Re: Please do not change your password

[Justin Sherenco <jsherenco () EMICH EDU>]

Understandably the paper is geared toward consumer accounts.  However, now
that this has hit mainstream media how soon do you think our user
community will through this back at us (faculty love NPR)?  In a way it
does apply to us after all our students could be considered a consumer.
We offer them e-mail as well as a big mix of self-service features.

My original statement about the creation of password expiration
policies/standards still stand (I think).  Originally they were created to
help mitigate brute force or sniffing (passwords transmitted in clear
text) attacks.  In the past year I have seen two instance of brute force
attacks that were successful.  It was because the administrators were not
enforcing password or failed log in attempt standards.  So the traditional
password cracking technique are still used and successfully if not
mitigated.

> From an intuitional aspect a good deal of the malware we've been fighting
on campus has some type of key logging aspect to it.  In most cases the
user isn't even aware that their machine is infected until we tell them
(we know through IDS, Virus consol, but mostly through traffic analysis).
If we didn't tell the user they would be waiting until the next time their
password expires.  So I tend to agree that expiring passwords every
30,60,90 days is not doing much to protect the user or our data.



Regards,
Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Easten Michigan University
http://it.emich.edu/security


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Porter
Sent: Wednesday, April 14, 2010 10:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

On Wed, 14 Apr 2010, Doty, Timothy T. wrote:

> You say that passwords are no longer cracked? Then read up on the
compromise
> the Apache folks had where the database of (unsalted) hashed passwords
was
> obtained by the hackers. That is only a single case, but it is very
recent
> and IMO very relevant. Those 8-char passwords are little better than
plain
> text in such a situation.

An unsalted password is not a good choice and does not prove
anything with regard to the current discussion.  And in any case, it
is well understood that access to the hashed passwords can easily
lead to a compromise.  While longer passwords are harder to crack,
once you have the hashes, it really becomes a matter of how much
money you can afford to throw at the problem - or how many bots you
have that you can set to chewing on the problem.

So, yes, getting access to the hashed passwords is a gold mine, but
most compromises are phishes, other forms of social engineering, or
keyloggers installed via socially engineering viruses (ohhh!  I have
a package, must install this .exe to find out about it), or hacked
websites.

A few weeks ago, the website for a local paper was hacked.  It is
the sort of paper that most local politicians or their assistants
would read.  If they had unpatched systems, many of the local
politicians could have had their passwords stolen and access to
their email be had by those who wanted it.  This could have made for
a nice package of information for someone willing to pay for it and
make use of it locally.  However, most likely the accounts were just
harvested for spam and credit card info.  But, in any case, password
length and lifetime does not figure into equation very well.

> If the bad guys "just worked around" passwords why would they care to
obtain
> a hash list? The argument is short sighted and misses the value of
defense
> in depth.

Mike

Mike Porter
Systems Programer V
IT/NSS
University of Delaware

> Tim Doty
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
> > Sent: Wednesday, April 14, 2010 8:43 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Please do not change your password
> >
> > Have there been any studies recently that have identified the net
> > effects of "long passwords" or passphrases?....or complex passwords?
> > Before coming to higher ed, I came from the "sensitive" Fed sector -
> > and they used 8-char passwords that were generated for you -
> > upper/lower case, and one number, (and they used a cool little routine
> > in the password generator that made the passwords "pseudo-
> > pronounceable" so that they were easier to remember.)
> >
> > I also remember asking why they weren't required to use passwords that
> > were longer, more complex, etc - and the answer was: "Passwords keep
> > honest people honest - the vast majority (if not all) of compromised
> > accounts have not come about by the way of 'cracked passwords' - they
> > have come about by the capturing or surrendering of legitimate
> > passwords.  Captured through malware or bogus websites - Surrendered
> > through phishing or social engineering means."  I was skeptical until I
> > started doing some research on my own - and I couldn't find more than
> > 1-2 obscure instances where a password was actually 'cracked' - most
> > were cases where passwords were immaterial, and the system was
> > compromised by "going around the password" altogether.
> >
> > So - this does beg the question - even though longer passwords are
> > theoretically harder to "crack", who cares....the bad guys are just
> > going to go around them anyway....?
> >
> > Thoughts?  And thanks for the discussion....
> >
> > Michael
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
> > Sent: Wednesday, April 14, 2010 7:27 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Please do not change your password
> >
> > Unlikely that it'll change the audit book.
> >
> > Nor should it, necessarily.  The study is really predicated on consumer
> > accounts, and doesn't address duty of care issues for data custodians,
> > among other things.  I've rarely seen that mentioned over the last five
> > months' discussion, since the paper was published.
> >
> > One particularly acute point on this topic is the paper's assertion
> > that financial fraud loses the use nothing.  While true for some
> > financial accounts situations for personal accounts, that is
> > demonstrably not true for US commercial online bank accounts (see
> > Krebsonsecurity.com for many examples), and as I recall isn't true for
> > all personal banking accounts in other countries.
> >
> > All that said, it's a goodish paper, and we've all known that passwords
> > are horrid for well over a decade, but substantial progress on password
> > replacement is pretty poor, overall.
> >
> >     -jml
> >
> >
> > -----Original Message-----
> > From: Justin Sherenco
> > Sent: 2010-04-14 08:04:59
> > To: Justin Sherenco;The EDUCAUSE Security Constituent Group Listserv
> > Cc:
> > Subject: [SECURITY] Please do not change your password
> >
> >
> > Hello,
> >
> > I came across an interesting article on password changes.  Author
> > Cormac
> > Herley of Microsoft makes a good case albeit just a cost-benefit
> > analysis.
> > I had to go back and think of why these types of policies were created
> > in
> > the first place.  I came to my own conclusion that they were created
> > before the days of complex password (passphrase) enforcement and the
> > ability to automatically lock out accounts after X amount of failed
> > log-in
> > attempts.
> >
> >
> >
> > Do you think he can convince the auditors?
> >
> >
> >
> >
> >
> >
> > <http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_
> > not
> > _change_your_password/?page=full>
> > http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_n
> > ot_
> > change_your_password/?page=full
> >
> >
> >
> > Regards,
> >
> > Justin
> >
> >
> >
> >
> >
> > -------------------------------------
> >
> > Justin Sherenco
> >
> > Security Analyst
> >
> > 734-487-8574
> >
> > Easten Michigan University
> >
> > http://it.emich.edu/security
> >
> >
> >
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.

-
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2