Educause Security Discussion mailing list archives

Re: Please do not change your password


From: "Koerber, Jeff" <jkoerber () TOWSON EDU>
Date: Fri, 16 Apr 2010 11:34:21 -0400

I agree.  If I can get a list of usernames and know the name of the organization and the password strength policy, I 
could come up with a few likely passwords and try them against every account.  Chances are that I will come across at 
least one account with that password.  The accounts will never get locked out.

If you have a policy where users have to change their password every xx days, then it reduces the amount of time that 
these obvious passwords are in use.


Jeff Koerber
Supervisor, Student Computing Services Lab and Service Desk
Office of Technology Services
Towson University



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Werby
Sent: Thursday, April 15, 2010 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Please do not change your password


On 4/14/2010 10:47 AM, Valdis Kletnieks wrote:
> On Wed, 14 Apr 2010 09:39:06 EDT, "Jones, Dan" said:
>> Strong passwords deter brute-forcing attacks (as does the practice of locking
>> an account after X number of failed login attempts).
>
> Yes, but once the password reaches a not-too-large size, account locking is
> quite sufficient to make brute-forcing impractical.

For a vertical attack, perhaps.  But if your usernames are the left-hand side of your email addresses and the attacker 
can scrape email addresses from the web or enumerate your address book, then perform a horizontal or diagonal attack, 
brute force attacks are *very* practical.  GoHok1es or Bl@cksburg?  And I suspect most universities don't have controls 
to detect or mitigate such attacks.  My guess is that more guessed university passwords involve attacks in which the 
attacker isn't too particular about which accounts he acquires passwords to.

I consider the biggest password related failure of the information security community to be that we demand that users 
memorize their passwords (or alternately "don't write them down").  Sure, we don't want them to attach them to their 
monitor or hide them under their keyboard, but do we really believe there's a significant risk if they're kept in their 
wallet inside their pocket and written down in a way that doesn't clearly reveal them?  Or storing them in an encrypted 
password vault?  We're causing them to re-use passwords (http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/) 
or create passwords that follow a similar format, which puts the systems we're trying to protect at significant risk.

Long + unique + write them down securely

Aging?  I agree there's value in limiting the length of time that an attacker has undetected access.  But in terms of 
mitigating a brute force attack, the math just doesn't support extremely frequent aging.
--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
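A per-source check for the horizontal attack discussed above, where failures are spread across many accounts and no single account ever reaches the lockout threshold. This is an added example, not code from the list or from either author; the log line format, the thresholds and the sample entries are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-like); not taken from any real system.
# 203.0.113.7 tries one guess against 25 accounts (one failure each): the
# horizontal pattern, which never trips a per-account lockout counter.
# 192.0.2.9 hammers a single account (vertical): lockout handles that case.
# 198.51.100.4 is an ordinary user who mistyped a password twice.
SAMPLE_LOG = [
    f"2010-04-15T09:00:{i:02d} sshd: auth failure user=user{i:02d} src=203.0.113.7"
    for i in range(25)
] + [
    f"2010-04-15T09:01:{i:02d} sshd: auth failure user=djones src=192.0.2.9"
    for i in range(12)
] + [
    "2010-04-15T09:02:00 sshd: auth failure user=swerby src=198.51.100.4",
    "2010-04-15T09:02:05 sshd: auth failure user=swerby src=198.51.100.4",
    "2010-04-15T09:02:11 sshd: auth success user=swerby src=198.51.100.4",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: auth (?P<result>failure|success) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Yield (timestamp, user, src) for each failed login; skip unparsable lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("result") == "failure":
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")

def detect_horizontal(lines, window=timedelta(minutes=10), min_accounts=10, lockout_threshold=5):
    """Flag sources whose failures inside one sliding window span many distinct
    accounts while every account stays under the lockout threshold.
    Returns {src: (distinct_accounts, max_failures_per_account)}."""
    by_src = defaultdict(list)
    for ts, user, src in parse(lines):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        recent, per_user = deque(), defaultdict(int)   # state of the current window
        for ts, user in sorted(events):
            recent.append((ts, user))
            per_user[user] += 1
            while ts - recent[0][0] > window:           # expire events older than the window
                old_ts, old_user = recent.popleft()
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
            worst = max(per_user.values())
            if len(per_user) >= min_accounts and worst < lockout_threshold:
                flagged[src] = (len(per_user), worst)
    return flagged
```

Tune `min_accounts` and `window` to your own login volume; a source that legitimately serves many users (a NAT gateway, a webmail front end) needs a higher threshold or an allow-list.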

