Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: "David L. Wasley" <dlwasley () EARTHLINK NET>
Date: Mon, 13 Apr 2009 18:15:51 -0700

I too tend to be suspicious of forced password changes.  Brute force
attacks can be mitigated in other ways.  Potential sharing of
passwords is also a weak argument since anyone who shares will share
again.  If they share they should know they will be held responsible
for any consequences, and be given an alternative if there is good
reason to share access.

Some years ago, in the organization in which I worked, one of the
offices required monthly changes of all desktop user passwords.  This
of course was frustrating for the 40+ people in that office so
someone there came up with a solution: the department's secretary
kept all the passwords on a piece of paper in her unlocked file
cabinet.  Each month she would change everyone's individual password
to contain a different "last 2 digits" - representing the month
number (01, 02, 03 ...).  A lot of work for her but easy for everyone
to remember.
Yes - Everyone!   (I suggested they at least lock the file cabinet ...)

        David



-----
At 2:13 PM -0700 on 4/13/09, Karl Heins wrote:

Several years ago our external auditors (PWC) made a recommendation
to change the password aging from 90 to 60 days at one campus and
also made a recommendation to change the password aging from 60 to
30 days at another campus.  The CIO asked me what would be the basis
for either the 30 or 60 days.  This started my interest in this
topic.  With over 20 years of IT audit experience, including 10
years at a large CPA firm (3 years in the national office), and
after spending some time on the topic, I was unable to identify a
good basis for either the 30, 60 or any number of days.  So, working
with the System wide UC CIO, we looked into our experiences with the
password aging. With hundreds of systems and many problems with our
combined experience, we were not able to find a single actual case
where just aging out a password would have made a difference.  I
also challenged our auditors PWC to show a basis for their
recommendations, no factual cases where there would have been a
change in results.  As a result I see little value in changing
passwords just because of the passage of time.

Aging passwords seems like a good idea, however there appears to be little
factual evidence supporting this effort. While my work was anecdotal
and lacks the rigor of good research, it would help if I could point
to a single factual case where not aging passwords would have
prevented a problem. To date, I have no such case.

Don't feel that I am soft on controls or passwords; I consider other
password controls critical to a good internal control system.  I can
point to plenty of cases where sharing passwords caused a problem,
problems that cost the organization real dollars of loss.

I also feel that strong passwords are important, I feel that
passwords should be hashed (not saved in the clear), and that
anytime a password is compromised it should be changed. Passwords can be a
good, effective, inexpensive control if handled properly.

I realize that the password changing process is a part of every
auditor, regulator and security person's standard checklist.  I am
not opposed to changing passwords periodically, I just see very
little value in changing because of the passage of time. And I continue
to look for that first case where aging would have made a difference.

Respectfully and with an open mind

Karl

------------------------
Karl Heins
Chief Information Security Officer
University of California, Santa Barbara
Karl.Heins () oist ucsb edu
(805) 893-8843
