Firewall Wizards mailing list archives

RE: password aging


From: Rick Smith <rick_smith () securecomputing com>
Date: Mon, 31 Aug 1998 11:26:43 -0500

At 12:19 AM 8/30/98 -0400, KirkAdams wrote:

> First, carefully evaluate your information security need. What needs
> protecting? Who needs access? How much are you willing to spend in time and
> money to protect it?

Yes, yes.

> Second, NO ONE picks a hard-to-remember password. This automatically reduces
> or eliminates their value. Therefore assign passwords.

Easy to guess passwords are less of a problem in an environment where you
can detect password guessing. They lose the most in situations where you
can't detect password guessing (i.e. downloaded Unix password file) if the
password is the only thing protecting the system from serious threats. For
example, if the system is a private LAN and remote login isn't possible,
then easy to guess passwords are less of a concern. Safe combinations and
PINs are like that, too.

So you can tailor this choice to the particular environment.

> Third, a password works best (against casual hacking) if it is cryptic, i.e.
> case-sensitive upper/lower and letter/number combinations of at least 10
> characters. However, these are too long for most people to remember and so
> get written down. If it's written down you've broken a major security rule
> and it's likely other people will (at some point) read the password.
> Therefore, you must keep them at about 6 chars (do not include symbols) and
> INSIST that a written password is grounds for serious consequences, even
> termination.

Although this sort of statement is in accordance with established
traditions in computer security, I think it's time to look at it seriously
and declare it unrealistic.

This has descended from the ancient days when computer use was the domain
of highly trained experts. Back then we could demand that people do
difficult, counterintuitive things. After all, we had to memorize all those
absurd commands and all the funny little characters that went with them, so
it didn't seem like much to have us memorize some more mumbo jumbo.

Times have changed. In the olden days we could ignore the lessons of human
engineering and demand behavior that depends on highly unreliable methods
of human-computer interaction. It doesn't work that way any more.

There's no point in requiring that people use hard-to-remember passwords
and at the same time demand that they never write them down. Their jobs
depend on writing them down -- they can't get any work done if they lose
their password. On the other hand, if no "preventer of information
services" (as they said in Dilbert) ever figures out they've written the
password down, then they're OK. Even if they do, so what? The IS department
really doesn't have that much power in most organizations, especially when
it comes to security rules. They can be disruptive, but they can't really
force a policy on the rest of the organization.

> Fourth, if you change passwords every 30 days they'll be written down again.
> BUT, a password in use for more than 30 days gives anyone trying to hack
> their way into a system more time to work with the same password, so you
> must compromise. If you assign a new password every 75 days this gives you
> about 5 passwords a year and still keeps the troops from getting sloppy.

Even if you get people to NOT write down cryptic passwords the first couple
of times, they'll tire of this game and eventually start writing the new
ones down. I find I have to write a cryptic password down the first time I
see it since my short term memory tends to drop it before I have a chance
to memorize it. Maybe that's the reason I use a handheld password token for
some purposes and a fingerprint scanner for others.

> Fifth, you must implement a password attempt tracking system. Keep log files
> and lock out accounts after 3 wrong password attempts. Monitor for unusual
> activity.

Tracking of bad passwords should be the second step, not the fifth.

The purpose of the lockout is to involve a live human (some IS
representative) after "too many" password failures have occurred. Strictly
speaking, the setting should allow thumb-fingered people to make a few
mistakes while always capturing attempts to try a handful of "likely"
passwords. If you're working with novel techniques (like fingerprint
scanners) then you need a higher tolerance of password failures.

Rick.
smith () securecomputing com
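The lockout logic the two of them are arguing about, as an added illustration that is not code from this thread or from any product mentioned in it: failures are counted inside a time window so that a typo or two never locks anyone out, a short burst of wrong guesses does, and once an account is locked even the correct password is refused until a person clears it. The log format, the field names and the sample lines are all constructed for the example.

```python
"""Failed-login tracking with a tolerance threshold and a lockout that
needs a human to clear.  Added illustration; not code from the original
thread.  Log format, field names and sample lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample auth log (hypothetical format, not any real daemon's output).
# alice: one typo, then success.  bob: four rapid failures, then the right
# password.  carol: two failures 90 minutes apart, then success.
SAMPLE_LOG = """\
1998-08-31 09:00:01 login FAIL user=alice src=10.0.0.5
1998-08-31 09:00:09 login OK   user=alice src=10.0.0.5
1998-08-31 09:05:00 login FAIL user=bob src=192.0.2.7
1998-08-31 09:05:02 login FAIL user=bob src=192.0.2.7
1998-08-31 09:05:04 login FAIL user=bob src=192.0.2.7
1998-08-31 09:05:06 login FAIL user=bob src=192.0.2.7
1998-08-31 09:05:08 login OK   user=bob src=192.0.2.7
1998-08-31 10:00:00 login FAIL user=carol src=10.0.0.9
1998-08-31 11:30:00 login FAIL user=carol src=10.0.0.9
1998-08-31 11:30:05 login OK   user=carol src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) login (OK|FAIL)\s+user=(\S+) src=(\S+)$")


@dataclass
class LockoutPolicy:
    """Failures allowed inside `window` before the account locks.
    Raise max_failures for clumsy input methods (fingerprint scanners etc.)."""
    max_failures: int = 3
    window: timedelta = timedelta(minutes=15)


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failure times
    locked_at: Optional[datetime] = None


def evaluate_attempt(state: AccountState, policy: LockoutPolicy,
                     ts: datetime, password_ok: bool) -> str:
    """Apply one attempt to the account and return the decision.
    'reject_locked' is returned even for a correct password: once locked,
    only a human unlock (not a lucky guess) may reopen the account."""
    if state.locked_at is not None:
        return "reject_locked"
    if password_ok:
        state.failures.clear()  # a genuine typo run ends with a success
        return "allow"
    # Forget failures that fell out of the window, then record this one.
    cutoff = ts - policy.window
    state.failures = [t for t in state.failures if t >= cutoff]
    state.failures.append(ts)
    if len(state.failures) >= policy.max_failures:
        state.locked_at = ts
        return "locked"
    return "deny"


def process_log(text: str,
                policy: LockoutPolicy = LockoutPolicy()
                ) -> Tuple[Dict[str, datetime], List[str]]:
    """Replay log lines through the policy.  Returns (locked, alerts):
    locked maps user -> lockout time; alerts lists what an operator should
    look at (each lockout and every attempt made on a locked account)."""
    states: Dict[str, AccountState] = defaultdict(AccountState)
    locked: Dict[str, datetime] = {}
    alerts: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ok, user, src = m.group(2) == "OK", m.group(3), m.group(4)
        decision = evaluate_attempt(states[user], policy, ts, ok)
        if decision == "locked":
            locked[user] = ts
            alerts.append(f"{ts} LOCKOUT user={user} src={src} "
                          f"after {policy.max_failures} failures")
        elif decision == "reject_locked":
            alerts.append(f"{ts} ATTEMPT ON LOCKED ACCOUNT user={user} "
                          f"src={src} password_ok={ok}")
    return locked, alerts


if __name__ == "__main__":
    locked_accounts, operator_alerts = process_log(SAMPLE_LOG)
    print("locked:", locked_accounts)
    for alert in operator_alerts:
        print(alert)
```

With the default policy only bob is locked (at the third failure), bob's later attempts, including the one with the right password, are reported to the operator, and carol's two widely spaced mistakes never add up. Running the same log with `LockoutPolicy(max_failures=6)` locks nobody, which is the "higher tolerance" setting for noisy authentication methods.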
