Security Basics mailing list archives
RE: Minimum password requirements
From: "Ed Spencer" <espencer () usa net>
Date: Fri, 23 Jul 2004 15:42:45 -0800
It's apparent that everyone agrees with using strong passwords (I left it out of my original reply, but I was only addressing the items mentioned) and that if there are means to enforce it they be used (if policy warrants their use), i.e. Passflt.dll. It's apparent that the main discussion is primarily on the need for password aging and some have even offered possible brute force calculations for reasons NOT to age passwords. Here are a couple of things to consider:

1. If you're brute forcing a password it should be OOB (out of band). In other words, you're not guessing against the system. This is the reason most systems lock you out for a period of time (or until a reset of some kind - usually by an administrator) when you fail your password 3 times (give or take). Most systems also have a system of progressively longer and longer wait times between passwords when they are guessed incorrectly, making in-band brute forcing/guessing of passwords inconvenient and overly time consuming.

2. If you're attempting to brute force a password OOB you're making much more than 1 attempt per second. Even with a couple of cheap PCs ($300 or less) you can split the hash and pick up most passwords within a couple of days - a week or two at the outside (depending on password strength and whether you use a good dictionary or simply guess all possibilities). Admittedly there are occasions where it may take longer, but these are usually the exception and not the rule. I've seen DoD documents that discuss password aging and they use guessing against the system as a means to determine password age. While this may be practical for some systems, brute force against the system isn't the only means used to break passwords on systems.

3. If you don't age passwords you don't have to change them. Passwords should be changed on a semi-regular basis because they are compromised.
Keep in mind that brute force isn't the only way to compromise a password; shoulder surfing and other methods cause passwords to become compromised. Are there any real world examples on why to age passwords? In my opinion, it only takes one practical example with a high likelihood of occurrence to make it necessary. As I said in number 3 above - brute force isn't the only way a password becomes compromised. Shoulder surfing, putting the password in scripts (not recommended but I've seen it) and other means happen far too often and the end user may not be aware that the password has been compromised. Forcing password aging means that if someone is 'borrowing' the credentials they have to find the 'new' password when it ages and is forced to change.

If you want more information on password use I recommend the following documents:

Agency  Document Number  Date    Title
DoD     CSC-STD-002-85   Apr-85  Password Management Guideline - Green Book
NIST    FIPS 112         May-85  Password Usage (Part 1)
NIST    FIPS 112         May-85  Password Usage (Part 2)
NIST    FIPS 181         Oct-93  Automated Password Generator
NIST    SP 800-12        Oct-95  An Introduction To Computer Security: The NIST Handbook

Password aging is a tool like any other. This is why I recommend 90 days for password aging of standard user accounts, and 30, 45, or 60 days on admin or privileged accounts (depending on frequency of use). I use the shorter times on privileged accounts because these users are more technically savvy and are less likely to write down passwords. If you give end users examples of easy ways to make strong passwords they don't have to write them down on post-it notes. It's even possible to make Pa$$w0rD a strong password if you pick the proper changes. Educating the end user in not just the policy (do it, it's policy) but how to abide by the spirit of the policy is often part of the job. Implementing technology is easy - working through the quagmire of politics and other human elements is usually the most difficult part of the job.
Just another log on the fire in this heated discussion...

Ed Spencer
MCSE/MCT/CNA/A+/Network+/Security+
Network Administrator
Aramark Corporation - Denali National Park.

-----Original Message-----
From: dmargoli () stwing org [mailto:dmargoli () stwing org]
Sent: Thursday, July 22, 2004 10:40 AM
To: security-basics () securityfocus com
Subject: Re: Minimum password requirements

Steve wrote:
We can discuss/argue all day long, but if you don't age passwords then you will fail almost any IT portion of an audit from an independent auditing organization.
Fair enough, but that doesn't really explain *why* it makes sense (or even if it does). If your business requires certification by an auditor who requires that measure, fine. Perfectly understandable. But that doesn't mean there's a good reason for such a practice (and I contend that there is not).
Real world example, a few departed employees had not been disabled in our domain, their accounts were automatically disabled. The auditors had no issues with that.
I never argued against disabling inactive accounts. I think that's a very good idea and support it completely. I argued against password ageing.
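As an added illustration of point 1 in Ed's message (this is example code, not anything posted in the thread), here is a minimal in-band login throttle: each failed guess doubles the wait before the next attempt is even considered, and the third consecutive failure locks the account for a fixed period or until an administrator resets it. The thresholds, delays and the attempt stream are constructed for the example.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3       # failures before the account is locked (assumed value)
LOCKOUT_SECONDS = 15 * 60   # lockout duration unless an admin resets earlier
BASE_DELAY = 2              # wait after the first failure; doubles on each further one


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time another attempt is accepted
    locked_until: float = 0.0   # time at which a lockout expires


class LoginThrottle:
    """Defence against online guessing: progressive delays, then a hard lockout."""

    def __init__(self):
        self.accounts = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "throttled"        # refused outright, the guess is not evaluated
        if password_ok:
            self.accounts[user] = AccountState()   # success clears the counters
            return "success"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        st.next_allowed = now + BASE_DELAY * 2 ** (st.failures - 1)
        return "failed"

    def admin_reset(self, user: str) -> None:
        self.accounts.pop(user, None)


def replay(events):
    """Run a list of (timestamp, user, password_ok) events through one throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(u, ok, ts) for ts, u, ok in events]


# Constructed attempt stream for one account (timestamps in seconds)
SAMPLE_EVENTS = [
    (0, "alice", False),            # failure 1 -> must wait 2 s
    (1, "alice", False),            # inside the wait -> throttled, not counted
    (3, "alice", False),            # failure 2 -> must wait 4 s
    (8, "alice", False),            # failure 3 -> locked for 15 minutes
    (9, "alice", True),             # right password, but the lockout still applies
    (8 + 15 * 60, "alice", True),   # lockout expired -> success
]
```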