Re: password aging

["Stephen P. Gibbons" <steve () aztech net>]

Paul McNabb wrote:

> >  From: "Stephen P. Gibbons" <steve () aztech net>
> >
> >  Respectfully, I don't think you've read a word that I've written.
>
> Respectfully, I read everything several times before writing a response.
>
> The bottom line of all of this is the following:
>
> It is absolutely, positively guaranteed that any serious attacker over
> the age of 12 will be able to determine whether the password is failing
> the complex checks (yes, I'm VERY familiar with ALL you have mentioned)
> or if he has stumbled across someone's old or current password.

I disagree.  The system that I was proposing would only expose
previouslyused passwords. It would _not_ expose passwords in current use.
The only
way to check a username/password combination in the system that I am
talking about is to speak its protocol, and make a login request.  All
logins are
logged (success or failure) and audited, and the account is locked after N
attemts without success.

Password changes are logged and audited to the same degree.  Accounts
are currently "locked out" after N unsucessful attempts to change the
password.  (False, but true enough for a public statement)

Granted, the previous policy will need to be rethought.

> Any argument to the contrary is an appeal to the entirely discredited
> "security through obscurity" arguments that are occasionally raised
> by novices in the security field.

I would hope that I am arguing "security through reasoned thought",not
"security through obscurity".  You may disagree with me, whithout
understanding the system that I have in mind, but please don't imply
that I am a novice.

Someone raised the topic of password history checking.  I posted
my (admittedly) disorganized thoughts on the topic, from the point of
 view of the system that I am currently supporting via changes to code.

I really do appreciate the comments, but I think that we've been
talking about apples vs. oranges.  I won't go into too many details,
but (for example) I've been supposing about 10^6 or 10^7 users.

> And yes, most users have patterns to their password selections, and
> knowing one or more can reduce the password namespace dramatically.
> For example, do you often add digits to the end of your passwords?
> the beginning? punctuation at the end? swap syllables? use initial
> or final upper case letters?  People DO use patterns when selecting
> passwords.  And if you want to try to limit that, you might as well
> use a password generation program and enforce a large and random
> password namespace.  It seems it would be better to spend your time
> making a password generator that made easy-to-remember-yet-complex
> passwords.
>
> All of your fancy checking for "weak" passwords are wonderful!  They
> are meaningful!  They are good!  They should be used!
>
> However, they should be used ONLY for checking passwords against a
> dictionary or the user's own password history, never against other
> users' passwords!

This is what we do today.

> ANY MECHANISM THAT YOU PROVIDE THAT REVEALS INFORMATION ABOUT ANOTHER
> USER'S PASSWORD CHOICES IS A SECURITY HOLE!!
>
> System wide password histories can never, never, under any circumstances
> provide any level of additional security!!  The one exception is if your
> users are telling each other their passwords and using that information
> when changing their own passwords -- a situation that is so bad that no
> system-wide password history mechanism could hope to provide much help.
>
> The instant you install a system-wide password history mechanism, your
> system is less secure than it was.
>
> Stephen may not be able to accept this, but I hope that other security
> folks on this list avoid system-wide password histories like they would
> three day old roadkill.

I probably haven't "defended" myself well enough (above)  WRT
thisdiscussion, but I will fall back on my statement that "one has to look
at the system as a whole before drawing conclusions"

I asked for feedback, and I thank you for yours, Paul.  I think that I
probably under-estimated the amount of information that I needed to
supply, in order to get useful feedback, and for that I apologize.

On the flip-side: Maybe we should just agree to disagree.

firewall-wizards is probably sick of hearing the banter, at this point.

--
Steve

> ---------------------------------------------------------
> Paul McNabb                     Argus Systems Group, Inc.
> Vice President and CTO          1809 Woodfield Drive
> mcnabb () argus-systems com        Savoy, IL 61874 USA
> TEL 217-355-6308
> FAX 217-355-1433                "Securing the Future"
> ---------------------------------------------------------