Firewall Wizards mailing list archives
RE: password aging
From: Rick Smith <rick_smith () securecomputing com>
Date: Mon, 31 Aug 1998 11:26:43 -0500
At 12:19 AM 8/30/98 -0400, KirkAdams wrote:
> First, carefully evaluate your information security need. What needs protecting? Who needs access? How much are you willing to spend in time and money to protect it?
Yes, yes.
> Second, NO ONE picks a hard-to-remember password. This automatically reduces or eliminates their value. Therefore assign passwords.
Easy-to-guess passwords are less of a problem in an environment where you can detect password guessing. They lose the most in situations where you can't detect password guessing (i.e. a downloaded Unix password file) if the password is the only thing protecting the system from serious threats. For example, if the system is a private LAN and remote login isn't possible, then easy-to-guess passwords are less of a concern. Safe combinations and PINs are like that, too. So you can tailor this choice to the particular environment.
> Third, a password works best (against casual hacking) if it is cryptic, i.e. case-sensitive upper/lower and letter/number combinations of at least 10 characters. However, these are too long for most people to remember and so get written down. If it's written down you've broken a major security rule and it's likely other people will (at some point) read the password. Therefore, you must keep them at about 6 chars (do not include symbols) and INSIST that a written password is grounds for serious consequences, even termination.
Although this sort of statement is in accordance with established traditions in computer security, I think it's time to look at it seriously and declare it unrealistic. This has descended from the ancient days when computer use was the domain of highly trained experts. Back then we could demand that people do difficult, counterintuitive things. After all, we had to memorize all those absurd commands and all the funny little characters that went with them, so it didn't seem like much to have us memorize some more mumbo jumbo. Times have changed. In the olden days we could ignore the lessons of human engineering and demand behavior that depends on highly unreliable methods of human-computer interaction. It doesn't work that way any more. There's no point in requiring that people use hard-to-remember passwords and at the same time demanding that they never write them down. Their jobs depend on writing them down -- they can't get any work done if they lose their password. On the other hand, if no "preventer of information services" (as they said in Dilbert) ever figures out they've written the password down, then they're OK. Even if they do, so what? The IS department really doesn't have that much power in most organizations, especially when it comes to security rules. They can be disruptive, but they can't really force a policy on the rest of the organization.
> Fourth, if you change passwords every 30 days they'll be written down again. BUT a password in use for more than 30 days gives anyone trying to hack their way into a system more time to work with the same password, so you must compromise. If you assign a new password every 75 days this gives you about 5 passwords a year and still keeps the troops from getting sloppy.
Even if you get people to NOT write down cryptic passwords the first couple of times, they'll tire of this game and eventually start writing the new ones down. I find I have to write a cryptic password down the first time I see it since my short term memory tends to drop it before I have a chance to memorize it. Maybe that's the reason I use a handheld password token for some purposes and a fingerprint scanner for others.
> Fifth, you must implement a password attempt tracking system. Keep log files and lock out accounts after 3 wrong password attempts. Monitor for unusual activity.
Tracking of bad passwords should be the second step, not the fifth. The purpose of the lockout is to involve a live human (some IS representative) after "too many" password failures have occurred. Strictly speaking, the setting should allow thumb-fingered people to make a few mistakes while always capturing attempts to try a handful of "likely" passwords. If you're working with novel techniques (like fingerprint scanners) then you need a higher tolerance of password failures.

Rick.
smith () securecomputing com
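As an added illustration of the attempt tracking discussed above (example code written for this archive page, not something posted by Rick Smith or Kirk Adams): a small Python detector that reads constructed syslog-style lines, locks an account after the three failures the post names, forgives a couple of mistakes followed by a success, and assumes a hypothetical higher threshold for accounts that authenticate with a fingerprint scanner. The log format, thresholds and the `fingerprint` method label are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample (not from the original post).
SAMPLE_LOG = """\
Aug 31 11:01:02 host login: FAILED LOGIN for alice from 10.0.0.5
Aug 31 11:01:09 host login: FAILED LOGIN for alice from 10.0.0.5
Aug 31 11:01:15 host login: ACCEPTED LOGIN for alice from 10.0.0.5
Aug 31 11:02:00 host login: FAILED LOGIN for bob from 10.0.0.9
Aug 31 11:02:03 host login: FAILED LOGIN for bob from 10.0.0.9
Aug 31 11:02:07 host login: FAILED LOGIN for bob from 10.0.0.9
Aug 31 13:30:00 host login: FAILED LOGIN for carol from 10.0.0.7
Aug 31 13:30:05 host login: FAILED LOGIN for carol from 10.0.0.7
Aug 31 13:30:09 host login: FAILED LOGIN for carol from 10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login: "
                     r"(?P<result>FAILED|ACCEPTED) LOGIN for (?P<user>\S+) from (?P<src>\S+)$")

# Hypothetical policy: 3 strikes by default (the post's figure), a higher
# tolerance for accounts using a novel method such as a fingerprint scanner.
DEFAULT_THRESHOLD = 3
METHOD_THRESHOLD = {"fingerprint": 6}


def track_failures(log_text, user_methods=None, window=timedelta(minutes=10)):
    """Return lockout events as (user, timestamp, failure_count, source).
    Failures older than `window` age out, a success clears the counter,
    and each account alerts once so a human can step in."""
    user_methods = user_methods or {}
    recent = defaultdict(list)          # user -> timestamps of recent failures
    locked, events = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # not an authentication record
        ts = datetime.strptime("1998 " + m["ts"], "%Y %b %d %H:%M:%S")  # year assumed
        user = m["user"]
        if m["result"] == "ACCEPTED":
            recent[user].clear()         # thumb-fingered but legitimate: forgive
            continue
        if user in locked:
            continue                     # already escalated to a human
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        limit = METHOD_THRESHOLD.get(user_methods.get(user), DEFAULT_THRESHOLD)
        if len(recent[user]) >= limit:
            locked.add(user)
            events.append((user, ts, len(recent[user]), m["src"]))
    return events
```

Run against the sample with `user_methods={"carol": "fingerprint"}`, only `bob` is locked out; without that mapping `carol` trips the default three-strike rule as well.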