Firewall Wizards mailing list archives
Re: password aging
From: "Stephen P. Gibbons" <steve () aztech net>
Date: Tue, 01 Sep 1998 01:27:02 -0700
Paul McNabb wrote:
> From: "Stephen P. Gibbons" <steve () aztech net>
> > Respectfully, I don't think you've read a word that I've written.
>
> Respectfully, I read everything several times before writing a response. The bottom line of all of this is the following: It is absolutely, positively guaranteed that any serious attacker over the age of 12 will be able to determine whether the password is failing the complex checks (yes, I'm VERY familiar with ALL you have mentioned) or if he has stumbled across someone's old or current password.

I disagree. The system that I was proposing would only expose previously used passwords. It would _not_ expose passwords in current use. The only way to check a username/password combination in the system that I am talking about is to speak its protocol, and make a login request. All logins are logged (success or failure) and audited, and the account is locked after N attempts without success. Password changes are logged and audited to the same degree. Accounts are currently "locked out" after N unsuccessful attempts to change the password. (False, but true enough for a public statement) Granted, the previous policy will need to be rethought.

> Any argument to the contrary is an appeal to the entirely discredited "security through obscurity" arguments that are occasionally raised by novices in the security field.

I would hope that I am arguing "security through reasoned thought", not "security through obscurity". You may disagree with me, without understanding the system that I have in mind, but please don't imply that I am a novice. Someone raised the topic of password history checking. I posted my (admittedly) disorganized thoughts on the topic, from the point of view of the system that I am currently supporting via changes to code. I really do appreciate the comments, but I think that we've been talking about apples vs. oranges. I won't go into too many details, but (for example) I've been supposing about 10^6 or 10^7 users.

> And yes, most users have patterns to their password selections, and knowing one or more can reduce the password namespace dramatically. For example, do you often add digits to the end of your passwords? the beginning? punctuation at the end? swap syllables? use initial or final upper case letters? People DO use patterns when selecting passwords. And if you want to try to limit that, you might as well use a password generation program and enforce a large and random password namespace. It seems it would be better to spend your time making a password generator that made easy-to-remember-yet-complex passwords. All of your fancy checking for "weak" passwords are wonderful! They are meaningful! They are good! They should be used! However, they should be used ONLY for checking passwords against a dictionary or the user's own password history, never against other users' passwords!

This is what we do today.

> ANY MECHANISM THAT YOU PROVIDE THAT REVEALS INFORMATION ABOUT ANOTHER USER'S PASSWORD CHOICES IS A SECURITY HOLE!! System wide password histories can never, never, under any circumstances provide any level of additional security!! The one exception is if your users are telling each other their passwords and using that information when changing their own passwords -- a situation that is so bad that no system-wide password history mechanism could hope to provide much help. The instant you install a system-wide password history mechanism, your system is less secure than it was. Stephen may not be able to accept this, but I hope that other security folks on this list avoid system-wide password histories like they would three day old roadkill.

I probably haven't "defended" myself well enough (above) WRT this discussion, but I will fall back on my statement that "one has to look at the system as a whole before drawing conclusions." I asked for feedback, and I thank you for yours, Paul. I think that I probably under-estimated the amount of information that I needed to supply, in order to get useful feedback, and for that I apologize. On the flip-side: Maybe we should just agree to disagree. firewall-wizards is probably sick of hearing the banter, at this point. -- Steve

> ---------------------------------------------------------
> Paul McNabb                    Argus Systems Group, Inc.
> Vice President and CTO         1809 Woodfield Drive
> mcnabb () argus-systems com    Savoy, IL 61874 USA
> TEL 217-355-6308               FAX 217-355-1433
> "Securing the Future"
> ---------------------------------------------------------
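As an added illustration, not part of either poster's message, the following sketches the per-user password-history check Paul describes: a candidate password is compared only against that same account's previous passwords, which are stored as salted PBKDF2 hashes, so neither the store nor the check says anything about other users' choices. The class name, constants and helper names are assumptions for this example.

```python
import hashlib
import hmac
import os

# Constructed example: per-user password history. Each entry is a
# (salt, PBKDF2 digest) pair, so the stored history itself reveals no
# plaintext, and every lookup is scoped to exactly one account.
ITERATIONS = 100_000       # assumed PBKDF2 work factor
HISTORY_DEPTH = 5          # assumed number of old passwords remembered per user


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PerUserHistory:
    def __init__(self) -> None:
        # username -> list of (salt, digest), oldest first
        self._store: dict[str, list[tuple[bytes, bytes]]] = {}

    def record(self, user: str, password: str) -> None:
        """Append the password just set to this user's own history."""
        salt = os.urandom(16)
        entries = self._store.setdefault(user, [])
        entries.append((salt, _derive(password, salt)))
        del entries[:-HISTORY_DEPTH]   # forget anything older than HISTORY_DEPTH

    def is_reused(self, user: str, candidate: str) -> bool:
        """True if candidate matches one of *this* user's previous passwords.

        Only the named user's entries are consulted, so the result cannot
        serve as an oracle for any other account's password history.
        """
        for salt, digest in self._store.get(user, []):
            if hmac.compare_digest(_derive(candidate, salt), digest):
                return True
        return False


def change_password(history: PerUserHistory, user: str, new_password: str) -> bool:
    """Reject reuse of the user's own old passwords; otherwise accept and record."""
    if history.is_reused(user, new_password):
        return False
    history.record(user, new_password)
    return True
```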