Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Mon, 13 Apr 2009 19:19:24 -0500
Kevin,

Thanks for forwarding this story and the SANS "20" link, very helpful.

Bryan Lucas
Executive Director
Technology Resources
(817) 257-7682

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl)
Sent: Monday, April 13, 2009 6:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

Facts are usually a good thing:

=================================================
TOP OF THE NEWS

--US Power Grid Infiltrated (April 8 & 9, 2009)
US national security officials said that the computer networks of the country's electrical grid and other utilities have been infiltrated and seeded with tools that could potentially be used to disrupt communications, electricity, and other elements of the country's critical infrastructure. As yet, there have been no attempts made to use the software to cause damage. Most of the intrusions were not detected by the companies responsible for the systems, but by US intelligence. In light of this report, cyber security experts have begun urging the Federal Energy Regulatory Commission (FERC), the Nuclear Regulatory Commission (NRC) and the Energy Department to push for legislation that would grant them more oversight and authority to manage grid (cyber) security. Earlier this week, before reports of the intrusions, the North American Electric Reliability Corporation (NERC) recommended that energy companies look closely at how they identify critical assets and critical cyber assets.
==========================================================

From SANS - maybe you heard of them.
-Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Perloff, Jim [perloffj () UCHASTINGS EDU]
Sent: Monday, April 13, 2009 6:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

Wow! Most of America's electrical utilities have been hacked! Assistant VP McLaughlin should report that fact to Homeland Security and Congress because last week it was only reported that some systems had problems. No doubt Homeland Security will be unhappy to learn it underestimated the severity of the problem - it wasn't a few systems but "most of their [electric companies'] systems". I'm sure however they'll also be happy to learn the attack vector was brute force password attacks. This will save them some time in forensics.

Jim Perloff
Network Administrator
UC Hastings College of the Law
200 McAllister Street
San Francisco, CA 94102
415.565.4712
http://uchastings.edu/infotech/index.html

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl)
Sent: Monday, April 13, 2009 3:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

The reason is to minimize the effectiveness of Brute Force Attacks. Maybe if our electric companies had seen the value they wouldn't have had foreign agents install root-kits across most of their systems.

Respectfully,
-Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karl Heins [Karl.Heins () OIST UCSB EDU]
Sent: Monday, April 13, 2009 5:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

Several years ago our external auditors (PWC) made a recommendation to change the password aging from 90 to 60 days at one campus and also made a recommendation to change the password aging from 60 to 30 days at another campus. The CIO asked me what would be the basis for either the 30 or 60 days. This started my interest in this topic. With over 20 years of IT audit experience, including 10 years at a large CPA firm (3 years in the national office), and after spending some time on the topic, I was unable to identify a good basis for either the 30, 60 or any number of days. So, working with the System wide UC CIO, we looked into our experiences with the password aging. With hundreds of systems and many problems with our combined experience, we were not able to find a single actual case where just aging out a password would have made a difference. I also challenged our auditors, PWC, to show a basis for their recommendations: no factual cases where there would have been a change in results. As a result I see little value in changing passwords just because of the passage of time. Aging passwords seems like a good idea; however, there appears to be little factual evidence supporting this effort. While my work was anecdotal and lacks the rigor of good research, it would help if I could point to a single factual case where not aging passwords would have prevented a problem. To date, I have no such case.

Don't feel that I am soft on controls or passwords; I consider other password controls critical to a good internal control system. I can point to plenty of cases where sharing passwords caused a problem, problems that cost the organization real dollars of loss. I also feel that strong passwords are important, that passwords should be hashed (not saved in the clear), and that any time a password is compromised it should be changed. Passwords can be a good, effective, inexpensive control if handled properly. I realize that the password changing process is a part of every auditor, regulator and security person's standard checklist. I am not opposed to changing passwords periodically, I just see very little value in changing because of the passage of time. And I continue to look for that first case where aging would have made a difference.

Respectfully and with an open mind

Karl
------------------------
Karl Heins
Chief Information Security Officer
University of California, Santa Barbara
Karl.Heins () oist ucsb edu
(805) 893-8843
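The thread argues over whether password aging does anything against brute-force guessing. The following is an added worked example, not code or data from any post in this thread: a small model of a guessing attack against a uniformly chosen password, used to see how much the 30/60/90-day window discussed above changes the attacker's odds. All rates, alphabet sizes and lengths are constructed assumptions for illustration; the model also assumes the attacker starts guessing the moment the password is set and never repeats a guess, which is the attacker's best case.

```python
"""Added example (not from the mailing list): how the password rotation
window interacts with a guessing attack. Every number here is a constructed
assumption, not a measurement."""

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a fixed length over an alphabet, assuming
    the password is chosen uniformly (the defender's best case)."""
    return alphabet_size ** length


def crack_probability(guess_rate: float, window_days: float, space: int) -> float:
    """Probability that an attacker sustaining guess_rate guesses/second, starting
    when the password is set and never repeating a guess, finds it before it
    expires after window_days."""
    guesses = guess_rate * window_days * SECONDS_PER_DAY
    return min(1.0, guesses / space)


def days_to_exhaust(guess_rate: float, space: int) -> float:
    """Days needed to try every password in the space at guess_rate guesses/second.
    A rotation window only changes the outcome when it is shorter than this."""
    return space / (guess_rate * SECONDS_PER_DAY)


def compare_windows(guess_rate: float, space: int, windows=(30, 60, 90)) -> dict:
    """Crack probability for each candidate rotation window (days)."""
    return {w: crack_probability(guess_rate, w, space) for w in windows}


if __name__ == "__main__":
    space = keyspace(95, 8)  # assumed: 8 printable-ASCII characters, uniform
    # Constructed rates: an online login throttled by lockout/rate limiting,
    # versus an offline attack on a stolen database of fast, unsalted hashes.
    for label, rate in (("online, throttled", 10.0), ("offline, fast hash", 1e9)):
        print(
            f"{label}: exhaust keyspace in {days_to_exhaust(rate, space):.3g} days;",
            {w: f"{p:.2e}" for w, p in compare_windows(rate, space).items()},
        )
```

Under these assumptions the throttled online attacker cannot cover a meaningful fraction of the space in 30 or 90 days, so shortening the window barely moves the probability; the rotation window only matters in the offline case, where the hash is weak enough that the whole space can be searched in under the window. That is the regime in which the controls Karl lists (hashing properly, changing a password once it is known to be compromised) do the work.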
Current thread:
- Re: Password Complexity and Aging, (continued)
- Re: Password Complexity and Aging Doty, Timothy T. (Apr 13)
- Re: Password Complexity and Aging Karl Heins (Apr 13)
- Re: Password Complexity and Aging Basgen, Brian (Apr 13)
- Re: Password Complexity and Aging Gary Dobbins (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Perloff, Jim (Apr 13)
- Re: Password Complexity and Aging Basgen, Brian (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Lucas, Bryan (Apr 13)
- Re: Password Complexity and Aging David L. Wasley (Apr 13)
- Re: Password Complexity and Aging David L. Wasley (Apr 13)
- Re: Password Complexity and Aging Mclaughlin, Kevin (mclaugkl) (Apr 13)
- Re: Password Complexity and Aging Russell Fulton (Apr 13)
- Re: Password Complexity and Aging Morrow Long (Apr 13)
- Re: Password Complexity and Aging Basgen, Brian (Apr 13)
- Re: Password Complexity and Aging Mike Waller (Apr 13)
- Re: Password Complexity and Aging Chad McDonald (Apr 14)
- Re: Password Complexity and Aging Doug Markiewicz (Apr 14)
- Re: Password Complexity and Aging Dexter Caldwell (Apr 14)
(Thread continues...)