Educause Security Discussion mailing list archives

Re: Password policy


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 1 Nov 2006 17:46:21 -0700

Bob,

 

Personal opinion is that the number of attempts set to 3 or 5 is
artificially low.  If you already have strong password requirements,
then set that "error out" condition to 25 or 50 and you will foil brute
force attempts.  The "strong" requirement foils guessing - the 3 to 5
try thing was a reaction to people using their kid's or dog's name as a
password.  The other option, using long passphrases like
"imoff2seethewizard" is memorable and doesn't require strengthening
factors to prevent brute force currently.  I'm sure that someday there
will be dictionary attacks against common and well known phrases such as
this, but it seems like a better solution presently.

 

I'm still in for strong passwords, fewer changes, and a physical 2nd
factor such as a certificate on a USB key.  USB keys can be had for
under $10 these days and if you require a certificate match along with a
password, your worries about brute forcing, keyboard logging, and other
similar things go away.  Of course you have to assume USB is ubiquitous
and I'm not sure we're quite there yet - but we should be getting close.
Plus you have to unify your authentication practice, and that's a bigger
deal altogether isn't it?  Still, it solves a lot of problems where you
can do it.

 

Best regards,

 

Jim

 

*****************************************

Jim Dillon, CISA, CISSP

IT Audit Manager, CU Internal Audit

jim.dillon () cusys edu

303-492-9734

*****************************************

 

 

________________________________

From: Bob Kehr [mailto:rskehr () UCDAVIS EDU] 
Sent: Wednesday, November 01, 2006 4:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

 

Given this...would it be better to require stronger passwords that might
be more difficult to memorize (and then might get written down), or
temporarily lock accounts after a number of successive incorrect
passwords while allowing weaker passwords that are easier to memorize?
Under certain circumstances, the latter might take longer to crack, but
carries with it the risk of user DoS.

 

-Bob

 

________________________________

From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU] 
Sent: Wednesday, November 01, 2006 1:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Hi:

I guess I will chime in on why passwords should have an expiration
time/date.  

 

Brute force attacks take time --> given enough time any password can be
broken and discovered --> by forcing a change periodically you make any
targeted brute force attacker start over.   How long does it take?  The
chart below gives an idea:

 

 

If you only use words from a dictionary or a purely numeric password, a
hacker only has to try a limited list of possibilities. A hacking
program can try the full set in under one minute. If you use the full
set of characters and the techniques above, you force a hacker to
continue trying every possible combination to find yours.  

If we assume that the password is 8 characters long, this table shows
how many times a hacker may have to try before guessing your password.
Most password crackers have rules that can try millions of word variants
per second, so the more algorithmically complex your password, the better.

 

Character sets used in password              Calculation        Possible combinations
-------------------------------------------  -----------------  ---------------------
Dictionary words (in English; it is          --                 600,000
  debatable, but let's generously say
  ~600,000 words)
Numbers only                                 10^8               100,000,000
Lowercase alpha set only                     26^8               208,827,064,576
Full alpha set                               52^8               53,459,728,531,456
Full alpha + number set                      62^8               218,340,105,584,896
Full set of allowed printable characters     (10+26+26+19)^8    645,753,531,245,761

 

 

-Kevin

 

Kevin L. McLaughlin

CISSP, PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

mclaugkl () ucmail uc edu

 

 

  

 


 

________________________________

From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU] 
Sent: Wednesday, November 01, 2006 3:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

 

Kellogg, Brian D. wrote: 

A couple questions:

1. Do most enforce password expirations?  I came from a large
corporation and they enforced a 90 day password expiration policy.  It
seemed to have the effect of making passwords less secure as most would
write them down in obvious places. 

Something that nobody so far has touched is exactly what function an
expiration policy fulfills.  Remembering nine passwords is not merely
'inconvenient', it's cognitively challenging for normal people (those
who have difficulty memorizing arbitrary information).  So, if a
password is sufficiently complex to discourage brute force attacks
(unless you're the NSA, of course..), what is accomplished by making
people change it?  If it is compromised, it doesn't matter that it'll be
changed in, say, four days or four months.  I know lots of places have
frequent change rules, but then lots of places require 1 qt. zip lock
bags (and will confiscate your liquids if you use a gallon bag).  We
have some choice here (unless the state requires it), so maybe we can be
a little rational in our security policies.

2. Do most enforce a strong password policy? 

As soon as we get the technology under control to do so we will.

3. Any other recommendations/insights along this line would be
helpful. 

Thanks,

Brian





-- 
Geoffrey S. Nathan <geoffnathan () wayne edu>

Faculty Liaison, Computing and Information Technology,
and Associate Professor of English, Linguistics Program
Phone Numbers (313) 577-1259 or (313) 577-8621
Wayne State University
Detroit, MI, 48202

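The arithmetic this thread turns on, as an added example (it is not code from any of the posters). It reproduces Kevin's keyspace table, converts each keyspace into time at an assumed offline guess rate, adds the online case Jim and Bob are debating (a lockout after N consecutive failures, with an assumed lockout duration), and computes the share of a keyspace an attacker can cover within an assumed 90-day rotation, which is the quantity Geoff's question about expiry comes down to. The guess rate, lockout duration and rotation period are assumptions, not figures from the thread. One caveat on the table itself: its last row is internally inconsistent, since 645,753,531,245,761 is 71^8 (nine symbols) while (10+26+26+19)^8 is 81^8, so the example computes both.

```python
"""Keyspace, cracking-time and lockout arithmetic for the password-policy thread."""

# Character-set sizes following the categories in Kevin's table.  The table's
# last row appears twice because its formula (10+26+26+19)^8 and its stated
# result disagree: 645,753,531,245,761 is 71^8, while (10+26+26+19)^8 is 81^8.
CHARSETS = {
    "dictionary words": None,        # a flat word list, not a power
    "numbers only": 10,
    "lowercase alpha": 26,
    "full alpha": 52,
    "full alpha + numbers": 62,
    "alnum + 9 symbols": 71,
    "alnum + 19 symbols": 81,
}
DICTIONARY_SIZE = 600_000            # the table's "generous" estimate
LENGTH = 8                           # the table assumes 8-character passwords

# Assumed attacker and policy parameters (not from the thread).
OFFLINE_RATE = 1_000_000             # guesses/second against a stolen hash
LOCKOUT_MINUTES = 30                 # how long an account stays locked
ROTATION_DAYS = 90                   # expiry period from Brian's question


def keyspace(name, length=LENGTH):
    """Number of candidates an attacker must consider for a given character set."""
    size = CHARSETS[name]
    return DICTIONARY_SIZE if size is None else size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst case for an offline attack: every candidate is tried."""
    return space / guesses_per_second


def online_guesses_per_day(threshold, lockout_minutes=LOCKOUT_MINUTES):
    """Guesses per day against ONE account when it locks for `lockout_minutes`
    after `threshold` consecutive failures: the attacker gets `threshold`
    guesses per lockout window and has to wait out the rest."""
    windows_per_day = 24 * 60 / lockout_minutes
    return threshold * windows_per_day


def days_to_exhaust_online(space, threshold, lockout_minutes=LOCKOUT_MINUTES):
    """Days needed to try every candidate against one account under lockout."""
    return space / online_guesses_per_day(threshold, lockout_minutes)


def fraction_searched(space, guesses_per_second, days):
    """Share of the keyspace covered before the password rotates; expiry only
    resets an attacker who could cover a meaningful share within one period."""
    return min(1.0, guesses_per_second * days * 86400 / space)


def fmt_duration(seconds):
    """Human-readable duration, largest unit first."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(thresholds=(3, 5, 25, 50)):
    """Build the comparison table (one line per character set) as a list of lines."""
    header = (f"{'character set':<22}{'keyspace':>22}{'offline @1M/s':>16}"
              f"{'searched in 90d':>17}")
    header += "".join(f"{'lock@' + str(t):>12}" for t in thresholds)
    lines = [header]
    for name in CHARSETS:
        space = keyspace(name)
        row = (f"{name:<22}{space:>22,}"
               f"{fmt_duration(seconds_to_exhaust(space, OFFLINE_RATE)):>16}"
               f"{fraction_searched(space, OFFLINE_RATE, ROTATION_DAYS):>16.1%}")
        for t in thresholds:
            row += f"{fmt_duration(days_to_exhaust_online(space, t) * 86400):>12}"
        lines.append(row)
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Reading the output column by column gives each poster's point its numbers: the offline column is Kevin's "given enough time" case, the "searched in 90d" column is what a rotation period actually buys against that attacker, and the lock@N columns show how far a 600,000-word dictionary or an 8-character lowercase keyspace is from being exhaustible online at 3, 5, 25 or 50 attempts per lockout window.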
