Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Stephen John Smoogen <smooge () GMAIL COM>
Date: Sat, 11 Apr 2009 13:17:57 -0600
On Sat, Apr 11, 2009 at 10:08 AM, Geoff Nathan <geoffnathan () wayne edu> wrote:
> I'll second Roger and Valdis' comments about the religious nature of this debate. I tried to educate our auditors and failed, and indeed they had expiry of ancient account passwords in mind as a driving force. So far there haven't been many loud squawks, but we're only into our second 180 days. What has been troublesome is the fact that we're going to have to limit the use of non-alphanumeric characters because of issues with Oracle, so we're actually dumbing down our requirements.
Yes.. I think the biggest reason for changing passwords to fight last century's fights is the various business/educational applications that one can't fix or change because of business requirements. Having to deal with applications that only allow a password to have a 'search space' of 64 characters and limited to a length of 8 makes guessing easier. Combine that with people using the same password everywhere and you end up with a fight that most sane people would think was 'won' ten years ago. Of course, dealing with staff/academics who quote Spafford's papers as gospel, you end up with the opposite cargo cult. Having his papers quoted and brought up as reasons why a professor or staff member can't have freebird as their password is maddening.
> We've also had a fight about whether the actual complexity restrictions should be on a public page or not (some folks seem to believe it's a security risk). As long as we're going with 'industry standard' (minimum eight, at least one cap, at least one non-letter, not the same as the last one, 180 days) we're not giving out 'the keys to the kingdom', I think we're not usefully hiding anything, but it looks like I'm losing that fight too.

Heh... I know that one.. dealt with it since time immemorial, or so I think. The truth is it is a security risk. So is allowing people to log in and turning on the computer. The bigger threat is the fact that you probably tell people that you have some Oracle application. An informed attacker is going to know that will limit the space already. He will also know that a large percentage of people are going to choose a password like [A-Z][a-z][a-z][0-9[:punct:]][a-z][a-z][a-z][0-9[:punct:]]. His attack will then be focused on seeing where he can combine those two at various gateways around campus and then just slow scan until he gets lucky. But as Valdis pointed out, he has probably just set up some Facebook pages, a couple of phishing emails etc. and gotten in by the time his scanner has gotten in. And most of the time what the attacker will be looking for is bank account numbers, research and thesis papers he can sell elsewhere and open proxies for people who want to get into some 'online only library'. Anyway, I think the education of the auditor/paranoid is that as long as some department says on a web page 'We are using Xanner Student Records or XYZ Oracle Apps' a potential attacker will know more about your password strength than from a page that says . and / are the only usable special characters.

> Geoffrey S. Nathan
> Faculty Liaison, C&IT, Policy Coordinator and Associate Professor, Linguistics Program
> +1 (313) 577-1259 (C&IT)
> +1 (313) 577-8621 (English/Linguistics)
--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"
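An added example, not from the thread, that puts numbers on the argument above: it parses the password shape Smoogen quotes and counts how many passwords it admits, nominally and once limited to an application alphabet. It assumes the "64 character" application alphabet is letters, digits, '.' and '/' (the two special characters the message says remain usable).

```python
# Added example, not from the thread: size the search space the message's
# password shape leaves an attacker, nominally and within a 64-char app alphabet.
import math
import string

POSIX_CLASSES = {
    "alpha": string.ascii_letters,
    "digit": string.digits,
    "punct": string.punctuation,  # the 32 ASCII punctuation characters
}

# Assumption: the "64 character" application alphabet is letters, digits,
# '.' and '/', the two special characters the message says remain usable.
ORACLE_LIKE_ALPHABET = set(string.ascii_letters + string.digits + "./")

def parse_classes(pattern):
    """Turn '[A-Z][0-9[:punct:]]' into one set of characters per position."""
    classes, i = [], 0
    while i < len(pattern):
        if pattern[i] != "[":
            raise ValueError(f"expected '[' at position {i}")
        chars, i = set(), i + 1
        while pattern[i] != "]":
            if pattern.startswith("[:", i):                       # POSIX class
                end = pattern.index(":]", i)
                chars.update(POSIX_CLASSES[pattern[i + 2:end]])
                i = end + 2
            elif pattern[i + 1] == "-" and pattern[i + 2] != "]":  # range a-z
                chars.update(map(chr, range(ord(pattern[i]), ord(pattern[i + 2]) + 1)))
                i += 3
            else:                                                 # literal
                chars.add(pattern[i])
                i += 1
        classes.append(chars)
        i += 1  # step past ']'
    return classes

def search_space(pattern, allowed=None):
    """Number of strings matching the pattern, limited to 'allowed' characters."""
    total = 1
    for cls in parse_classes(pattern):
        total *= len(cls & allowed) if allowed is not None else len(cls)
    return total

def bits(n):
    """Search space expressed in bits; 0 if nothing can match."""
    return math.log2(n) if n > 0 else 0.0

# Constructed input: the shape quoted in the message
MESSAGE_SHAPE = "[A-Z][a-z][a-z][0-9[:punct:]][a-z][a-z][a-z][0-9[:punct:]]"
```

Nominal 64^8 is 48 bits; the quoted shape is about 39 bits, and about 35 bits once only the 64-character alphabet is accepted, which is the gap the auditor argument is really about.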