules.
>
> I still think password changing is a good idea, although as I stated before,
> I don't subscribe to the 30/60/90 day arguments, I think business cycles
> better represent the risk/opportunity environment of the business.  They
> reflect employee/customer activity and trends, and those ought to be the
> cycles under discussion.
>
> Changing a password reduces its life-cycle risk.  A password's potential to
> be attacked is greater if it is longer lived.  Not much value to changes for
> just this reason, as the next will also be attacked in short order.
> Changing a password reminds/educates end users to be aware of security
> considerations and to protect their identity, keys, credentials, etc.  It
> reminds folks that they should consider their contribution to security
> environment regularly, ongoing - its not a one time and you're done thing.
> This has greater value to me.  Changing a password can defeat and eliminate
> a broken/breached password sooner than might otherwise be discovered.  If an
> attacker is acting stealthily and simply using a broken password to gain
> access, changing may close that channel.  This has some value.  Changing a
> password may cause loggable events or have side-effects that bring
> administrators' attention to unusual situations.  That has some value.  None
> of these is enough by itself, but the whole seems to create a more secure
> practice.
>
> Anyway, I hope this helps.  See attached as you wish.
>
> Best regards,
>
> Jim
>
> ======================================
> Jim Dillon, CISA
> IT Audit Manager
> University of Colorado
> jim.dillon () cusys edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737
> ======================================
>
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.