Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Wed, 14 Apr 2010 09:58:12 -0500
A rather simplistic answer posted to a Yahoo group, I must admit. We are talking as though this is the only line of defense in the toolbox. And while there are better solutions out there, we see far too many instances where they are not deployed. Which brings us back to the password issue. And frequently, it doesn't take key-loggers or social reconnaissance exercises to extract this information. Remember, the vast majority of attacks occur from within. Executives are notorious for not wanting to change passwords. So, over time, lots of folks gain potential access by simply knowing what the CFO/COO/CEO password is. Not to mention the casual 'password pick-up' by simply listening to folks or even shoulder-surfing (which means folks are very likely not paying attention to their surroundings the way they should).

Security awareness is also crucial to some success here as well. I estimate (based on a lot of years working with all types of clients) that fewer than 7% do a reasonable job at security awareness training. There is no one specific reason for this - I can't say it is due primarily to one thing over another. Corporate 'check-boxing' certainly plays a role in it. Universities have their own unique issues to deal with here, which I won't even attempt to elaborate upon - you know the situation well enough already.

The bottom line remains the fact that regulatory bodies mandate it. The article failed to mention this. The users will be asking 'why' for a while. You folks had better things to do than respond to users on this issue. Chris Null didn't do you any favors.

Paul
========================================
Paul L. Kendall, CGEIT, CHS-III, CISM, CISSP, CSSLP
Accudata Systems, Inc.
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Porter
Sent: Wednesday, April 14, 2010 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

On Wed, 14 Apr 2010, Paul Kendall wrote:
Password changes also stop a practice that was not mentioned here - corporate espionage. If I have an executive or middle management userid and password, I can snoop on the system, steal email and other files, and in general make life interesting. In addition, I can go undetected (if I am careful) for as long as the password is valid. Frequent password changes help stop this practice, which is a lot more common than you might think.
Changing the password accomplishes little unless the method used for obtaining the password is also fixed. If the user responded to a phish, will they fall for it again? If they have a keylogger installed, won't it just log the new password?

Last login and location of login is a valuable tool for combating the above scenario. Login auditing and location checking can also raise security alerts.

In short, there are better ways to deal with this than forcing the user to change their password from Afk04kbg to Afk05kbg once every month.

...

Mike

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware
Paul
========================================
Paul L. Kendall, PhD, CGEIT, CHS-III, CISM, CISSP, CSSLP
Accudata Systems, Inc.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: Wednesday, April 14, 2010 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password

Unlikely that it'll change the audit book. Nor should it, necessarily. The study is really predicated on consumer accounts, and doesn't address duty of care issues for data custodians, among other things. I've rarely seen that mentioned over the last five months' discussion, since the paper was published.

One particularly acute point on this topic is the paper's assertion that financial fraud loses the user nothing. While true for some financial account situations for personal accounts, that is demonstrably not true for US commercial online bank accounts (see Krebsonsecurity.com for many examples), and as I recall isn't true for all personal banking accounts in other countries.

All that said, it's a goodish paper, and we've all known that passwords are horrid for well over a decade, but substantial progress on password replacement is pretty poor, overall.

-jml

-----Original Message-----
From: Justin Sherenco
Sent: 2010-04-14 08:04:59
To: Justin Sherenco;The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: [SECURITY] Please do not change your password

Hello,

I came across an interesting article on password changes. Author Cormac Herley of Microsoft makes a good case, albeit just a cost-benefit analysis. I had to go back and think of why these types of policies were created in the first place. I came to my own conclusion that they were created before the days of complex password (passphrase) enforcement and the ability to automatically lock out accounts after X amount of failed log-in attempts. Do you think he can convince the auditors?
http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security
- Mike Porter PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA 2F D2 37 F3 99 ED D1 C2
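Mike Porter's point above is that "last login and location of login" and location checking give more than forced rotation does against a stolen executive password. The following is an added example (not code from any participant in this thread) of what that check looks like when run over an authentication audit trail: it keeps a per-user baseline of locations seen, reports a new location, and flags "impossible travel" when two consecutive logins are farther apart than any plausible speed allows. The log lines, the IP-to-location table and the 800 km/h threshold are all constructed for the example; a real deployment would read syslog or the IdP's audit log and use a GeoIP database.

```python
"""Login auditing: last-login banner, new-location and impossible-travel alerts.

Added example. SAMPLE_LOG and GEO are constructed test data (TEST-NET addresses
and approximate coordinates), not records from any real system.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed audit trail: "<ISO-8601 UTC timestamp> <user> <source IP>".
SAMPLE_LOG = """\
2010-04-13T08:02:11Z cfo 10.20.1.15
2010-04-13T17:45:02Z cfo 10.20.1.15
2010-04-13T23:10:40Z cfo 203.0.113.77
2010-04-14T11:01:05Z cfo 10.20.1.15
2010-04-14T12:15:00Z alice 192.0.2.8
"""

# Assumed IP -> (latitude, longitude, label). Stand-in for a GeoIP lookup.
GEO = {
    "10.20.1.15": (42.25, -83.62, "campus-MI"),
    "192.0.2.8": (42.25, -83.62, "campus-MI"),
    "203.0.113.77": (50.45, 30.52, "remote-UA"),
}

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 800.0  # assumed ceiling; faster than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_line(line):
    """Split one audit line into (aware UTC datetime, user, ip)."""
    ts, user, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip


def audit(log_text, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Walk the log in order; return (alerts, last_login).

    alerts: list of dicts {user, ts, kind, detail}
    last_login: user -> (ts, ip, label, lat, lon), i.e. what a login banner shows.
    A user's first login only seeds the baseline; it never alerts.
    """
    alerts = []
    last = {}
    seen = {}  # user -> set of location labels already accepted
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = parse_line(line)
        lat, lon, label = geo.get(ip, (None, None, "unknown:" + ip))
        if user in last:
            prev_ts, prev_ip, prev_label, prev_lat, prev_lon = last[user]
            if label not in seen[user]:
                alerts.append({"user": user, "ts": ts, "kind": "new_location",
                               "detail": f"{ip} ({label}); previous {prev_ip} ({prev_label})"})
            if lat is not None and prev_lat is not None:
                km = haversine_km(prev_lat, prev_lon, lat, lon)
                hours = (ts - prev_ts).total_seconds() / 3600.0
                # Zero distance can never be impossible travel; zero/negative time
                # with a non-zero distance always is.
                if km > 0 and (hours <= 0 or km / hours > max_kmh):
                    speed = "inf" if hours <= 0 else f"{km / hours:.0f} km/h"
                    alerts.append({"user": user, "ts": ts, "kind": "impossible_travel",
                                   "detail": f"{km:.0f} km in {hours:.2f} h ({speed})"})
        seen.setdefault(user, set()).add(label)
        last[user] = (ts, ip, label, lat, lon)
    return alerts, last


def last_login_banner(last, user):
    """The 'last login' line a user should be shown at their next logon."""
    if user not in last:
        return f"No previous login recorded for {user}"
    ts, ip, label, _, _ = last[user]
    return f"Last login: {ts:%Y-%m-%d %H:%M:%S} UTC from {ip} ({label})"


if __name__ == "__main__":
    found, state = audit(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']:%Y-%m-%dT%H:%M:%SZ} {a['user']} {a['kind']}: {a['detail']}")
    print(last_login_banner(state, "cfo"))
```

On the constructed sample the cfo's 23:10 login from the remote address raises both a new-location alert and an impossible-travel alert (roughly 7,900 km in under six hours), while the return to campus eleven hours later is below the assumed speed ceiling and passes. This is the kind of signal a rotation policy never produces: the attacker holding the CFO's password is visible at the moment of use, whatever the password's age.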