Firewall Wizards mailing list archives

RE: password aging


From: "KirkAdams" <Kirk-Adams () email msn com>
Date: Sun, 30 Aug 1998 00:19:02 -0400

Well.. my old days might help on this one. Here's my $0.02 and I TOTALLY
agree with the gentlemen on the CC line,

OLD RULES,

1) Maintain a password listing of six prior passwords. Do not allow
personnel to use the same password for more than 30 days or any password on
the list.
*This implies that a password must be at least 7 months old to be recycled.*

2) Ensure passwords do not consist of birthdays or names or initials or
combinations thereof.

3) Passwords may not be written down.

4) etc.. etc..

        Right...  good luck!!

That said.. here's my advice..

First, carefully evaluate your information security need. What needs
protecting? Who needs access? How much are you willing to spend in time and
money to protect it?

Second, NO ONE picks a hard to remember password. This automatically reduces
or eliminates their value. Therefore assign passwords.

Third, a password works best (against casual hacking) if it is cryptic, i.e.
case-sensitive upper/lower and letter/number combinations of at least 10
characters. However.. these are too long for most people to remember and so
get written down. If it's written down you've broken a major security rule
and it's likely other people will (at some point) read the password.
Therefore, you must keep them at about 6 chars (do not include symbols) and
INSIST that a written password is grounds for serious consequences, even
termination.

Fourth, if you change passwords every 30 days they'll be written down again.
BUT, a password in use for more than 30 days gives anyone trying to hack
their way into a system more time to work with the same password.. so you
must compromise. If you assign a new password every 75 days this gives you
about 5 passwords a year and still keeps the troops from getting sloppy.

Fifth, you must implement a password attempt tracking system. Keep log files
and lock out accounts after 3 wrong password attempts. Monitor for unusual
activity.

The above requires A LOT of work to maintain so make sure you evaluate the
need for tight security before implementing a system that consumes lots of
time. If you do implement.. make sure you support it with sufficient staff.
Without maintenance the system will quickly break down again. For increased
security you can just increase the # of chars in password or decrease the #
of days the password is valid.

The maximum security this provides is relative to the fact that it is
"password" based. For greater security implement software encryption. For
still GREATER security implement hardware encryption.

Good luck,

Kirk Adams


-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]On Behalf Of Adam Shostack
Sent: Tuesday, August 18, 1998 5:57 PM
To: firewall-wizards () nfr net
Subject: password aging


      Various people assert that it's a good idea to maintain a
history of user passwords so that they can't change their password to
a previous password.  However, I'm having trouble finding a reference
to this in the literature that examines the issue of how many
passwords to save and why.  The lime green book (password management)
says not to let the user use their previous password, but doesn't go
into storing a history.

      Does anyone know of a paper on, or that discusses, this topic,
and how or why to pick various values of N?

Adam

-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]On Behalf Of Paul McNabb
Sent: Friday, August 28, 1998 12:13 PM
To: steve () aztech net
Cc: firewall-wizards () nfr net
Subject: Re: password aging


But this doesn't work either.  You have to assume that your users
have an idea of what a "well formed password" is.  If they don't,
I suspect you'll have a lot of unhappy users who struggle with
finding an acceptable password.  Certainly an attacker will know
or can find out what is well formed.  If a password is rejected
it will be fairly easy to determine why.
*SNIP*
paul

 From steve () aztech net  Fri Aug 28 09:49:49 1998

 System-wide password histories shouldn't be used unless
 you are also doing dictionary/pattern checks.  Given those
 constraints, and the soundex + hashing that I mentioned in
 my previous message, it will be difficult for an end-user to
 determine exactly why their new password choice was
 rejected by the system. Your example of "sleepy7" could
 have been rejected at any stage of the "sanity checks".
 The specific reason for rejecting the new password should
 not be reported to the user, they only need to be told that
 the new password is probably weak.

*SNIP*
 >
 > The moral?  NEVER, NEVER, NEVER USE SYSTEM WIDE PASSWORD HISTORIES!!

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
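Kirk's rules 1 and "Fifth" above (six prior passwords remembered, no change within 30 days, lockout after three wrong attempts) and Steve's point that the specific rejection reason stays internal, as an added illustration that is not part of any message in this thread. The `Account` class, its constructed sample passwords and the caller-supplied clock are assumptions for the demo; the history stores salted PBKDF2 digests rather than the old passwords themselves.

```python
import hashlib
import hmac
import os
HISTORY_DEPTH = 6       # six prior passwords are remembered (rule 1)
MIN_AGE = 30 * 86400    # a password stays in use at least 30 days
MAX_FAILED = 3          # lock after three wrong attempts (rule five)

def _digest(password, salt):
    # Salted PBKDF2 so the history never holds old passwords in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, now):
        self.history = []      # (salt, digest), oldest first; last entry is current
        self.changed_at = now  # seconds; supplied by the caller in this example
        self.failed = 0
        self.locked = False
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-(HISTORY_DEPTH + 1):]  # current + six prior

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def login(self, password):
        if self.locked:
            return False
        if self._matches(password, self.history[-1]):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.locked = True  # an administrator must unlock
        return False

    def change_password(self, old, new, now):
        """Return None on success, else an internal reason (for logs, not the user)."""
        if self.locked or not self._matches(old, self.history[-1]):
            return "authentication failed"
        if now - self.changed_at < MIN_AGE:
            return "too young"
        if any(self._matches(new, e) for e in self.history):
            return "reused"
        self._store(new)
        self.changed_at = now
        return None
```

With seven entries (current plus six prior) and a 30-day minimum age, a password can only come back after about seven months, which is the arithmetic behind Kirk's note under rule 1.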