Educause Security Discussion mailing list archives
Re: Password policy
From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Thu, 2 Nov 2006 12:51:30 -0500
Hi:

Considering that the hacker community now considers spending a year or more attacking a system they really want to crack as a reasonable thing to do, I would say that we should be worried about brute force attacks that occur over months' worth of time.

Btw- I know how passionate this subject is with all of us, and that was one of the reasons I was hesitant to bring it up once more! :-)

-Kevin

Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.

________________________________

From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU]
Sent: Wednesday, November 01, 2006 8:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Jim Dillon wrote:

> Bob,
>
> Personal opinion is that the number of attempts set to 3 or 5 is artificially low. If you already have strong password requirements, then set that "error out" condition to 25 or 50 and you will foil brute force attempts. The "strong" requirement foils guessing - the 3 to 5 try thing was a reaction to people using their kid's or dog's name as a password.
>
> The other option, using long passphrases like "imoff2seethewizard", is memorable and doesn't require strengthening factors to prevent brute force currently. I'm sure that someday there will be dictionary attacks against common and well known phrases such as this, but it seems like a better solution presently.
>
> I'm still in for strong passwords, fewer changes, and a physical 2nd factor such as a certificate on a USB key. USB keys can be had for under $10 these days, and if you require a certificate match along with a password, your worries about brute forcing, keyboard logging, and other similar things go away. Of course you have to assume USB is ubiquitous, and I'm not sure we're quite there yet - but we should be getting close. Plus you have to unify your authentication practice, and that's a bigger deal altogether, isn't it? Still, it solves a lot of problems where you can do it.
>
> Best regards,

I'll agree with Jim and others that we need two-factor authentication for the assets that we REALLY need to worry about (at least our financials, medical records, human subjects research data and so on). And we need to allow some reasonable number of retries, especially if you, or I, or the student in the lab has to type fifteen or twenty characters correctly each time we log in (or, for those who sit in front of a screen all day, each time we go 'down the hall' or out to lunch).

But seriously, who's going to try to break into Professor Snerdwell's e-mail account with a dictionary attack? And unless we're worried about month-long sustained attacks, frequent password changes are just annoying without buying additional security. Making people change their passwords every ninety days doesn't teach good computer hygiene; it annoys them and confirms their impression that the IT people have nothing better to do.

My 2c worth.

--
Geoffrey S. Nathan
Department of English/Computing and Information Technology
Wayne State University
Detroit, MI, 48202
<geoffnathan () wayne edu> <mailto:geoffnathan () wayne edu>
Phones: C&IT (313) 577-1259/English (313) 577-8621
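The thread argues about three policy knobs: the lockout threshold (3-5 vs. 25-50), the strength of the password or passphrase, and the attack horizon (one login session vs. months of patient guessing). The following is an added worked example, not code from the list or from any of the posters, that puts the three together. It implements a simple lockout guard (the "error out" counter) and then works out how many online guesses a lockout policy actually lets through per account over a chosen horizon, compared with the size of the space being guessed. The policy numbers, the 30-minute lockout duration, the one-million-phrase dictionary size and the one-year horizon are all constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int           # failed attempts tolerated before the account locks
    lockout_seconds: float   # how long the account stays locked once tripped


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Minimal per-account lockout counter (constructed example, not any vendor's logic)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, now: float, password_ok: bool) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"              # refuse without even checking the password
        if password_ok:
            st.failures = 0              # a good login resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.failures = 0
            st.locked_until = now + self.policy.lockout_seconds
            return "locked"              # this attempt tripped the lock
        return "denied"


def max_online_guesses(policy: LockoutPolicy, horizon_seconds: float) -> int:
    """Upper bound on wrong guesses one account absorbs within the horizon.

    Model: the account is unlocked at t = 0, L, 2L, ... (L = lockout length), and
    each unlock allows `threshold` guesses before it locks again.  Guesses are
    assumed instantaneous, which is the defender-pessimistic bound.
    """
    unlock_events = math.ceil(horizon_seconds / policy.lockout_seconds)
    return unlock_events * policy.threshold


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate secrets for an exhaustive search of the given shape."""
    return alphabet_size ** length


def fraction_searchable(policy: LockoutPolicy, horizon_seconds: float, space: int) -> float:
    """Share of a candidate space an online guesser can cover under this policy."""
    return min(1.0, max_online_guesses(policy, horizon_seconds) / space)


ONE_YEAR = 365 * 24 * 3600
THIRTY_MIN = 30 * 60

if __name__ == "__main__":
    strict = LockoutPolicy(threshold=5, lockout_seconds=THIRTY_MIN)   # the "3 to 5 try thing"
    relaxed = LockoutPolicy(threshold=50, lockout_seconds=THIRTY_MIN) # Jim's 25-50 suggestion
    random8 = keyspace(8, 62)           # 8 mixed-case alphanumerics
    phrase_dict = 1_000_000             # constructed: a list of common phrases
    for name, pol in (("strict", strict), ("relaxed", relaxed)):
        g = max_online_guesses(pol, ONE_YEAR)
        print(f"{name}: {g:,} guesses/account/year; "
              f"covers {fraction_searchable(pol, ONE_YEAR, random8):.2e} of 8-char random, "
              f"{fraction_searchable(pol, ONE_YEAR, phrase_dict):.1%} of a 1M-phrase list")
```

Run as a script, the output shows the point Jim and Kevin are each making: against a random 8-character secret, raising the threshold from 5 to 50 changes nothing meaningful (the searchable fraction stays negligible), but against a modest phrase list a year of patient guessing at 50 tries per half hour covers most of the list. The threshold is only "safe" relative to the space being guessed and the horizon you are willing to defend against, which is why the thread's answers keep converging on a second factor for the assets that matter.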
Current thread:
- Re: Password policy, (continued)
- Re: Password policy Bob Kehr (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
- Re: Password policy Jim Dillon (Nov 01)
- Re: Password policy Geoff Nathan (Nov 01)
- Re: Password policy Jeff Kell (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
- Re: Password policy Mike Wiseman (Nov 02)
- Re: Password policy Gary Flynn (Nov 02)
- Re: Password policy Penn, Blake (Nov 02)
- Re: Password policy Mike Wiseman (Nov 02)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 02)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 02)