Firewall Wizards mailing list archives

Re: password aging


From: Paul McNabb <mcnabb () argus-systems com>
Date: Mon, 31 Aug 1998 10:43:19 -0500 (CDT)

 From: "Stephen P. Gibbons" <steve () aztech net>
 
 Respectfully, I don't think you've read a word that I've written.

Respectfully, I read everything several times before writing a response.

The bottom line of all of this is the following:

It is absolutely, positively guaranteed that any serious attacker over
the age of 12 will be able to determine whether the password is failing
the complex checks (yes, I'm VERY familiar with ALL you have mentioned)
or if he has stumbled across someone's old or current password.

Any argument to the contrary is an appeal to the entirely discredited
"security through obscurity" arguments that are occasionally raised
by novices in the security field.

And yes, most users have patterns to their password selections, and
knowing one or more can reduce the password namespace dramatically.
For example, do you often add digits to the end of your passwords?
the beginning? punctuation at the end? swap syllables? use initial
or final upper case letters?  People DO use patterns when selecting
passwords.  And if you want to try to limit that, you might as well
use a password generation program and enforce a large and random
password namespace.  It seems it would be better to spend your time
making a password generator that made easy-to-remember-yet-complex
passwords.

All of your fancy checks for "weak" passwords are wonderful!  They
are meaningful!  They are good!  They should be used!

However, they should be used ONLY for checking passwords against a
dictionary or the user's own password history, never against other
users' passwords!

ANY MECHANISM THAT YOU PROVIDE THAT REVEALS INFORMATION ABOUT ANOTHER
USER'S PASSWORD CHOICES IS A SECURITY HOLE!!

System wide password histories can never, never, under any circumstances
provide any level of additional security!!  The one exception is if your
users are telling each other their passwords and using that information
when changing their own passwords -- a situation that is so bad that no
system-wide password history mechanism could hope to provide much help.

The instant you install a system-wide password history mechanism, your
system is less secure than it was.

Stephen may not be able to accept this, but I hope that other security
folks on this list avoid system-wide password histories like they would
three day old roadkill.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
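A worked illustration of the distinction drawn in the message above, added here as an example and not code from the original thread: a per-user history check (dictionary plus the user's own prior passwords) beside a system-wide history check whose rejection tells the requester that the candidate is, or was, some other account's password. The word list, user names and passwords are constructed.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed word list standing in for a real dictionary check.
DICTIONARY = {"password", "letmein", "welcome1"}

Entry = Tuple[bytes, bytes]  # (salt, pbkdf2 hash); histories never hold plaintext


def hash_pw(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def in_history(candidate: str, history: List[Entry]) -> bool:
    """True if the candidate re-hashes to any stored (salt, hash) entry."""
    return any(hash_pw(candidate, salt) == h for salt, h in history)


class PerUserHistory:
    """Rejects only dictionary words and the requesting user's own past passwords."""

    def __init__(self) -> None:
        self.history: Dict[str, List[Entry]] = {}

    def check(self, user: str, candidate: str) -> str:
        if candidate.lower() in DICTIONARY:
            return "rejected: dictionary word"
        if in_history(candidate, self.history.get(user, [])):
            return "rejected: reused"
        return "accepted"

    def set_password(self, user: str, candidate: str) -> str:
        verdict = self.check(user, candidate)
        if verdict == "accepted":
            salt = os.urandom(16)
            self.history.setdefault(user, []).append((salt, hash_pw(candidate, salt)))
        return verdict


class SystemWideHistory(PerUserHistory):
    """Same store, but compares against every user's history. A 'reused' verdict
    for a password the requester never used reveals another account's choice."""

    def check(self, user: str, candidate: str) -> str:
        if candidate.lower() in DICTIONARY:
            return "rejected: dictionary word"
        if any(in_history(candidate, h) for h in self.history.values()):
            return "rejected: reused"
        return "accepted"
```

With the per-user policy, bob's check of a password alice happens to use simply returns "accepted"; with the system-wide policy the same check returns "rejected: reused", which is the information disclosure the message objects to.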
