Security Basics mailing list archives

RE: A doable frequent password change policy?


From: "Largacha Lamela, Daniel" <dlargac () mapfre com>
Date: Thu, 5 Jul 2007 08:20:16 +0200

Hi Everybody, first of all you have to be sure of the value of what you
want to protect. Second you should apply enough controls (among your
policy) that assure no one can guess users' passwords. And this is not
just about how frequent password changes are; it is also password length,
technology used and additional security controls such as automatic user
blocking. Think about your objective: having a password policy which
assures a very low probability of guessing passwords (if you have proper
security controls you will bring this probability down to residual risk,
because there is always a chance that a person guesses some other person's
password just by being lucky).

For example, let's think you have a business web application with the
following password policy:

 - eight characters length (at least)
 - strong composition (numbers, text, non-dictionary composed, punctuation
signs, ...etc) -> you assure that 128 characters are used in every
password position
 - 90 days change frequency

Also you have controls so you can guarantee that no more than 5 attempts
can be done over an hour (perhaps blocking the user account for an hour
after 5 failed tries). So the max number of authentication tries is about
120 a day. These are 10800 passwords over our 90 day period, which
supposes a 1,43 *10^-13 (10.800 / 72.057.594.037.927.936 - the complete
universe of 8-character passwords) probability of guessing a password.

In conclusion you can set a balanced password policy which provides you
enough security, just not relying only on the frequency of user password
changes.
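The arithmetic in the post above, as an added worked example for this archive page (it is not code from the thread or its authors). It reproduces the post's figures (128 possible symbols per position, 8-character minimum, 5 attempts per hour, 90-day rotation) and then varies one control at a time so the relative weight of rotation, composition and lockout can be compared. The comparison policies, the policy names and the "10 guesses per second" figure used to model the absence of a lockout are constructed assumptions, not values from the post.

```python
"""Online password-guessing risk calculator.

Added example for this archive page; not code from the thread.
It implements the arithmetic in the post above: the lockout rule bounds the
attacker's online guess budget, the password's lifetime bounds how long that
budget accrues, and the chance of a lucky guess is budget / keyspace.
The 128-symbol alphabet, 8-character minimum, 5 tries per hour and 90-day
rotation come from the post; every other policy below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    alphabet_size: int        # distinct characters usable in each position
    min_length: int           # minimum length the policy enforces
    rotation_days: int        # forced change interval; 0 means never expires
    attempts_per_window: int  # failed logins allowed before lockout
    window_hours: float       # length of the lockout window in hours


def keyspace(policy: PasswordPolicy) -> int:
    """Distinct passwords of exactly min_length characters.

    Assumes passwords are chosen uniformly at random over the alphabet, which
    is the best case; real user-chosen passwords occupy a far smaller space.
    """
    return policy.alphabet_size ** policy.min_length


def guesses_per_day(policy: PasswordPolicy) -> float:
    """Upper bound on online attempts per day permitted by the lockout rule."""
    windows_per_day = 24.0 / policy.window_hours
    return policy.attempts_per_window * windows_per_day


def guess_budget(policy: PasswordPolicy, horizon_days: int) -> int:
    """Total online guesses available before the password is rotated.

    With rotation the budget is capped at the rotation period; without it the
    budget keeps growing, so it is only bounded by the horizon we look at.
    """
    lifetime_days = policy.rotation_days if policy.rotation_days > 0 else horizon_days
    return round(guesses_per_day(policy) * lifetime_days)


def guess_probability(policy: PasswordPolicy, horizon_days: int = 365) -> float:
    """Probability that an attacker spending the whole online budget guesses
    one specific password during its lifetime (capped at 1.0)."""
    return min(1.0, guess_budget(policy, horizon_days) / keyspace(policy))


# Policy from the post: 128-symbol alphabet, 8 chars, 5 tries/hour, 90-day change.
THREAD_POLICY = PasswordPolicy(128, 8, 90, 5, 1.0)

# Constructed variations (assumptions for comparison), one knob changed at a time.
NO_ROTATION = PasswordPolicy(128, 8, 0, 5, 1.0)        # same, never expires
WEAK_COMPOSITION = PasswordPolicy(26, 6, 90, 5, 1.0)   # lowercase only, 6 chars
# "No lockout" modelled as 10 guesses/second, i.e. 36000 per hour-long window.
WEAK_NO_LOCKOUT = PasswordPolicy(26, 6, 90, 36000, 1.0)


def compare(horizon_days: int = 365) -> dict[str, float]:
    """Guess probability per named policy, for side-by-side comparison."""
    policies = {
        "thread policy (128^8, 5/hour, 90 days)": THREAD_POLICY,
        "same, no rotation (1-year horizon)": NO_ROTATION,
        "lowercase 6 chars, 5/hour, 90 days": WEAK_COMPOSITION,
        "lowercase 6 chars, no lockout, 90 days": WEAK_NO_LOCKOUT,
    }
    return {name: guess_probability(p, horizon_days) for name, p in policies.items()}


if __name__ == "__main__":
    print(f"keyspace of 128^8 = {keyspace(THREAD_POLICY):,}")
    print(f"guess budget over 90 days = {guess_budget(THREAD_POLICY, 365):,}")
    for name, prob in compare().items():
        print(f"{name:42s} P(guess) = {prob:.3e}")
```

Run as a script it prints the 128^8 keyspace (72,057,594,037,927,936), the 10800-guess budget and the four probabilities; the quotient 10800 / 128^8 evaluates to about 1.5e-13. The instructive part is the comparison: removing rotation only multiplies the budget by the horizon (a few times larger), while shrinking the alphabet and length or removing the lockout moves the probability by many orders of magnitude, which is the post's point that rotation frequency alone is the wrong knob to lean on. The model is an upper bound for online guessing only; it says nothing about offline attacks against stolen hashes, where the lockout rule does not apply.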

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On behalf of gjgowey () tmo blackberry net
Sent: Tuesday, 03 July 2007 22:10
To: krymson () gmail com; listbounce () securityfocus com;
security-basics () securityfocus com
Subject: Re: A doable frequent password change policy?

Don't forget the biggest weakness of any password system: users writing
down their password on a post-it note and putting it on their monitor or
keyboard.  It's funny when I mention this to clients and then all of a
sudden they realize why everyone has a post-it note on their monitor or
keyboard x< (doh!)

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: krymson () gmail com

Date: 2 Jul 2007 19:33:19
To: security-basics () securityfocus com
Subject: Re: A doable frequent password change policy?


A few things. First of all, lots and lots of less intelligent people
than you are already under such policies, and don't seem to have too
much of a problem with them, so I think you'll survive. :) It is
accepted that most people will do the bare minimum to get past a
password policy, such as leaving the last digit of a password a number
and just incrementing it each month. You'll have to assume that every
password on your network is infinite if you don't have a policy that
changes them. I mean, that's the only level of security you can
guarantee, no?


Second, what compliance do you have to meet? The regs of that compliance
may be your answer, no matter what your users think. :)


I think password shifting every 60 days and effectively not keeping
history (for instance, inability to reuse the last 200 passwords) seems
to me to be an acceptable policy these days. True, you can still crack
those hashes quickly, but we're talking about risk management in this
case. Changing them is far better than infinite passwords, as even the
act of changing them may expose failed attempts and thus unauthorized
use.


For Cisco, is the information they are protecting really that important
that they should enforce password changes? Honestly, while password
changing and history enforcement are accepted with systems on a network
under your control, I can't actually think of any websites I go to that
have a similar policy. They have instead decided their internal workings
(hash, database, encryption) are powerful enough, so they just protect
against password guessing (one would hope!). But for a local network,
can you ensure no one has pilfered your hashes at some point? Likewise,
do you have a captive audience? If so, impose that policy if it means
your users have a more protected network and thus a more protected
income and life! (Websites might turn off some users with stringent
password policies, meaning they don't have a captive audience...blah
blah blah)

<- snip ->

Yes I am aware of the importance of advising users on changing their
passwords frequently, be it their AD passwords or passwords on other
independent applications (ERP) etc.

But I don't want to enforce a policy that comes crashing down. I
personally cannot keep changing my password every month making sure that
it differs from the last two in history (at least).

Even Cisco on its CCO account only makes its users aware that their
password hasn't been changed for quite some time and gives them an option
of either changing it or just taking a 'No Thanks' option and carrying on
with their old password. This sounds like a doable compliance to me.

Your thoughts??
