Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Wed, 14 Apr 2010 08:34:33 -0500

How many 'magic bullets' have we seen come down the line over the years that would 'do away with passwords'?

The severe limitations of the paper will of course be lost on the average user, who will turn up the noise factor for a 
while. Just what you needed.

"SOX, PCI, and other regulatory requirements mandate frequent password changes. If your company is obligated under a 
federal or industry regulatory practice, they have to comply. Therefore, those of you who are complaining about 
increased password changes should realize that the IT department probably did not think it up on its own; regulatory 
mandate required it.

Password changes also stop a practice that was not mentioned here - corporate espionage. If I have an executive or 
middle management userid and password, I can snoop on the system, steal email and other files, and in general make life 
interesting. In addition, I can go undetected (if I am careful) for as long as the password is valid. Frequent password 
changes help stop this practice, which is a lot more common than you might think.

This study is generally useless, since it does not appear to have looked at more than a limited stratum of password 
issues. Thanks a lot Chris Null. IT people have it hard enough right now as it is. This article will add to their 
grief, and in most cases, they cannot do anything about it because they live under regulatory mandate. You could have 
at least mentioned that." (My Yahoo comment on the article this morning...)

Paul
========================================
Paul L. Kendall, PhD, CGEIT, CHS-III, CISM, CISSP, CSSLP
Accudata Systems, Inc.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: Wednesday, April 14, 2010 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Unlikely that it'll change the audit book.

Nor should it, necessarily.  The study is really predicated on consumer accounts, and doesn't address duty of care 
issues for data custodians, among other things.  I've rarely seen that mentioned over the last five months' discussion, 
since the paper was published.

One particularly acute point on this topic is the paper's assertion that financial fraud loses the user nothing.  While 
true in some situations for personal financial accounts, that is demonstrably not true for US commercial 
online bank accounts (see Krebsonsecurity.com for many examples), and as I recall isn't true for all personal banking 
accounts in other countries.

All that said, it's a goodish paper, and we've all known that passwords are horrid for well over a decade, but 
substantial progress on password replacement is pretty poor, overall.

    -jml


-----Original Message-----
From: Justin Sherenco
Sent: 2010-04-14 08:04:59
To: Justin Sherenco;The EDUCAUSE Security Constituent Group Listserv
Cc: 
Subject: [SECURITY] Please do not change your password


Hello,

I came across an interesting article on password changes.  Author Cormac
Herley of Microsoft makes a good case, albeit just a cost-benefit analysis.
I had to go back and think of why these types of policies were created in
the first place.  I came to my own conclusion that they were created
before the days of complex password (passphrase) enforcement and the
ability to automatically lock out accounts after X failed log-in
attempts.


Do you think he can convince the auditors?  

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full


Regards,

Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security
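Justin's message names automatic lockout after X failed log-in attempts as one of the controls that changed the calculus behind expiry policies. As an added example (not code from the original thread, nor from any product or paper it mentions), the Python below implements a sliding-window lockout tracker and a function that bounds how many online guesses one attacker can make against one account during a password's lifetime under such a policy. The threshold, window, lockout duration and 90-day lifetime are assumed values chosen for illustration.

```python
"""Sliding-window account lockout, plus the online-guess budget it implies.

Added example; not code from the mailing-list thread or any system named in it.
All policy numbers below are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failures tolerated inside the window (assumed)
    window_seconds: int = 900    # sliding window for counting failures, 15 min (assumed)
    lockout_seconds: int = 1800  # how long the account stays locked, 30 min (assumed)


class LockoutTracker:
    """Tracks failed log-ins per user and locks the account at the threshold."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time at which the lock expires

    def _prune(self, user: str, now: float) -> None:
        # Drop failures that have aged out of the sliding window.
        q = self._failures[user]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and start the failure count fresh.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one log-in attempt; returns 'locked', 'ok' or 'fail'.

        While locked, even a correct password is refused and is not counted,
        so an attacker gets no feedback and a legitimate user sees the lock.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures[user].clear()   # success resets the failure count
            return "ok"
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.policy.max_failures:
            self._locked_until[user] = now + self.policy.lockout_seconds
            return "locked"
        return "fail"


def online_guesses_per_lifetime(policy: LockoutPolicy, lifetime_seconds: int) -> int:
    """Upper bound on online guesses against one account before its password rotates.

    Assumes the attacker fires max_failures guesses the instant each lock expires,
    so bursts occur at t = 0, lockout, 2*lockout, ... up to the lifetime.
    """
    bursts = lifetime_seconds // policy.lockout_seconds + 1
    return bursts * policy.max_failures


if __name__ == "__main__":
    # Constructed timeline (seconds): three failures, a correct password
    # during the lock, success after expiry, then failures spread past the window.
    tracker = LockoutTracker(LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120))
    for t, ok in [(0, False), (10, False), (20, False), (30, True), (140, True),
                  (200, False), (210, False), (300, False)]:
        print(t, tracker.attempt("alice", ok, t))
    print(online_guesses_per_lifetime(LockoutPolicy(), 90 * 86400))
```

The bound only limits online guessing: with 5 tries per 30-minute lock and a 90-day password lifetime it comes to roughly 21,600 guesses per account, which is what the expiry interval caps. It says nothing about the scenario Paul describes, where the attacker already holds a valid credential and makes no failed attempts at all; there, only the rotation interval (or detection) ends the access. Note also that a lockout is itself a denial-of-service lever, since anyone who can submit wrong passwords for a known user ID can keep that user out, which is why the tracker refuses rather than counts attempts while locked.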