Educause Security Discussion mailing list archives

Re: Password Expiration


From: "Stewart, Ian" <istewart () UMASSP EDU>
Date: Wed, 12 Apr 2006 14:20:46 -0400

My own experience with frequent password changes and complexity
requirements is that it's actually pretty easy to remember pass
*phrases* containing spaces, mixed case, and numbers, much easier than
trying to construct a complex pass *word*. A complex pass phrase is as
easy for me to remember as a simple password because it makes some sort
of sense.

A bigger issue for me is whether to use a single password multiple
places on the Internet. That's when MS' Passport or Liberty-enabled sites
make sense to me.

-Ian

-----Original Message-----
From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU] 
Sent: Tuesday, April 11, 2006 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration


Regardless of the origin of the idea (and thanks for that  
background, too), proponents of password changing can argue that  
the practice does limit the length of time during which a bad guy  
can do damage. Now, this may be pointless, since one access may be  
all it takes to empty out a bank account or do other catastrophic  
damage, but the argument is made nonetheless. So let's ask the  
question directly: Since it's inevitable that passwords will fall  
into the wrong hands, how can we minimize the duration of the  
exposure?

The best minimization is to use one-time passwords, combined with  
using trustworthy software and limiting access rights.

One approach is to give the user feedback on recent accesses,  
hoping that s/he'll notice any illegitimate activity. This also  
goes back to mainframe days, when many systems' login displays  
included the timestamp of the previous login.
We can extend this idea in two dimensions: First, track not just  
time, but things like MAC and IP addresses, geographic location,  
session duration, etc.

Some systems do this, at least partially.  However, it is limited to
what the OS supports, and the reliability of the information.  Some
of what you suggest (such as geographic location) cannot be reliably
captured.  It is also the case that some places where user
authentication is performed (e.g., via WWW-based login, or ftp) may
not be logged by the OS in the same way.  And if an intruder has
gained privileged access, the contents of any host-based audit trails
and logging -- and thus their display -- should be viewed as suspect.

 And, second, automate the process. That is, have the system look  
for and flag anomalous activity. This may sound familiar: It's a  
variation on what the credit card companies do to detect fraud.

It is part of what an anomaly-based IDS (or IPS, to use current buzz)  
system does -- or should do.  Not a new idea at all.

So instead of "brain-dead password change policies" (and I'm amazed  
no one has yet referenced http://www.smat.us/sanity/mordac.jpg),  
which at best limit the bad guys to weeks or months of illegitimate  
account access, I wonder if there's any work being done to notice  
compromised passwords in this or some other way.

Intrusion detection/prevention technologies are oriented towards this  
problem -- to find intruders using the system without authorization,  
whether through captured passwords or software flaws.   These have  
varying levels of success depending on system type, access patterns,  
and so on.  The best solution continues to be to keep them out in the  
first place.


One of my favorite Dilbert cartoons ends with the pointy-haired boss
saying "...and starting today, all passwords must contain letters,
numbers, doodles, sign language and squirrel noises."  Sound
familiar to anyone?

--spaf
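The thread above discusses two ideas: printing the previous login's details at sign-on so the user can spot an impostor, and having the system itself flag logins that do not fit the user's history (source network, time of day). The following is an added illustration of both, written for this archive page and not code posted by any list participant. It runs over constructed sample login records; the field layout, the /24 collapsing of source addresses, the one-hour tolerance and the minimum-history threshold are all assumptions of the example. Per Spafford's caveat, it deliberately attempts no geolocation, and it only ever sees what the host logged, so it is no better than those logs if the host has already been taken.

```python
"""Previous-login banner plus simple per-user login anomaly flags.

Added example for the list discussion, not code from any participant.
Records are constructed sample data; names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample login records: (timestamp, user, source IP, service).
SAMPLE_LOGINS = [
    ("2006-04-03 08:55:12", "alice", "10.20.30.40", "ssh"),
    ("2006-04-04 09:02:44", "alice", "10.20.30.41", "ssh"),
    ("2006-04-05 08:47:03", "alice", "10.20.30.40", "webmail"),
    ("2006-04-06 09:10:19", "alice", "10.20.30.42", "ssh"),
    ("2006-04-11 03:14:07", "alice", "198.51.100.23", "webmail"),  # odd hour, new net
    ("2006-04-11 09:00:00", "alice", "10.20.30.40", "ssh"),
]

# Assumed threshold: only judge "unusual hour" once a user has some history.
MIN_HISTORY = 3


def parse_record(rec):
    ts, user, ip, service = rec
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "user": user,
        "ip": ip_address(ip),
        "service": service,
    }


def source_network(ip):
    """Collapse an address to its /24 (v4) or /64 (v6) so a DHCP move inside
    the same LAN does not look like a new location."""
    prefix = 24 if ip.version == 4 else 64
    return ip_network((ip, prefix), strict=False)


def analyze(records):
    """Return one result dict per login, in input order.

    Each result carries the previous-login banner for that user (None on the
    user's first login) and a list of anomaly reasons, possibly empty.
    """
    history = defaultdict(list)  # user -> earlier parsed logins
    results = []
    for rec in map(parse_record, records):
        prior = history[rec["user"]]
        reasons = []
        banner = None
        if prior:
            last = prior[-1]
            banner = "Last login: %s from %s via %s" % (
                last["time"].strftime("%a %b %d %H:%M:%S %Y"),
                last["ip"], last["service"])
            seen_nets = {source_network(p["ip"]) for p in prior}
            net = source_network(rec["ip"])
            if net not in seen_nets:
                reasons.append("new source network %s" % net)
            if len(prior) >= MIN_HISTORY:
                seen_hours = {p["time"].hour for p in prior}
                # Tolerate one hour of drift either side of any seen hour.
                near = {h % 24 for s in seen_hours for h in (s - 1, s, s + 1)}
                if rec["time"].hour not in near:
                    reasons.append("unusual hour %02d:00" % rec["time"].hour)
        results.append({
            "user": rec["user"],
            "time": rec["time"],
            "ip": str(rec["ip"]),
            "banner": banner,
            "anomalies": reasons,
        })
        prior.append(rec)
    return results


def flagged(records):
    """(time, ip, reasons) for every login that tripped at least one rule."""
    return [(r["time"].isoformat(" "), r["ip"], r["anomalies"])
            for r in analyze(records) if r["anomalies"]]


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOGINS):
        print(r["banner"] or "(first recorded login for %s)" % r["user"])
        if r["anomalies"]:
            print("  ** ANOMALY for %s at %s: %s"
                  % (r["user"], r["time"], "; ".join(r["anomalies"])))
```

Only the 03:14 login from 198.51.100.23 is flagged, for both a never-seen network and an hour outside the user's pattern; the later 09:00 login from the usual LAN passes even though the odd login is now part of the history, which is the price of any scheme that learns from logs it cannot fully trust.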
