Firewall Wizards mailing list archives

Re: password aging


From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 21 Aug 1998 12:08:14 -0500

At 05:57 PM 8/18/98 -0400, Adam Shostack wrote:
> Various people assert that it's a good idea to maintain a
> history of user passwords so that they can't change their password to
> a previous password.  However, I'm having trouble finding a reference
> to this in the literature that examines the issue of how many
> passwords to save and why.

Another important reference on this topic is a recent "Dilbert" cartoon in
which the "preventer of information services" demanded Dilbert follow
strong password rules (except that Scott Adams let him off easy with as few
as 6 characters).

I think there's an important point here -- people *hate* this stuff. Don't
establish a regimen that relies on incredibly strong reusable passwords
unless you have a highly security conscious and paranoid user community. In
typical situations you might as well recognize out front that people will
write down hard to guess passwords, especially passwords they don't use
constantly and/or get changed regularly.

If strong authentication is essential and you've got a large and diverse
user community (like a bank) then you're better off with one time password
systems. The down side is that systems with hardware-based tokens
(SmartCard, SecurID, etc.) tend to cost about $100 per seat to install.

Depending on the application you might want to look at authentication based
on public key certificates, and protect them with PINs.

I've been looking at authentication applications a lot recently and it's
interesting that no single technique really fits all applications. Cost and
usability are always essential considerations, and you have to take into
account the potential shortcuts users might take when the system gets in
the way of Real Work.

Rick.
smith () securecomputing com
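The password-history check Adam asks about, as an added example (not code from either poster): the server keeps only salted PBKDF2 hashes of a user's last N passwords and rejects a change to any of them. The history depth of 5, the iteration count and the helper names are assumptions for the illustration, not values from the thread.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5        # assumed policy: remember the last 5 passwords
PBKDF2_ITERATIONS = 50_000  # assumed work factor; tune for your hardware
SALT_LEN = 16


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never holds plaintext
    and identical passwords do not produce identical records."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class PasswordHistory:
    """Ring buffer of (salt, hash) for one user's most recent passwords.

    The current password is the newest entry, so 'was_used' also
    rejects changing the password to itself.
    """

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self._entries = deque(maxlen=depth)  # oldest entry evicted first

    def was_used(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived
        # per entry; compare_digest avoids timing side channels.
        for salt, digest in self._entries:
            if hmac.compare_digest(_derive(candidate, salt), digest):
                return True
        return False

    def record(self, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self._entries.append((salt, _derive(password, salt)))

    def __len__(self) -> int:
        return len(self._entries)


def change_password(history: PasswordHistory, new_password: str) -> bool:
    """Apply the reuse rule. Returns True and records the password if it
    was accepted, False if it matches one of the remembered passwords."""
    if history.was_used(new_password):
        return False
    history.record(new_password)
    return True


def demo() -> list:
    """Constructed walk-through with depth 3: the first password becomes
    acceptable again only after three newer ones have pushed it out."""
    h = PasswordHistory(depth=3)
    results = []
    for pw in ["correct horse", "battery staple", "correct horse",
               "third one", "fourth one", "correct horse"]:
        results.append(change_password(h, pw))
    return results  # [True, True, False, True, True, True]


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy you: it blocks literal reuse, but a user who cycles "summer1", "summer2", "summer3" passes every check, which is exactly the shortcut-taking Rick warns about. Pair the history with a minimum password age (so the user cannot burn through N changes in one sitting) and keep the stored entries as short-lived as the policy allows, since each one is another hash an attacker can crack offline.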
