Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Jacob Steelsmith <jsteelsmith () EVERETTCC EDU>
Date: Wed, 14 Apr 2010 09:26:03 -0700
This is an interesting article, as well as an interesting discussion. The article seems to deal with one or two fairly specific areas of concern, but applies the conclusion to the entire area of IT security. The author fails to recognize that there is a difference between security for a website that requires a login and an enterprise-level infrastructure requiring secure access. Security is certainly not dependent on one policy or procedure, but is the result of all policy.

We experienced a security breach which highlighted several failures in policy, all pertaining to different aspects of security. An administrative password was obtained through an open share, which was used to gain access to the computer of a staff member who had a password-protected spreadsheet that contained other passwords. The security on the spreadsheet was quickly dispensed with and older administrative accounts were used to access servers. The compromise was quickly mitigated at that point. There were obviously several serious security breaches in this incident, and some critical failings of policy. However, access to the servers could have been mitigated had there been a policy in place that forced password changes.

Forcing a password change does not stop all security threats, such as malware, social engineering, or users posting their passwords on their monitors. Those threats need to be mitigated through other policy such as anti-virus, controlling user rights, and training. However, forcing a password change, as mentioned in this discussion, can mitigate specific instances such as an individual consistently gaining "silent" access to another user's personal files or email, or, as mentioned, an ill-placed password repository containing the passwords of older, still-active administrator accounts. Is forcing a password change the only defense? No. Could other security measures and policies have stopped the aforementioned security breach? Absolutely.

Is the fact that one policy is not enough to stop all breaches enough to warrant the dissolution of that policy? Of course it isn't. Anti-virus is costly and can be time consuming to install and maintain; it slows a user's computer and probably costs the user in time. It doesn't always stop all malware, especially new malware, does little for internal security, and may not stop attacks such as XSS. However, no security professional or researcher, especially from Microsoft, would recommend doing away with anti-virus. Complex password requirements keep users from using passwords that are easily guessed by scripts, such as "apples" or their user name. Forcing a password change mitigates some threats, and running anti-virus mitigates others. Training and enforced personnel policy are very important in containing the social engineering set of threats. Log and traffic monitoring, alerting, and manual inspection are also very important. No one measure will stop all security threats, and all security costs users in time and convenience. In my opinion, this is not enough of a reason to do away with security measures, especially in an enterprise environment.

Jacob Steelsmith
Information Technology
Everett Community College
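The incident above turned on two things an expiry policy is meant to catch: administrator passwords that had not changed since they were written into a spreadsheet, and "older" administrator accounts that were still enabled and usable. The following audit is an added example, not code from the thread or from Everett Community College. It assumes a directory export has already been flattened into records with the fields shown (account name, enabled flag, admin group membership, password-last-set time, last logon time); the records, the 90-day maximum password age, and the 60-day dormancy threshold are all constructed for illustration.

```python
"""Flag enabled administrator accounts whose passwords are older than the
maximum age, or that have not been used recently enough to still be needed.

Added example; the thresholds and the account records are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy: admin passwords rotate every 90 days
DORMANT_AFTER_DAYS = 60      # assumed: an admin account unused for 60 days is suspect


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    is_admin: bool
    pwd_last_set: datetime
    last_logon: Optional[datetime]   # None means the account has never logged on


Finding = Tuple[str, str, Optional[int]]   # (account, reason, age in days)


def audit(accounts: List[Account], now: datetime) -> List[Finding]:
    """Return findings for enabled admin accounts only.

    A disabled account cannot be used with a leaked password, and a
    non-admin account is outside the scope of this check, so both are skipped.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not (acct.enabled and acct.is_admin):
            continue

        pwd_age = (now - acct.pwd_last_set).days
        if pwd_age > MAX_PASSWORD_AGE_DAYS:
            # Any copy of this password made before the last change is still good.
            findings.append((acct.name, "stale_password", pwd_age))

        if acct.last_logon is None:
            findings.append((acct.name, "never_logged_on", None))
        else:
            idle = (now - acct.last_logon).days
            if idle > DORMANT_AFTER_DAYS:
                # Nobody is using it, but an attacker with the password still could.
                findings.append((acct.name, "dormant", idle))
    return findings


def run_audit() -> List[Finding]:
    """Run the audit over a constructed directory export (not real accounts)."""
    now = datetime(2010, 4, 14)
    sample = [
        # Old service admin: password unchanged for years, nobody has used it lately.
        Account("svc_backup_old", True, True, datetime(2008, 1, 10), datetime(2009, 2, 1)),
        # Current admin rotating on schedule and actively logging on.
        Account("jdoe_admin", True, True, datetime(2010, 2, 20), datetime(2010, 4, 13)),
        # Disabled former admin: harmless even if its password leaked.
        Account("helpdesk2", False, True, datetime(2007, 6, 1), datetime(2008, 1, 1)),
        # Ordinary user: not in scope for this check.
        Account("user1", True, False, datetime(2009, 1, 1), datetime(2010, 4, 14)),
        # Active admin whose password is overdue for rotation.
        Account("dba_admin", True, True, datetime(2009, 12, 1), datetime(2010, 4, 10)),
    ]
    return audit(sample, now)


if __name__ == "__main__":
    for name, reason, days in run_audit():
        print(f"{name:16} {reason:16} {'' if days is None else days} days")
```

With these thresholds the sample yields three findings: `svc_backup_old` is both stale and dormant, `dba_admin` is stale but in use, and the disabled and non-admin accounts are not reported. In practice the enabled-and-dormant case is the one that most resembles the "older administrative accounts" in the incident, and the fix is to disable or remove the account rather than merely rotate its password.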
>>> Justin Sherenco <jsherenco () EMICH EDU> 4/14/2010 6:04 AM >>>
Hello, I came across an interesting article on password changes. Author Cormac Herley of Microsoft makes a good case, albeit just a cost-benefit analysis. I had to go back and think of why these types of policies were created in the first place. I came to my own conclusion that they were created before the days of complex password (passphrase) enforcement and the ability to automatically lock out accounts after X failed log-in attempts. Do you think he can convince the auditors?

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin

-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security