Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 14 Apr 2009 14:56:06 +1200

On 11/04/2009, at 7:54 AM, Valdis Kletnieks wrote:

> On Fri, 10 Apr 2009 13:51:17 CDT, Roger Safian said:
>
>> This is basically, IMHO, a religious debate.  There's no right or
>> wrong answer.  Password aging has its uses.  Password length and
>> complexity have their uses as well.  The problem becomes balancing
>> the security needs of your organization against the threats you face.
>
> I have *no* problems with an organization saying "We've thought about
> it, and password aging solves real and actual *current* problem XYZ
> for us" (for example, if you're using that as a proxy for disabling
> unused accounts - which *is* a good thing).  It's all the sites that
> are implementing password aging to solve last century's issues without
> thinking about the *current* issues.

I'm generally not in favour of regular password changes, however as
Roger and Valdis both point out, there are problems that they go some
way to mitigating.  If you don't have something in place to make sure
people's credentials are revoked when they leave, password ageing will
help, albeit after a potentially long time.  Another argument for
password ageing is that it shortens the useful life of credentials
that have been compromised.  There was recently a case that went
through the courts here where an employee was approving false invoices
from her husband's firm -- they got away with it for two years until
they got too greedy.  A key part of the scheme was that the woman had
managed to get a co-worker to reveal her password and used this
account to provide the second approval needed to make the payments.
Had the co-worker been forced to change their password every 90 days
the losses would have been a few hundred dollars rather than several
tens of thousands.

My personal belief is that things like financial approval should be
protected by two factor authentication and that administrative
mechanisms should be in place to disable credentials when folk leave,
thus rendering these arguments for password ageing void.

I do think that everyone should change their password at least once a
year, simply as a way of reminding people that passwords are important
and it also gives a point of contact each year where people can be
directed to new policies that have come into force or ones that have
changed since they last changed their password.

Russell
