Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Stephen John Smoogen <smooge () GMAIL COM>
Date: Sat, 11 Apr 2009 13:17:57 -0600

On Sat, Apr 11, 2009 at 10:08 AM, Geoff Nathan <geoffnathan () wayne edu> wrote:
> I'll second Roger and Valdis' comments about the religious nature of this
> debate.  I tried to educate our auditors and failed, and indeed they had
> expiry of ancient account passwords in mind as a driving force.  So far
> there haven't been many loud squawks, but we're only into our second 180
> days.  What has been troublesome is the fact that we're going to have to
> limit the use of non-alphanumeric characters because of issues with Oracle,
> so we're actually dumbing down our requirements.

Yes.. I think the biggest reason that we are still changing passwords to fight last
century's fights is the various business/educational applications that
one can't fix or change because of business requirements. Having to
deal with applications that only allow a password to have a 'search
space' of 64 characters and are limited to a length of 8 not only makes
guessing easier. Combine that with people using the same password
everywhere and you end up with a fight that most sane people would
think was 'won' ten years ago.

Of course, dealing with staff/academics who quote Spafford's papers as
gospel, you end up with the opposite cargo cult. Having his papers
quoted and brought up as reasons why a professor or staff member can't
have freebird as their password is maddening.

> We've also had a fight about whether the actual complexity restrictions
> should be on a public page or not (some folks seem to believe it's a
> security risk).  As long as we're going with 'industry standard' (minimum

Heh... know that one.. dealt with it since time immemorial, or so I
think. The truth is it is a security risk. So is allowing people to
log in and turning on the computer. The bigger threat is the fact that
you probably tell people that you have some Oracle application. An
informed attacker is going to know that will limit the space already.
He will also know that a large percentage of people are going to
choose a password like
[A-Z][a-z][a-z][0-9[:punct:]][a-z][a-z][a-z][0-9[:punct:]]. His attack
will then be focused on seeing where he can combine those two at
various gateways around campus and then just slow scan until he gets
lucky.

But as Valdis pointed out he probably just set up some facebook pages,
a couple of phishing emails etc and gotten in by the time his scanner
has gotten in. And most of the time what the attacker will be looking
for is bank account numbers, research and thesis papers he can sell
elsewhere and open proxies for people who want to get into some
'online only library'.

Anyway, I think the education of the auditor/paranoid is that as long
as some department says on a web page 'We are using Xanner Student
Records or XYZ Oracle Apps', a potential attacker will know more about
your password strength than from a page that says that . and / are the only
usable special characters.

> eight, at least one cap, at least one non-letter, not the same as the last
> one, 180 days) we're not giving out 'the keys to the kingdom', I think we're
> not usefully hiding anything, but it looks like I'm losing that fight too.
>
> Geoffrey S. Nathan
> Faculty Liaison, C&IT,
> Policy Coordinator
> and Associate Professor, Linguistics Program
> +1 (313) 577-1259 (C&IT)
> +1 (313) 577-8621 (English/Linguistics)

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
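As an added illustration of the point made in this post (not code from the list or its authors): the script below quantifies how much the search space of an 8-character password shrinks once an attacker knows both the application's character-set limit and the common habit of putting the capital first and the digit/punctuation at fixed positions. It assumes, as constructed inputs, that the Oracle-limited application accepts letters, digits and only "." and "/" (62 + 2 = 64 characters) and a fixed length of 8.

```python
import math
import string

# Constructed assumptions for this example (not from the list post):
# the application allows letters, digits and two specials, 8 characters.
UPPER = string.ascii_uppercase      # 26
LOWER = string.ascii_lowercase      # 26
DIGITS = string.digits              # 10
ORACLE_PUNCT = "./"                 # the two specials the post mentions
ALL_PUNCT = string.punctuation      # 32, for an application with no limit


def uniform_bits(charset_size, length):
    """Bits of search space if every position is drawn uniformly from the charset."""
    return length * math.log2(charset_size)


def pattern_sizes(punct):
    """Choices per position for the habit [A-Z][a-z][a-z][0-9punct][a-z][a-z][a-z][0-9punct]."""
    tail = len(DIGITS) + len(punct)
    lower = len(LOWER)
    return [len(UPPER), lower, lower, tail, lower, lower, lower, tail]


def pattern_count(sizes):
    """Exact number of passwords that match a positional pattern."""
    return math.prod(sizes)


def pattern_bits(sizes):
    """Same pattern expressed in bits, comparable with uniform_bits()."""
    return math.log2(pattern_count(sizes))


def compare(punct, length=8):
    """Uniform space over the allowed charset vs. the habit pattern, and the bits lost."""
    charset = len(UPPER) + len(LOWER) + len(DIGITS) + len(punct)
    full = uniform_bits(charset, length)
    habit = pattern_bits(pattern_sizes(punct))
    return {"charset": charset, "uniform_bits": full,
            "habit_bits": habit, "bits_lost": full - habit}


if __name__ == "__main__":
    for label, p in (("Oracle-limited", ORACLE_PUNCT), ("full punctuation", ALL_PUNCT)):
        r = compare(p)
        print(f"{label}: {r['charset']} chars, uniform {r['uniform_bits']:.1f} bits, "
              f"habit pattern {r['habit_bits']:.1f} bits, lost {r['bits_lost']:.1f} bits")
```

With the 64-character limit the uniform space is exactly 48 bits, while the habit pattern leaves about 35 bits, so the policy leak plus the habit costs roughly 12 to 13 bits whether or not the application restricts punctuation.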
