Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Morrow Long <morrow.long () YALE EDU>
Date: Mon, 13 Apr 2009 09:21:52 -0400
I agree completely with Doug and Gary. You don't want to have intruders having uninterrupted control of your institutional user accounts for years and years (even if they aren't malicious :-). Not only are there valid security concerns and auditors to worry about, there is far too much liability in terms of IT compliance regulation today to allow an account with single-sign-on access to financial, student and other confidential data to remain compromised, potentially forever.

Implementing regular password changes will also "flush out" cases where people have been knowingly or unknowingly sharing passwords (often against institutional policy), as they will seek a more stable solution to their "business problem" which requires shared access.

I'm also looking towards (and working on) two-factor authentication as an even more secure solution for employees who need to work with highly confidential data.

Morrow

On Apr 13, 2009, at 8:48 AM, Doug Markiewicz wrote:
>> We actually didn't have to fight our auditors on expiration at all. I suspect this is because we were more prepared than our auditor. ;) As part of our policy, we included the math to determine the keyspace, along with how long it would take an attacker to brute force the keyspace (lower limit known, as we enforce account lockout after N attempts). This was acceptably long given our number of accounts, and provided no reason for us to enforce a short expiration period.
>
> This assumes brute force attacks are the only reason to implement password expiration. Another argument for password expiration is the notion that, over time, passwords get revealed unknowingly and periodic changing helps to mitigate the misuse of those passwords. For example, a user might accidentally type their password into the username field, which could have the side effect of logging that password. Granted, changing your password 30 days from that point won't stop misuse immediately, but it's perhaps a reasonable control? Maybe not. It's an argument we tossed around though.
>
> For the most part, we expire passwords to satisfy regulatory obligations, not to improve security (with the assumption that ISO 27002 is a model for evaluating vague regulatory requirements). Maybe we get better security along the way, maybe not. As others have said, the important thing is to understand why you're doing it. I'm happy with where we ended up: changing passwords for enterprise apps only. I'll be happier when we implement two-factor auth.
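The quoted post mentions putting "the math to determine the keyspace" and the time to brute-force it under account lockout into the policy document. The following is an added worked example of that calculation; it is not code from any participant in this thread, and every input value (62-symbol alphanumeric charset, 8-character minimum, lockout after 5 failures per 30-minute window, 50,000 accounts, 90-day expiration) is an assumed, hypothetical policy setting. It also goes one step past the post by modelling a spraying attacker who spreads the lockout budget across every account, which is the case where "given our number of accounts" matters.

```python
"""Worked password-policy math: keyspace vs. online guessing under lockout.

Added example for the thread; all policy numbers below are hypothetical assumptions.
"""
import math

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `charset_size` symbols."""
    return charset_size ** length


def online_guess_rate(lockout_attempts: int, lockout_window_s: float) -> float:
    """Upper bound on guesses/second an attacker can make against ONE account when the
    service locks the account after `lockout_attempts` failures per `lockout_window_s` seconds.
    Lockout caps the rate; the attacker never gets more than this per account."""
    return lockout_attempts / lockout_window_s


def seconds_to_exhaust_one_account(space: int, lockout_attempts: int, lockout_window_s: float) -> float:
    """Time to try every password of a single targeted account (the worst case for the attacker).
    On average the attacker succeeds at half this value."""
    return space / online_guess_rate(lockout_attempts, lockout_window_s)


def expected_seconds_to_first_hit_spraying(space: int, accounts: int,
                                           lockout_attempts: int, lockout_window_s: float) -> float:
    """Password spraying: the attacker uses the per-account lockout budget on ALL accounts in
    parallel. Each round of `accounts` guesses succeeds somewhere with probability ~accounts/space
    (valid while space >> accounts), so the expected number of rounds is space/accounts and each
    round takes 1/rate seconds. The population therefore divides the single-account figure by
    `accounts`, which is why the number of accounts belongs in the policy math."""
    rate = online_guess_rate(lockout_attempts, lockout_window_s)
    return space / (accounts * rate)


def policy_report(charset_size: int, length: int, lockout_attempts: int, lockout_window_s: float,
                  accounts: int, expiration_days: int) -> dict:
    """Summarise the numbers a policy document would cite, plus a sanity check: does the expiration
    period actually come before the expected time an online attacker needs?"""
    space = keyspace(charset_size, length)
    single_avg_s = seconds_to_exhaust_one_account(space, lockout_attempts, lockout_window_s) / 2
    spray_s = expected_seconds_to_first_hit_spraying(space, accounts, lockout_attempts, lockout_window_s)
    expiration_s = expiration_days * 86400
    return {
        "keyspace": space,
        "keyspace_bits": math.log2(space),
        "single_account_avg_years": single_avg_s / SECONDS_PER_YEAR,
        "spraying_first_hit_years": spray_s / SECONDS_PER_YEAR,
        # True when expiration is shorter than the expected online attack time, i.e. the
        # expiration period adds nothing against online brute force; False means the
        # lockout alone is too weak and expiration (or a stronger lockout) is doing real work.
        "online_bruteforce_outlasts_expiration": spray_s > expiration_s,
    }


if __name__ == "__main__":
    # Hypothetical policy: [A-Za-z0-9], 8 chars, lock after 5 failures per 30 min,
    # 50,000 accounts, 90-day expiration.
    report = policy_report(charset_size=62, length=8, lockout_attempts=5, lockout_window_s=1800,
                           accounts=50_000, expiration_days=90)
    for key, value in report.items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

With these assumed inputs the single-account average works out to well over a billion years and the spraying case to tens of thousands of years, which is the "acceptably long" argument the post describes; what the calculation does not cover is offline cracking of a leaked hash database or a password disclosed by other means, which is exactly Doug's objection in the reply.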