Educause Security Discussion mailing list archives

Re: Password aging


From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 9 Jan 2004 13:10:08 -0600

One approach is the use of password-storing software (putting all your eggs
in one basket).  This is software which stores a list of usernames /
passwords, and this list is encrypted with its own password.  It can even
generate "random" passwords.  This can certainly help with the
recommendation to have a different password for each account on each
machine, with the assumption that system administrators are hostile.  You
will have to be your own system administrator on the local machine storing
this list, and if you're worried about brute force, you'll still need to
change passwords, but I've found this software helps quite a bit (provided
you trust the software to not itself do something nasty).  The smart card /
biometric approach is better, but I would guess that it requires
significant additional work to add its use into selected software.

At 08:44 AM 1/9/2004, Dan Updegrove wrote:
The reasons for changing can be reduced to two broad categories:
- Can the password be guessed or discovered by brute force techniques?
- Is the password known by someone else (co-worker, family member, rogue
sys admin on a local or remote system, cracker)?

Preventing the selection of "trivial" passwords is the preferred response
to the first problem. Many of us do this, imposing varying levels of
complexity on password selection.

The second problem is much thornier, and is exacerbated by a requirement to
select a "tough" password: If someone else knows your password, then a new
password that's algorithmically-related to the prior one is suspect. So, of
course, is reverting to a previously-used password. The user is thus
challenged to select or invent a complex, quite random password string, and
this process is often done on-the-fly while thinking about something else
-- needing to log on to authorize a purchase order, read email, etc. If the
University has multiple systems, with varying rules about password length
and robustness, the user hassle factor is large, and the likelihood of a
call to the help desk is high. So, too, is the likelihood of writing down
passwords, or using the same password for all systems -- including remote
systems outside the University.

This leads some of us to conclude that any system that depends solely on
passwords is inherently insecure, and that we should protect important
systems with a second factor of authentication: token, smart card,
biometrics, ....

Kevin Shalla
Associate Director of Information and Technical Services
University of Illinois at Chicago
Office of Admissions and Records (MC 018)
1200 W Harrison, Room 2131
Chicago, IL 60607-7161
(312) 996-1231
kshalla () uic edu
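The change rules Dan describes (reject trivial passwords, reject reverting to a previously used one, and treat a new password that is algorithmically related to the old one as suspect) as an added Python example written for this archive page, not code from either author; the specific similarity heuristics, thresholds and the salted PBKDF2 history store are my own assumptions about how such a check could be built.

```python
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor for the history store


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest, so old passwords are never kept in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, digest) pair in the history."""
    return any(hmac.compare_digest(hash_password(password, s)[1], d) for s, d in history)


def _core(p: str) -> str:
    # Drop digit runs and case: "Summer2003!" and "Summer2004!" share the core "summer!"
    return re.sub(r"\d+", "", p).lower()


def is_related(old: str, new: str, threshold: float = 0.8) -> bool:
    """Heuristic: same core after stripping digits/case, a reversal, or high similarity."""
    if _core(old) == _core(new):
        return True
    if new.lower() == old.lower()[::-1]:
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def is_trivial(p: str, min_len: int = 10) -> bool:
    """Assumed minimum policy: at least min_len chars drawn from 3 of 4 character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return len(p) < min_len or sum(bool(re.search(c, p)) for c in classes) < 3


def check_change(old: str, new: str, history: List[Tuple[bytes, bytes]]) -> Optional[str]:
    """Return None if the new password is acceptable, otherwise the rejection reason."""
    if is_trivial(new):
        return "trivial"
    if in_history(new, history):
        return "reused"
    if is_related(old, new):
        return "related to previous password"
    return None
```

The history store holds only salted digests of past passwords, so a reuse check costs one PBKDF2 computation per stored entry.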
