Educause Security Discussion mailing list archives

Re: Password policy


From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Thu, 2 Nov 2006 12:51:30 -0500

Hi:

 

Considering that the hacker community now considers spending a year or
more attacking a system they really want to crack as a reasonable thing
to do, I would say that we should be worried about brute force attacks
that occur over months' worth of time.

 

Btw- I know how passionate this subject is with all of us and that was
one of the reasons I was hesitant to bring it up once more! :-)

 

-Kevin
Kevin L. McLaughlin

CISSP, PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

mclaugkl () ucmail uc edu
CONFIDENTIALITY NOTICE: This e-mail message and its content is
confidential, intended solely for the addressee, and may be legally
privileged. Access to this message and its content by any individual or
entity other than those identified in this message is unauthorized. If
you are not the intended recipient, any disclosure, copying or
distribution of this e-mail may be unlawful. Any action taken or omitted
due to the content of this message is prohibited and may be unlawful.

 

________________________________

From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU] 
Sent: Wednesday, November 01, 2006 8:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

 

Jim Dillon wrote: 

Bob,

 

Personal opinion is that the number of attempts set to 3 or 5 is
artificially low.  If you already have strong password requirements,
then set that "error out" condition to 25 or 50 and you will foil brute
force attempts.  The "strong" requirement foils guessing - the 3 to 5
try thing was a reaction to people using their kid's or dog's name as a
password.  The other option, using long passphrases like
"imoff2seethewizard" is memorable and doesn't require strengthening
factors to prevent brute force currently.  I'm sure that someday there
will be dictionary attacks against common and well known phrases such as
this, but it seems like a better solution presently.

 

I'm still in for strong passwords, less changes, and a physical 2nd
factor such as a certificate on a USB key.  USB keys can be had for
under $10 these days and if you require a certificate match along with a
password, your worries about brute forcing, keyboard logging, and other
similar things go away.  Of course you have to assume USB is ubiquitous
and I'm not sure we're quite there yet - but we should be getting close.
Plus you have to unify your authentication practice, and that's a bigger
deal altogether isn't it?  Still, it solves a lot of problems where you
can do it.

 

Best regards,

 

I'll agree with Jim and others that we need two-factor authentication
for the assets that we REALLY need to worry about (at least our
financials, medical records, human subjects research data and so on).
And we need to allow some reasonable number of retries, especially if
you, or I or the student in the lab has to type fifteen or twenty
characters correctly each time we log in (or, for those who sit in front
of a screen all day, each time we go 'down the hall' or out to lunch).
But seriously, who's going to try to break into Professor Snerdwell's
e-mail account with a dictionary attack?  And unless we're worried about
month-long sustained attacks, frequent password changes are just
annoying without buying additional security.  Making people change their
passwords every ninety days doesn't teach good computer hygiene, it
annoys them and confirms their impression that the IT people have
nothing better to do.  
My 2c worth.




-- 
Geoffrey S. Nathan
Department of English/Computing and Information Technology
Wayne State University
Detroit, MI, 48202
<geoffnathan () wayne edu>
Phones:  C&IT (313) 577-1259/English (313) 577-8621

