Educause Security Discussion mailing list archives
Re: Password aging
From: "Gordon D. Wishon" <gwishon () ND EDU>
Date: Sat, 17 Jan 2004 09:26:13 -0500
Thanks, Dennis. As you can tell, a lot of people have an interest in this topic. This information will be very helpful as we prepare our Effective Practices Guide....

Gordon Wishon

At 04:04 PM 1/16/2004 -0700, Dennis Maloney wrote:

Dan Updegrove, et al,

In response to your inquiry about studies on password aging, I asked our IT Auditor (Jim.Dillon () cusys edu) for his thoughts/research. Attached you will find what Jim provided. The information helps provide a context for discussion using bona fide studies; of course the studies help fuel more discussion.

Dennis

-----Original Message-----
From: Jim Dillon [mailto:Jim.Dillon () cusys edu]
Sent: Monday, January 12, 2004 8:51 PM
To: Dennis Maloney
Subject: Password Study and other Info You requested

Dennis,

Attached are several documents on password formulation. A couple may come close to meeting your original request.

The Password_Tech_Rpt file is a Cambridge study trying to validate "myths" regarding password complexity and password effectiveness. It is the closest and you should look it over.

The html file "Internet Security Advisor ..." is a good dialogue on password issues you may find helpful.

The link below to the OWASP guide V1.1.1 pdf will lead you to a recommendation by this group about web application security and password standards. It appears to be based on research/consortium type recommendation, and there is a version 2 draft out, but I couldn't get it to download. Pages 16-19 or so discuss password management recommendations, and they are the typical 3 hardening factors/8 character recommendation. This is a fairly current, relevant, and ongoing project so it may be worth some consideration.

Also attached are a couple of "general security control" guidelines that are good for describing "defense in depth" and standard security recommendations. The NIST one is self-explanatory, doesn't give specifics on passwords, but is useful in framing discussions on security. The IIA document is sponsored by the even less techie non-IT standard audit organization the IIA. It has a lot of standard audit speak and dialogue, a bunch of case studies, and best of all it references the standards from which it builds its authority. The list of standards at the end is good, and it might be a reasonable management level read on security. I thought they might be useful for someone looking to discuss passwords as a topic.

Finally, I would use the BS 7799 standard (I have a good audit standard/checklist on this, from SANS actually), COBIT, SANS whitepapers, Center for Internet Security, GASSP (I think this acronym has changed recently) and other such resources for my basis for recommended practice. These tend to be Higher Ed, research projects, security organizations, or large standards organizations, so rather than bad-mouth auditors, folks should realize that it is standards groups that probably set the tone for an audit recommendation. These usually consist of higher ed research and business partnerships.

If you understand all those things and their implications, you can formulate a reasoned password standard as part of your defense in depth controls. That can't be done by simply quoting a standard; it takes some back and forth, give and take, and situational awareness. I would always be open to reasoned arguments that take that approach in defining adequate password rules.

I still think password changing is a good idea, although as I stated before, I don't subscribe to the 30/60/90 day arguments. I think business cycles better represent the risk/opportunity environment of the business. They reflect employee/customer activity and trends, and those ought to be the cycles under discussion.

Changing a password reduces its life-cycle risk. A password's potential to be attacked is greater if it is longer lived. Not much value to changes for just this reason, as the next will also be attacked in short order.

Changing a password reminds/educates end users to be aware of security considerations and to protect their identity, keys, credentials, etc. It reminds folks that they should consider their contribution to the security environment regularly, ongoing; it's not a one-time and you're done thing. This has greater value to me.

Changing a password can defeat and eliminate a broken/breached password sooner than might otherwise be discovered. If an attacker is acting stealthily and simply using a broken password to gain access, changing may close that channel. This has some value.

Changing a password may cause loggable events or have side-effects that bring administrators' attention to unusual situations. That has some value.

None of these is enough by itself, but the whole seems to create a more secure practice.

Anyway, I hope this helps. See attached as you wish.

Best regards,
Jim

======================================
Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon () cusys edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737
======================================

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
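The memo above weighs two distinct effects of password aging: a longer-lived password gives an online guesser more time (but a fresh one is attacked "in short order" too), and rotation cuts off a silently compromised password sooner than detection might. The following model puts numbers on both arguments. It is an added illustration written for this archive page, not code from the EDUCAUSE thread or from any of the attached studies; the guess rate, candidate space, lifetimes and compromise days are constructed assumptions.

```python
"""Lifetime-risk model for password aging.

Added example for this page; not from the mailing-list thread or the
studies it references. Two arguments from the memo are quantified:

  1. Against a memoryless online guesser, rotating the password does
     not change the chance of compromise over a fixed horizon, because
     each new password faces the same per-guess odds.
  2. Rotation bounds how long a stolen password stays usable, which is
     the "close that channel sooner" argument.

All numeric parameters are constructed assumptions.
"""


def p_guessed_within(days, guesses_per_day, space):
    """Probability that an online guesser, drawing uniformly at random from
    `space` candidates at `guesses_per_day`, hits the current password
    within `days`. Each guess independently succeeds with probability
    1/space (memoryless attacker, guesses with replacement)."""
    guesses = guesses_per_day * days
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def p_guessed_over_horizon(horizon_days, lifetime_days, guesses_per_day, space):
    """Probability that at least one password is guessed during
    `horizon_days` when the password is replaced every `lifetime_days`.
    Successive passwords are independent draws from the same space, so the
    attacker simply starts over against each one; the result equals the
    no-rotation figure whenever lifetime divides the horizon."""
    periods = horizon_days // lifetime_days
    p_one = p_guessed_within(lifetime_days, guesses_per_day, space)
    return 1.0 - (1.0 - p_one) ** periods


def exposure_days(lifetime_days, compromise_day, detection_day=None):
    """Days a stolen password remains valid when it is compromised on
    `compromise_day` (day 0 = policy start). Rotation ends the exposure at
    the next change boundary; a detection on `detection_day` ends it
    earlier. With no rotation (lifetime_days=None) only detection helps,
    and an undetected compromise stays open indefinitely."""
    if lifetime_days is None:
        end = detection_day
    else:
        next_change = (compromise_day // lifetime_days + 1) * lifetime_days
        end = next_change if detection_day is None else min(next_change, detection_day)
    if end is None:
        return float("inf")
    return max(0, end - compromise_day)


def expected_exposure_days(lifetime_days):
    """Mean exposure when the compromise day is uniform over one lifetime
    and nothing else detects it: (lifetime + 1) / 2 days."""
    total = sum(exposure_days(lifetime_days, d) for d in range(lifetime_days))
    return total / lifetime_days


if __name__ == "__main__":
    # Constructed scenario: 1,000 online guesses/day against 10^8 candidates.
    RATE, SPACE = 1_000, 10**8
    for life in (30, 90, 360):
        print(f"rotate every {life:3d}d: P(guessed within 360d) = "
              f"{p_guessed_over_horizon(360, life, RATE, SPACE):.5f}")
    print(f"no rotation       : P(guessed within 360d) = "
          f"{p_guessed_within(360, RATE, SPACE):.5f}")
    for life in (30, 90, 360):
        print(f"rotate every {life:3d}d: mean days a stolen password stays "
              f"valid = {expected_exposure_days(life):.1f}")
    print("no rotation, undetected:", exposure_days(None, 100))
```

Running it shows the first three probabilities identical to the no-rotation line, which is the memo's "next will also be attacked in short order" point in numbers, while the mean exposure of a stolen password drops from unbounded to roughly half the lifetime. The model deliberately ignores rate limiting, lockout and detection of the guessing itself, which are the controls that actually change the first figure.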