Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Wayne Wilson <wwilson () UMICH EDU>
Date: Mon, 30 Aug 2004 14:01:05 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Bradner wrote:
|
| so forcing a passwd change reduces the window of vulnerability
| so if an attack lags the interception of the password by a long time
| changing the password helps - but if the attack comes soon after
| the compromise changing the passwd does nothing useful
|
Standard practice for frequent password changing usually is implemented
on a fixed time schedule, i.e. something like once every 6 months.

What Scott demonstrated was that it is not a fixed time interval that
causes passwords to go bad.

It is explicitly related to compromises and their appearance and
effectiveness in the wild.

This means that a policy designed to protect passwords by changing them
might have a variable time requirement, perhaps triggered by 'threat
alert levels'.  But maybe that's not needed at all.  In order to know
whether variable time is the correct response, or whether a simpler
approach of once every week, once every month, once every quarter, once
every year, etc. would do, we need to know some numbers to plug into
the risk evaluation.

I don't have those numbers, I am hoping that someone does.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBM2thY+HG7UEwVGERAjreAJ4zOvE2RQc5YQR2XkpiL6WInfx2lQCgyQ6D
ViUW5hBes2ttcFDj71yQ3SQ=
=EFK9
-----END PGP SIGNATURE-----
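The "window of vulnerability" argument quoted above can be put into numbers. The following is an added example, not code from the thread or from either poster: it models a password captured at a uniformly random moment inside a rotation period of T days, and asks how often the attacker gets to use it before the next forced change, given the lag between capture and use. The lag distribution (`LAG_DISTRIBUTION`) is constructed for illustration, not measured data, and the model assumes the attacker needs the password only once; the function names are the example's own.

```python
# Added example (not from the thread): a small model of the argument above.
# A password captured at a uniformly random moment within a rotation period
# of T days stays useful to the attacker only if the lag between capture and
# use is shorter than the time left until the next forced change.  The lag
# distribution below is constructed for illustration, not measured data.
from fractions import Fraction
import random


def success_probability(rotation_days: int, lag_days: int) -> Fraction:
    """Exact P(password still valid when used) for a fixed lag.

    Capture time is uniform in [0, T); remaining validity is T - capture,
    so the attacker wins iff lag < T - capture, i.e. P = max(0, T - lag) / T.
    """
    if rotation_days <= 0:
        raise ValueError("rotation interval must be positive")
    return Fraction(max(0, rotation_days - lag_days), rotation_days)


def expected_success(rotation_days: int, lag_distribution) -> Fraction:
    """Average success probability over a discrete lag distribution.

    lag_distribution: iterable of (lag_days, probability) pairs whose
    probabilities sum to 1.
    """
    total = Fraction(0)
    weight = Fraction(0)
    for lag, p in lag_distribution:
        p = Fraction(p)
        total += p * success_probability(rotation_days, lag)
        weight += p
    if weight != 1:
        raise ValueError("probabilities must sum to 1")
    return total


def max_rotation_for(target, lag_distribution, limit_days: int = 3650):
    """Longest rotation interval (in days, up to limit_days) that keeps the
    expected success probability at or below target; None if even daily
    rotation is not enough."""
    target = Fraction(target)
    best = None
    for t in range(1, limit_days + 1):
        if expected_success(t, lag_distribution) <= target:
            best = t
        else:
            break  # 1 - lag/T grows with T, so no longer interval can pass
    return best


def simulate(rotation_days: int, lag_distribution, trials: int = 20000,
             seed: int = 1) -> float:
    """Monte Carlo cross-check of expected_success (seeded, reproducible)."""
    rng = random.Random(seed)
    lags, weights = zip(*[(lag, float(p)) for lag, p in lag_distribution])
    wins = 0
    for _ in range(trials):
        lag = rng.choices(lags, weights)[0]
        captured_at = rng.uniform(0, rotation_days)
        if lag < rotation_days - captured_at:
            wins += 1
    return wins / trials


# Constructed illustrative lag distribution: half of captured passwords are
# used within a day, 30% after about a month, 20% only after ~200 days.
LAG_DISTRIBUTION = [(1, Fraction(1, 2)), (30, Fraction(3, 10)),
                    (200, Fraction(1, 5))]

if __name__ == "__main__":
    for t in (7, 30, 90, 180, 365):
        p = float(expected_success(t, LAG_DISTRIBUTION))
        print(f"rotate every {t:3d} days: expected attacker success {p:.3f}")
    print("longest interval keeping success <= 0.5:",
          max_rotation_for(Fraction(1, 2), LAG_DISTRIBUTION))
    print("simulation at 90 days:", simulate(90, LAG_DISTRIBUTION))
```

With the constructed distribution, a 90-day rotation still leaves roughly 69% of captured passwords usable, and holding attacker success to one half would need rotation about every 31 days; the 20% of attacks that lag 200 days are the only ones a six-month schedule defeats. The shape of the lag distribution, which is exactly the number the post asks for, drives the answer far more than the choice of interval.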

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
