Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: "David L. Wasley" <dlwasley () EARTHLINK NET>
Date: Mon, 13 Apr 2009 18:16:04 -0700
NIST has described a mathematical model for estimating the "entropy of passwords." See NIST SP800-63, Rev 1, pgs 86-95. http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63-Rev.%201 A companion Excel spreadsheet implements this model so that you can vary parameters and see their effect on the entropy, according to this model. See http://www.cio.gov/eauthentication/documents/CommonCAP.xls David ----- At 3:52 PM -0700 on 4/13/09, Basgen, Brian wrote:
Hi Kevin, A seemingly small exponential change can make a key space go from being possible to brute force in minutes or hours to requiring years. For example, look at distributed.net's attempts (http://stats.distributed.net/). It would be an interesting challenge to construct a scenario with a given rate versus a particular key space that would be unlikely to crack in x days, but probable to crack in y days. That would be a narrow construct with issues, but I'd be interested to see any math that has been worked out on this. ~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Pima Community College Office: 520-206-4873 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl) Sent: Monday, April 13, 2009 3:15 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Complexity and Aging The reason is to minimize the effectiveness of Brute Force Attacks. Maybe if our electric companies had seen the value they wouldn't have had foriegn agents install root-kits across most of their systems. Respectfully, -Kevin Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified Assistant Vice President, Information Security & Special Projects University of Cincinnati 513-556-9177 ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karl Heins [Karl.Heins () OIST UCSB EDU] Sent: Monday, April 13, 2009 5:13 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Complexity and Aging Several years ago our external auditors (PWC) made a recommendation to change the password aging from 90 to 60 days at one campus and also made a recommendation to change the password aging from 60 to 30 days at another campus. The CIO asked me what would be the basis for either the 30 or 60 days. This started my interest in this topic. With over 20 years of IT audit experience, including 10 years at a large CPA firm (3 years in the national office), and after spending some time on the topic, I was unable to identify a good basis for either the 30, 60 or any number of days. So, working with the System wide UC CIO, we looked into our experiences with the password aging. With hundreds of systems and many problems with our combined experience, we were not able to find a single actual case where just aging out a password would have made a difference. I also challenged our auditors PWC to show a basis for their recommendations, no factual cases where there would have been a change in results. As a result I see little value in changing passwords just because of the passage of time. Aging passwords seems like good idea, however there appears little factual evidence supporting this effort. While my work was antidotal and lacks the rigor of good research, it would help if I could point to a single factual case where not aging passwords would have prevented a problem. To date, I have no such case. Don't feel that I am soft on controls or passwords, I consider other password controls critical to a good internal control system. I can point to plenty of cases where sharing passwords caused a problem. Problems that cost the organization real dollars of loss. I also feel that strong passwords are important, I feel that passwords should be hashed (not saved in the clear), and that anytime a password compromised it should be changed. Password be a good, effective, inexpensive control if handled properly. I realize that the password changing process is a part of every auditor, regulator and security person's standard checklist. I am not oppose to changing passwords periodically, I just see very little value in changing because the passage of time. An I continue to look for that first case where aging would have made a difference. Respectfully and with an open mind Karl ------------------------ Karl Heins Chief Information Security Officer University of California, Santa Barbara Karl.Heins () oist ucsb edu (805) 893-8843
Current thread:
- Re: Password Complexity and Aging, (continued)
- Re: Password Complexity and Aging Basgen, Brian (Apr 13)
- Re: Password Complexity and Aging Gary Dobbins (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Perloff, Jim (Apr 13)
- Re: Password Complexity and Aging Basgen, Brian (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Lucas, Bryan (Apr 13)
- Re: Password Complexity and Aging David L. Wasley (Apr 13)
- Re: Password Complexity and Aging David L. Wasley (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Russell Fulton (Apr 13)
- Re: Password Complexity and Aging Morrow Long (Apr 13)
- Re: Password Complexity and Aging Basgen, Brian (Apr 13)
- Re: Password Complexity and Aging Mike Waller (Apr 13)
- Re: Password Complexity and Aging Chad McDonald (Apr 14)
- Re: Password Complexity and Aging Doug Markiewicz (Apr 14)
- Re: Password Complexity and Aging Dexter Caldwell (Apr 14)
- Re: Password Complexity and Aging Perloff, Jim (Apr 30)
- Re: Password Complexity and Aging Valdis Kletnieks (Apr 30)
(Thread continues...)