Educause Security Discussion mailing list archives

Re: Password Expiration


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Tue, 11 Apr 2006 10:40:09 -0400


> Regardless of the origin of the idea (and thanks for that
> background, too), proponents of password changing can argue that
> the practice does limit the length of time during which a bad guy
> can do damage. Now, this may be pointless, since one access may be
> all it takes to empty out a bank account or do other catastrophic
> damage, but the argument is made nonetheless. So let's ask the
> question directly: Since it's inevitable that passwords will fall
> into the wrong hands, how can we minimize the duration of the
> exposure?

The best minimization is to use one-time passwords, combined with
using trustworthy software and limiting access rights.

> One approach is to give the user feedback on recent accesses,
> hoping that s/he'll notice any illegitimate activity. This also
> goes back to mainframe days, when many systems' login displays
> included the timestamp of the previous login.
> We can extend this idea in two dimensions: First, track not just
> time, but things like MAC and IP addresses, geographic location,
> session duration, etc.

Some systems do this, at least partially.  However, it is limited to
what the OS supports, and the reliability of the information.  Some
of what you suggest (such as geographic location) cannot be reliably
captured.  It is also the case that some places where user
authentication is performed (e.g., via WWW-based login, or ftp) may
not be logged by the OS in the same way.  And if an intruder has
gained privileged access, the contents of any host-based audit trails
and logging -- and thus their display -- should be viewed as suspect.

> And, second, automate the process. That is, have the system look
> for and flag anomalous activity. This may sound familiar: It's a
> variation on what the credit card companies do to detect fraud.

It is part of what an anomaly-based IDS (or IPS, to use current buzz)
system does -- or should do.  Not a new idea at all.

> So instead of "brain-dead password change policies" (and I'm amazed
> no one has yet referenced http://www.smat.us/sanity/mordac.jpg),
> which at best limit the bad guys to weeks or months of illegitimate
> account access, I wonder if there's any work being done to notice
> compromised passwords in this or some other way.

Intrusion detection/prevention technologies are oriented towards this
problem -- to find intruders using the system without authorization,
whether through captured passwords or software flaws.  These have
varying levels of success depending on system type, access patterns,
and so on.  The best solution continues to be to keep them out in the
first place.


One of my favorite Dilbert cartoons ends with the pointy-haired boss
saying "...and starting today, all passwords must contain letters,
numbers, doodles, sign language and squirrel noises."  Sounds
familiar to anyone?

--spaf
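The two ideas discussed in this exchange (showing the user their previous login, and having the system flag logins that break the user's own pattern in time, source address and session length) in one small script. This is an added example, not code from either poster; the login records, field layout and function names are constructed for illustration, and the records are assumed to come from a central log collector rather than the possibly tampered host, for the reason Spafford gives above.

```python
"""Per-user login baseline and anomaly flagging over constructed login
records (added example, not from the original thread)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of successful logins as a central collector might hold
# them: ISO timestamp, user, source IP, session duration in seconds.
# (Host-based audit trails alone are suspect once an intruder has root.)
SAMPLE_LOGINS = [
    "2006-04-03T08:55:10 alice 128.10.4.20 duration=480",
    "2006-04-04T09:02:41 alice 128.10.4.21 duration=510",
    "2006-04-05T08:47:03 alice 128.10.4.20 duration=455",
    "2006-04-06T09:10:59 alice 128.10.4.22 duration=500",
    "2006-04-07T03:12:30 alice 203.0.113.77 duration=3",
    "2006-04-07T09:00:00 alice 128.10.4.20 duration=470",
]


def parse_login(line):
    """Parse one constructed record into a dict (assumed field layout)."""
    ts, user, ip, dur = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "ip": ip_address(ip), "duration": int(dur.split("=", 1)[1])}


def network_of(ip):
    # Bucket IPv4 sources by /24 so a DHCP pool on one LAN counts as one place.
    return ip_network(f"{ip}/24", strict=False)


def judge(rec, prior):
    """Compare one login with the user's earlier, accepted logins."""
    reasons = []
    if network_of(rec["ip"]) not in {network_of(p["ip"]) for p in prior}:
        reasons.append("source network never seen for this user")
    hours = [p["time"].hour for p in prior]
    if not (min(hours) - 2 <= rec["time"].hour <= max(hours) + 2):
        reasons.append("login hour outside usual window")
    shortest = min(p["duration"] for p in prior)
    if rec["duration"] < shortest / 10:
        reasons.append("session far shorter than usual")
    return reasons


def assess(records, min_history=3):
    """Walk logins in time order and judge each against the user's history.

    Flagged logins are kept out of the baseline, so one hijacked session
    does not quietly widen the user's 'normal' for later comparisons.
    Returns a list of (record, reasons) for every flagged login.
    """
    history = defaultdict(list)
    flagged = []
    for rec in sorted(records, key=lambda r: r["time"]):
        prior = history[rec["user"]]
        reasons = judge(rec, prior) if len(prior) >= min_history else []
        if reasons:
            flagged.append((rec, reasons))
        else:
            prior.append(rec)
    return flagged


def last_login_banner(records, user):
    """Mainframe-style feedback line for the next interactive login."""
    mine = sorted((r for r in records if r["user"] == user),
                  key=lambda r: r["time"])
    if not mine:
        return f"No previous login recorded for {user}."
    last = mine[-1]
    return (f"Last login for {user}: {last['time']:%Y-%m-%d %H:%M} "
            f"from {last['ip']} ({last['duration']} s)")


if __name__ == "__main__":
    recs = [parse_login(line) for line in SAMPLE_LOGINS]
    print(last_login_banner(recs, "alice"))
    for rec, why in assess(recs):
        print(f"FLAG {rec['user']} {rec['time']} {rec['ip']}: {'; '.join(why)}")
```

The 03:12 login from an unfamiliar network with a three-second session trips all three checks; everything else fits the pattern. The thresholds (three prior logins, a two-hour margin, a tenfold shorter session) are arbitrary constructed values; in practice they are tuned per site, and the flags feed an analyst or the user's own login banner rather than blocking outright.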
