Educause Security Discussion mailing list archives
Re: Password Expiration
From: "Stewart, Ian" <istewart () UMASSP EDU>
Date: Wed, 12 Apr 2006 14:20:46 -0400
My own experience with frequent password changes and complexity requirements is that it's actually pretty easy to remember pass *phrases* containing spaces, mixed case, and numbers, much easier than trying to construct a complex pass *word*. Remembering a complex pass phrase is as easy to remember as a simple password to me because it makes some sort of sense. A bigger issue for me is whether to use a single password multiple places on the Internet. That's when MS' Passport or Liberty-enabled sites make sense to me. -Ian

-----Original Message-----
From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU]
Sent: Tuesday, April 11, 2006 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expiration
Regardless of the origin of the idea (and thanks for that background, too), proponents of password changing can argue that the practice does limit the length of time during which a bad guy can do damage. Now, this may be pointless, since one access may be all it takes to empty out a bank account or do other catastrophic damage, but the argument is made nonetheless. So let's ask the question directly: Since it's inevitable that passwords will fall into the wrong hands, how can we minimize the duration of the exposure?
The best minimization is to use one-time passwords, combined with using trustworthy software and limiting access rights.
One approach is to give the user feedback on recent accesses, hoping that s/he'll notice any illegitimate activity. This also goes back to mainframe days, when many systems' login displays included the timestamp of the previous login. We can extend this idea in two dimensions: First, track not just time, but things like MAC and IP addresses, geographic location, session duration, etc.
Some systems do this, at least partially. However, it is limited to what the OS supports, and the reliability of the information. Some of what you suggest (such as geographic location) cannot be reliably captured. It is also the case that some places where user authentication is performed (e.g., via WWW-based login, or ftp) may not be logged by the OS in the same way. And if an intruder has gained privileged access, the contents of any host-based audit trails and logging -- and thus their display -- should be viewed as suspect.
And, second, automate the process. That is, have the system look for and flag anomalous activity. This may sound familiar: It's a variation on what the credit card companies do to detect fraud.
It is part of what an anomaly-based IDS (or IPS, to use current buzz) system does -- or should do. Not a new idea at all.
So instead of "brain-dead password change policies" (and I'm amazed no one has yet referenced http://www.smat.us/sanity/mordac.jpg), which at best limit the bad guys to weeks or months of illegitimate account access, I wonder if there's any work being done to notice compromised passwords in this or some other way.
Intrusion detection/prevention technologies are oriented towards this problem -- to find intruders using the system without authorization, whether through captured passwords or software flaws. These have varying levels of success depending on system type, access patterns, and so on. The best solution continues to be to keep them out in the first place. One of my favorite Dilbert cartoons ends with the pointy-haired boss saying "...and starting today, all passwords must contain letters, numbers, doodles, sign language and squirrel noises." Sounds familiar to anyone? --spaf
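The two ideas discussed above (a "previous login" display, and automating the comparison so the system flags anomalous logins the way a card issuer flags odd transactions) can be sketched as a small detector over login records. This is an added example written for this archive page, not code from anyone in the thread; the record format (user, ISO timestamp, source IP, client MAC, session minutes), the sample log lines and the thresholds are all constructed assumptions for illustration.

```python
"""Last-login feedback plus simple per-user anomaly flagging.

Added example, not from the mailing-list thread. The log format, field
names and thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: user, timestamp, source IP, client MAC, session minutes.
# The last alice record is built to look unlike her earlier logins.
SAMPLE_LOG = """\
alice 2006-04-03T09:02:11 10.1.2.3 00:11:22:33:44:55 480
alice 2006-04-04T08:55:40 10.1.2.3 00:11:22:33:44:55 465
alice 2006-04-05T09:10:02 10.1.2.7 00:11:22:33:44:55 470
alice 2006-04-06T03:14:09 198.51.100.23 de:ad:be:ef:00:01 12
bob 2006-04-05T14:00:00 10.1.5.9 aa:bb:cc:dd:ee:01 120
bob 2006-04-06T14:30:00 10.1.5.9 aa:bb:cc:dd:ee:01 110
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, ip, mac, minutes = line.split()
        records.append({
            "user": user,
            "time": datetime.fromisoformat(ts),
            "ip": ip,
            "mac": mac,
            "minutes": int(minutes),
        })
    return records


def last_login_banner(history):
    """Text a login display would show: when and from where the last session came."""
    if not history:
        return "No previous login recorded."
    prev = history[-1]
    return f"Last login: {prev['time'].isoformat()} from {prev['ip']} ({prev['mac']})"


def flag_login(login, history, hour_window=2, short_ratio=0.25):
    """Return the reasons this login differs from the user's earlier logins.

    hour_window widens the user's observed login-hour range; short_ratio
    marks a session as odd if it is below that fraction of the average length.
    Both values are arbitrary choices for the example.
    """
    reasons = []
    if not history:
        return reasons  # first login seen for this user: nothing to compare against
    if login["ip"] not in {h["ip"] for h in history}:
        reasons.append("new source IP")
    if login["mac"] not in {h["mac"] for h in history}:
        reasons.append("new client MAC")
    hours = [h["time"].hour for h in history]
    if not (min(hours) - hour_window <= login["time"].hour <= max(hours) + hour_window):
        reasons.append("outside usual login hours")
    avg_minutes = sum(h["minutes"] for h in history) / len(history)
    if login["minutes"] < avg_minutes * short_ratio:
        reasons.append("unusually short session")
    return reasons


def analyze(records):
    """Replay logins in time order; for each, produce the banner and any flags."""
    history = defaultdict(list)
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        hist = history[rec["user"]]
        findings.append({
            "user": rec["user"],
            "time": rec["time"].isoformat(),
            "banner": last_login_banner(hist),
            "reasons": flag_login(rec, hist),
        })
        hist.append(rec)  # only now does this login become part of the baseline
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        status = ", ".join(f["reasons"]) or "ok"
        print(f"{f['time']} {f['user']:6} {status:60} | {f['banner']}")
```

The baseline is built only from logins already replayed, so a record is judged against what the user had done before it, not against itself. The attributes compared are the ones the thread names as reliably capturable (time, addresses, session length); geolocation is deliberately left out. Feeding this from a copy of the log shipped off the host addresses the point that host-resident audit trails are suspect once an intruder has privileged access.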