Re: Password aging

[Dan Updegrove <updegrove () MAIL UTEXAS EDU>]

Colleagues,

Is anyone aware of bona fide, recent studies of the impact on security of
password aging policy? This is to say, we hear of lore, anecdote, and
(obsolete?) regs from auditors, but are there any useful studies?

Why change a password (more frequently)?
- Password doesn't conform to robustness criteria
- User deliberately shared it with someone
- User didn't protect it (post-it note, etc.)
- Unencrypted pswd used from an insecure location (wireless, public kiosk,
shared ethernet)
- User used same password in dubiously-secure domain (Hotmail, Amazon, NY
Times, et al.)
- Password file known to be breached

Why keep same password?
- New pswds often forgotten:
        > indiv productivity loss, dept service degraded, help desk costs
increase
- To avoid forgetting, new pswds may be written down
- To avoid forgetting, less-than-robust pswds may be selected

The reasons for changing can be reduced to two broad categories:
- Can the password be guessed or discovered by brute force techniques?
- Is the password known by someone else (co-worker, family member, rogue
sys admin on a local or remote system, cracker)?

Preventing the selection of "trivial" passwords is the preferred response
to the first problem. Many of us do this, imposing varying levels of
complexity on password selection.

The second problem is much thornier, and is exacerbated by a requirement to
select a "tough" password: If someone else knows your password, then a new
password that's algorithmically-related to the prior one is suspect. So, of
course, is reverting to a previously-used password. The user is thus
challenged to select or invent a complex, quite random password string, and
this process is often done on-the-fly while thinking about something else
-- needing to logon to authorize a purchase order, read email, etc. If the
University has multiple systems, with varying rules about password length
and robustness, the user hassle factor is large, and the likelihood of a
call to the help desk is high. So, too, is the likelihood of writing down
passwords, or using the same password for all systems -- including remote
systems outside the University.

This leads some of us to conclude that any system that depends solely on
passwords is inherently insecure, and that we should protect important
systems with a second factor of authentication: token, smart card,
biometrics, ....

Regards,
Dan Updegrove



> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.


VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
P.O. Box 7407                                   http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.