Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 27 Aug 2004 15:09:21 -0400

Scott Bradner wrote:

Not with compromised desktops and phishing attacks around.


so forcing a passwd change reduces the window of vulnerability,
so if an attack lags the interception of the password by a long time,
changing the password helps - but if the attack comes soon after
the compromise, changing the passwd does nothing useful

True, but it puts a limit on the amount of time an account
can remain compromised. As you suggest, not all account
compromises are leveraged immediately. Also, the things
the account is used for may not draw attention for a
long time. I'd hazard a guess that the compromises we
should be most worried about fit those categories
(i.e. the "sleeper" compromises).

In the meantime, and depending upon how well the users'
habits are known or can be defined, login logs can be
monitored for location and time aberrations. A login
from Spain while the account holder is sitting across
the hall is a definite tip that something is wrong. :)

Are you saying passwords should not be changed periodically?

I was once a proponent that:

a) a strong password
b) on a system with anti-guessing limits and good monitoring
c) using an application that encrypted the password on the wire

did not need to be changed very often as long as the password
was protected. I've seen enough compromised desktops and
accounts over the past year that I've changed my mind about
the feasibility of a typical user being able to protect their
password. I guess the password changing policies, though,
depend upon the level of risk that a compromised user
account represents. There might be some disagreement over
that. :)

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
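The login-log monitoring Gary describes above (flagging a login from Spain while the account holder is across the hall) is easy to sketch in code. The following is an added example, not code from the original thread or from JMU: it builds a per-user baseline of countries and login hours from earlier logins and flags later ones that come from a never-seen country, at an hour far outside the user's habit, or from a different country too soon after the previous login to be physical travel. The log format, the `jsmith` account, the IP addresses and the country codes are all constructed for the example (a real deployment would derive country from a GeoIP lookup on the source address).

```python
"""Flag login anomalies by location and time of day (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <country> <source ip>"
# The last two lines are the interesting ones: a login from Spain 23 minutes
# after one from the usual campus address, and a 3 a.m. login.
SAMPLE_LOG = """\
2004-08-23T08:55:02 jsmith US 134.126.10.21
2004-08-23T17:10:44 jsmith US 134.126.10.21
2004-08-24T09:02:11 jsmith US 134.126.10.21
2004-08-25T08:48:30 jsmith US 134.126.10.21
2004-08-26T08:51:07 jsmith US 134.126.10.21
2004-08-27T08:57:19 jsmith US 134.126.10.21
2004-08-27T09:20:03 jsmith ES 81.35.7.200
2004-08-28T03:12:45 jsmith US 134.126.10.21
"""

MIN_HISTORY = 3                      # prior logins needed before judging a new one
HOUR_SLACK = 2                       # tolerance (hours) around previously seen login hours
TRAVEL_WINDOW = timedelta(hours=2)   # different-country logins closer than this are suspect


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, country, ip), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, country, ip))
    events.sort(key=lambda e: e[0])
    return events


def find_anomalies(events):
    """Return a list of (timestamp, user, country, ip, reasons) for suspicious logins.

    The baseline is built incrementally from each user's own earlier logins.
    Flagged logins are deliberately kept out of the baseline so that an
    attacker's logins do not teach the monitor that Spain is normal.
    """
    history = defaultdict(list)      # user -> list of (timestamp, country) for accepted logins
    findings = []
    for ts, user, country, ip in events:
        prior = history[user]
        reasons = []
        if len(prior) >= MIN_HISTORY:
            seen_countries = {c for _, c in prior}
            seen_hours = {t.hour for t, _ in prior}
            if country not in seen_countries:
                reasons.append("new_location")
            if all(abs(ts.hour - h) > HOUR_SLACK for h in seen_hours):
                reasons.append("odd_hour")
            last_ts, last_country = prior[-1]
            if last_country != country and ts - last_ts < TRAVEL_WINDOW:
                reasons.append("impossible_travel")
        if reasons:
            findings.append((ts.isoformat(), user, country, ip, reasons))
        else:
            prior.append((ts, country))
    return findings


if __name__ == "__main__":
    for ts, user, country, ip, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user} {country} {ip}: {', '.join(reasons)}")
```

Run against the constructed log, the Spain login is flagged as both `new_location` and `impossible_travel`, and the 3 a.m. login as `odd_hour`. The thresholds are deliberately crude; how tight they can be depends, as Gary notes, on how well a given user's habits are known, and on a real system the baseline should be seeded from a known-good period rather than from whatever logins happen to come first.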
