Educause Security Discussion mailing list archives

Re: Password aging


From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Wed, 14 Jan 2004 11:22:29 -0800

At 9:57 AM -0800 on 1/14/04, Jere Retzer wrote:

A password is most secure when first established and will become less
secure the more it is used. There are many potential avenues that cause
this to happen. One of the most significant is that people routinely use
the same password for lots of different systems so that if any one is
compromised their access is potentially compromised other places as
well.

So require that people -not- do this (even if you also require
changes, but if you -do- require changes realize that people will be
more tempted to do this.)  How do you know?  Ask?  Educate?  Check
systems under your control?  Dunno but I don't think requiring change
helps - a naive user would simply change them all to be the new one.

Others include password sharing, sticky notes, dictionary attacks
(and systems that don't disable repeated attempts), eavesdropping, etc.

Never send passwords in the clear.  In a corporate or campus context,
you can ensure this.  When a user is at home or elsewhere, well...
But you can certainly minimize the eavesdropping exposure.

[The one I dislike intensely is the e-commerce site that can send you
back your password if you forget it.  That capability means that the
site can retrieve your clear text password!!  Unix systems
programmers knew better 30 years ago, even if the encryption was weak.]

Each exposure of a password represents a small but finite risk. Sooner
or later your number may come up in the lotto.

Yes - but the question is how long?  10,000 monkeys might eventually
type the next great American novel.  An array of Macintosh dual-CPU
G5's can probably crack a 2048 bit asymmetric key pair in 10-20
years.  If access management technology can keep ahead of this curve,
maybe we're OK.  I still suspect that the weak link will be human
nature (barring GM humans ;-).


Passwords are frankly lousy security, just as firewalls are lousy but
necessary security. The sooner we admit this and start really to focus
and spend money on biometric systems the better off we'll be. Yes,
current biometric systems are also far from perfect but they will become
better as people decide it is important and spend accordingly.


I totally agree that passwords per se are lousy security.  I'm just
trying to understand the real risks and potential mitigations.

I believe the use of biometrics is poorly understood by most people
but that is a topic for another thread.

       David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
