Re: Password Complexity and Aging

["Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>]

Hi Brian:

I love two factor authentication - just keep in mind it is only two factor if it also includes a password + token or  a 
bio+token or a password + bio  ; etc.   if it's just a token it's still single factor or weak authentication.


Take a look at your firewall logs and see how many brute force hacking attempts you are being hit with on a  daily 
basis - ours are in the 100,000s   -  we have no idea how many are occuring internally across non-monitored systems :

Until something better comes along a strong password is our first line of defense - yes, I've read some of the articles 
you cite below - I just vehemently disagree with them.

-Kevin

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian 
[bbasgen () PIMA EDU]
Sent: Monday, April 13, 2009 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

Karl,

 Your findings I think reflect a growing consensus in the community about password expirations. Over the past few 
years, there have been some good published critiques to these traditional notions that others on the list have 
referenced.

 Expiring passwords seems to be a decent method to mitigate password sharing. Some users share their password, and over 
time the number of people who know their password may increase (directly or indirectly). In this scenario, some 
expiration mechanism can be useful.

 At our institution, I'm working to lay a ground work for a two-factor authentication system. Passwords have countless 
issues that two-factor systems mitigate quite satisfactorily. Sharing an account is quite challenging if you only have 
one smart card. :)

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karl 
Heins
Sent: Monday, April 13, 2009 2:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

Several years ago our external auditors (PWC) made a recommendation to
change the password aging from 90 to 60 days at one campus and also made a
recommendation to change the password aging from 60 to 30 days at another
campus.  The CIO asked me what would be the basis for either the 30 or 60
days.  This started my interest in this topic.  With over 20 years of IT
audit experience, including 10 years at a large CPA firm (3 years in the
national office), and after spending some time on the topic, I was unable
to identify a good basis for either the 30, 60 or any number of days.  So,
working with the System wide UC CIO, we looked into our experiences with
the password aging. With hundreds of systems and many problems with our
combined experience, we were not able to find a single actual case where
just aging out a password would have made a difference.  I also challenged
our auditors PWC to show a basis for their recommendations, no factual
cases where there would have been a change in results.  As a result I see
little value in changing passwords just because of the passage of time.

Aging passwords seems like good idea, however there appears little factual
evidence supporting this effort. While my work was antidotal and lacks the
rigor of good research, it would help if I could point to a single factual
case where not aging passwords would have prevented a problem. To date, I
have no such case.

Don't feel that I am soft on controls or passwords, I consider other
password controls critical to a good internal control system.  I can point
to plenty of cases where sharing passwords caused a problem.  Problems that
cost the organization real dollars of loss.

I also feel that strong passwords are important, I feel that passwords
should be hashed (not saved in the clear), and that anytime a password
compromised it should be changed. Password be a good, effective,
inexpensive control if handled properly.

I realize that the password changing process is a part of every auditor,
regulator and security person's standard checklist.  I am not oppose to
changing passwords periodically, I just see very little value in changing
because the passage of time. An I continue to look for that first case
where aging would have made a difference.

Respectfully and with an open mind

Karl

------------------------
Karl Heins
Chief Information Security Officer
University of California, Santa Barbara
Karl.Heins () oist ucsb edu
(805) 893-8843