Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Jacob Steelsmith <jsteelsmith () EVERETTCC EDU>
Date: Wed, 14 Apr 2010 09:26:03 -0700

This is an interesting article, as well as an interesting discussion. The article seems to deal with one or two fairly 
specific areas of concern, but applies its conclusion to the entire area of IT security. The author fails to recognize 
that there is a difference between security for a website that requires a login and an enterprise-level infrastructure 
requiring secure access. Security is certainly not dependent on one policy or procedure, but is the result of all 
policy. 

We experienced a security breach which highlighted several failures in policy, all pertaining to different aspects of 
security. An administrative password was obtained through an open share, which was used to gain access to the computer 
of a staff member who had a password-protected spreadsheet that contained other passwords. The security on the 
spreadsheet was quickly dispensed with and older administrative accounts were used to access servers. The compromise 
was quickly mitigated at that point. 

There were obviously several serious security breaches in this incident, and some critical failings of policy. However, 
access to the servers could have been mitigated had there been a policy in place that forced password changes. Forcing 
a password change does not stop all security threats, such as malware, social engineering, or users posting their 
passwords on their monitors. Those threats need to be mitigated through other policy such as anti-virus, controlling 
user rights, and training.

However, forcing a password change, as mentioned in this discussion, can mitigate specific instances such as an 
individual consistently gaining "silent" access to another user's personal files or email, or, as mentioned, an 
ill-placed password repository containing the passwords of older active administrator accounts. Is forcing a password 
change the only defense? No. Could other security measures and policies have stopped the aforementioned security 
breach? Absolutely. Is the fact that one policy is not enough to stop all breaches enough to warrant the dissolution of 
that policy? Of course it isn't. 

Anti-virus is costly and can be time-consuming to install and maintain; it slows a user's computer and probably costs 
the user in time. However, it doesn't always stop all malware, especially new malware, does little for internal 
security, and may not stop attacks such as XSS. However, no security professional or researcher, especially from 
Microsoft, would recommend doing away with anti-virus.

Complex password requirements keep users from using passwords that are easily guessed by scripts such as "apples" or 
their user name. Forcing a password change mitigates some threats, and running anti-virus mitigates others. Training 
and enforced personnel policy are very important in containing the social engineering set of threats. Log and 
traffic monitoring, alerting, and manual inspection are also very important. 

No one measure will stop all security threats and all security costs users in time and convenience. In my opinion, this 
is not enough of a reason to do away with security measures, especially in an enterprise environment.

Jacob Steelsmith
Information Technology
Everett Community College
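
The controls Jacob lists (rejecting passwords built from the user name or a dictionary word, and rotating or retiring the 
older administrative accounts that the leaked spreadsheet exposed) are simple enough to express as checks. The script 
below is an added example written for this archive page, not code from either poster or from their institutions; the 
thresholds (12-character minimum, 90-day maximum password age, 60-day dormancy window), the tiny word list and the 
sample accounts are all constructed assumptions chosen to exercise the rules.

```python
"""Two checks for the controls discussed in the thread.

check_password_policy() rejects candidates derived from the user name or a
dictionary word; audit_accounts() flags enabled accounts whose password is
older than policy or that have gone dormant, and escalates when the account
is administrative.  Word list, thresholds and accounts are constructed
sample data for this example only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import re

# Constructed mini word list; a real deployment would load a proper dictionary.
COMMON_WORDS = {"apples", "password", "welcome", "letmein", "summer2010"}


def check_password_policy(password: str, username: str, min_length: int = 12) -> List[str]:
    """Return the rules a candidate password violates (empty list means accepted)."""
    problems = []
    low = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username.lower() in low:
        problems.append("contains the user name")
    # Strip digits and punctuation so "apples123!" is still caught as a word.
    core = re.sub(r"[^a-z]", "", low)
    if low in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("is a common dictionary word")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


@dataclass
class Account:
    name: str
    is_admin: bool
    enabled: bool
    last_password_change: date
    last_login: Optional[date]  # None means the account has never logged in


def audit_accounts(accounts: List[Account], today: date,
                   max_password_age: int = 90, dormant_after: int = 60) -> Dict[str, List[str]]:
    """Map account name -> issues for enabled accounts that breach the rotation or dormancy rule."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to rotate
        issues = []
        age = (today - acct.last_password_change).days
        if age > max_password_age:
            issues.append(f"password {age} days old (limit {max_password_age})")
        if acct.last_login is None or (today - acct.last_login).days > dormant_after:
            issues.append(f"dormant: no login in the last {dormant_after} days")
        if issues and acct.is_admin:
            issues.append("administrative account: disable or rotate immediately")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample directory as of the date of this thread.
TODAY = date(2010, 4, 14)
SAMPLE_ACCOUNTS = [
    Account("svc-backup-old", True, True, date(2008, 11, 3), date(2009, 6, 1)),
    Account("jsmith", False, True, date(2010, 3, 20), date(2010, 4, 13)),
    Account("admin-legacy", True, False, date(2007, 1, 15), None),
    Account("helpdesk", False, True, date(2009, 12, 1), date(2010, 4, 12)),
]

if __name__ == "__main__":
    for pw in ("apples", "Jsmith2010!!xyz", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password_policy(pw, "jsmith") or "accepted")
    for name, issues in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(name, "->", "; ".join(issues))
```

The disabled "admin-legacy" account is skipped on purpose: the audit is about accounts that can still authenticate, 
which is what the old administrative accounts in the spreadsheet were.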




Justin Sherenco <jsherenco () EMICH EDU> 4/14/2010 6:04 AM >>> 
Hello,

I came across an interesting article on password changes.  Author Cormac
Herley of Microsoft makes a good case, albeit just a cost-benefit analysis.
I had to go back and think of why these types of policies were created in
the first place.  I came to my own conclusion that they were created
before the days of complex password (passphrase) enforcement and the
ability to automatically lock out accounts after X failed log-in
attempts. 


Do you think he can convince the auditors?  

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full


Regards,

Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security

