Re: Password Complexity and Aging

["David L. Wasley" <dlwasley () EARTHLINK NET>]

NIST has described a mathematical model for estimating the "entropy
of passwords." See NIST SP800-63, Rev 1, pgs 86-95.
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63-Rev.%201

A companion Excel spreadsheet implements this model so that you can
vary parameters and see their effect on the entropy, according to
this model.
See  http://www.cio.gov/eauthentication/documents/CommonCAP.xls


        David

-----
At 3:52 PM -0700 on 4/13/09, Basgen, Brian wrote:

> Hi Kevin,
>
>  A seemingly small exponential change can make a key space go from
> being possible to brute force in minutes or hours to requiring
> years. For example, look at distributed.net's attempts
> (http://stats.distributed.net/). It would be an interesting
> challenge to construct a scenario with a given rate versus a
> particular key space that would be unlikely to crack in x days, but
> probable to crack in y days. That would be a narrow construct with
> issues, but I'd be interested to see any math that has been worked
> out on this.
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> Information Security
> Pima Community College
> Office: 520-206-4873
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin,
> Kevin (mclaugkl)
> Sent: Monday, April 13, 2009 3:15 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Complexity and Aging
>
> The reason is to minimize the effectiveness of Brute Force Attacks.
>
> Maybe if our electric companies had seen the value they wouldn't
> have had foriegn agents install root-kits across most of their
> systems.
>
> Respectfully,
> -Kevin
>
> Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
> Assistant Vice President, Information Security & Special Projects
> University of Cincinnati
> 513-556-9177
>
> ________________________________________
> From: The EDUCAUSE Security Constituent Group Listserv
> [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karl Heins
> [Karl.Heins () OIST UCSB EDU]
> Sent: Monday, April 13, 2009 5:13 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Complexity and Aging
> Several years ago our external auditors (PWC) made a recommendation to
> change the password aging from 90 to 60 days at one campus and also made a
> recommendation to change the password aging from 60 to 30 days at another
> campus.  The CIO asked me what would be the basis for either the 30 or 60
> days.  This started my interest in this topic.  With over 20 years of IT
> audit experience, including 10 years at a large CPA firm (3 years in the
> national office), and after spending some time on the topic, I was unable
> to identify a good basis for either the 30, 60 or any number of days.  So,
> working with the System wide UC CIO, we looked into our experiences with
> the password aging. With hundreds of systems and many problems with our
> combined experience, we were not able to find a single actual case where
> just aging out a password would have made a difference.  I also challenged
> our auditors PWC to show a basis for their recommendations, no factual
> cases where there would have been a change in results.  As a result I see
> little value in changing passwords just because of the passage of time.
>
> Aging passwords seems like good idea, however there appears little factual
> evidence supporting this effort. While my work was antidotal and lacks the
> rigor of good research, it would help if I could point to a single factual
> case where not aging passwords would have prevented a problem. To date, I
> have no such case.
>
> Don't feel that I am soft on controls or passwords, I consider other
> password controls critical to a good internal control system.  I can point
> to plenty of cases where sharing passwords caused a problem.  Problems that
> cost the organization real dollars of loss.
>
> I also feel that strong passwords are important, I feel that passwords
> should be hashed (not saved in the clear), and that anytime a password
> compromised it should be changed. Password be a good, effective,
> inexpensive control if handled properly.
>
> I realize that the password changing process is a part of every auditor,
> regulator and security person's standard checklist.  I am not oppose to
> changing passwords periodically, I just see very little value in changing
> because the passage of time. An I continue to look for that first case
> where aging would have made a difference.
>
> Respectfully and with an open mind
>
> Karl
>
> ------------------------
> Karl Heins
> Chief Information Security Officer
> University of California, Santa Barbara
> Karl.Heins () oist ucsb edu
> (805) 893-8843