Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Fri, 24 Sep 2010 12:43:20 -0500

I agreed with this line of thinking in 199[78], before watching intruders hand-code password-recording trojaned
versions of sshd and ssh on rooted UNIX systems during the course of an investigation.  The code did a nice job of
host/client/account/password capture and logging, which was *way* more efficient than the ad-hoc telnet/pop/ftp packet
sniffers of the day.

In the current environment of rampant keyloggers and man-in-the-browser crimeware, I'm completely over the line of 
thinking that the best way to get credentials is to attack a server's store of them.  I think the bad guys have pretty 
much moved on, as well.

Grudgingly, I come to agreement with the Standard Audit Advice, though not for the reasons it was written in the first 
place.

I see it as a hygienic measure; a way to reap compromised credentials *eventually*, rather than letting them go on
indefinitely, somewhat sooner rather than later for some classes of accountholders.  Given how easy it is to steal
credentials client-side, you may actually force a change before it gets used (due to the size of the pile of booty),
though I certainly wouldn't depend on that.

I don't know whether that puts me on the white or black side of the issue.  :-)

   -jml

Roger Safian <r-safian () NORTHWESTERN EDU> 2010-09-24 09:31 >>>
I'd suggest that password aging should be based on the risk that somebody
could obtain, and crack, the password hashes.  It's not a 
black and white issue, regardless of what the Auditors, Spaf, or I say about
it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, September 24, 2010 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Current Best Practice regarding Password Change
policy

On Fri, 24 Sep 2010 08:28:02 EDT, Barbara Deschapelles said:

We currently require all Students, Faculty and Staff to change
passwords every 90 days and we are enforcing unique passwords (no
repeats). This is a relatively new requirement here and we are getting
a lot of push back on the change.  I'd like to get a feel for what
people accept as current best practice for password change intervals
and other related policies, and also, if it is different than the best
practice, what people are actually doing (if you wish to share that :-)

There's "what everybody is doing because auditors insist" and "what actually
makes sense in today's computing environment".  Make sure to read what Gene
Spafford wrote about it:

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/ 
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/ 

(Anybody want to publicly admit they were able to sell the auditors on what
Spaf said, and managed to eliminate mandatory changes?)
