Re: Please do not change your password

[Mike Porter <mike () UDEL EDU>]

On Wed, 14 Apr 2010, Paul Kendall wrote:

> Password changes also stop a practice that was not mentioned here
> - corporate espionage. If I have an executive or middle management
> userid and password, I can snoop on the system, steal email and
> other files, and in general make life interesting. In addition, I
> can go undetected (if I am careful) for as long as the password is
> valid. Frequent password changes help stop this practice, which is a
> lot more common than you might think.

Changing the password accomplishes little unless the method used
for obtaining the password is also fixed.  If the user responded
to a phish, will they fall for it again?  If they have a keylogger
installed, won't it just log the new password?

Last login and location of login is a valuble tool for combating the
above scenario.  Login auditing and location checking can also raise
security alerts.  In short, there are better ways to deal with this
than forcing the user to change their password from Afk04kbg to
Afk05kbg once every month.

...

Mike

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware

> Paul
> ========================================
> Paul L. Kendall, PhD, CGEIT, CHS-III, CISM, CISSP, CSSLP
> Accudata Systems, Inc.
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
> Ladwig
> Sent: Wednesday, April 14, 2010 8:27 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Please do not change your password
>
> Unlikely that it'll change the audit book.
>
> Nor should it, necessarily.  The study is really predicated on consumer accounts, and doesn't address duty of care issues for 
> data custodians, among other things.  I've rarely seen that mentioned over the last five months' discussion, since the paper 
> was published.
>
> One particularly acute point on this topic is the paper's assertion that financial fraud loses the use nothing.  While true 
> for some financial accounts situations for personal accounts, that is demonstrably not true for US commercial online bank 
> accounts (see Krebsonsecurity.com for many examples), and as I recall isn't true for all personal banking accounts in other 
> countries.
>
> All that said, it's a goodish paper, and we've all known that passwords are horrid for well over a decade, but 
> substantial progress on password replacement is pretty poor, overall.
>
>    -jml
>
>
> -----Original Message-----
> From: Justin Sherenco
> Sent: 2010-04-14 08:04:59
> To: Justin Sherenco;The EDUCAUSE Security Constituent Group Listserv
> Cc:
> Subject: [SECURITY] Please do not change your password
>
>
> Hello,
>
> I came across an interesting article on password changes.  Author Cormac
> Herley of Microsoft makes a good case albeit just a cost-benefit analysis.
> I had to go back and think of why these types of policies were created in
> the first place.  I came to my own conclusion that they were created
> before the days of complex password (passphrase) enforcement and the
> ability to automatically lock out accounts after X amount of failed log-in
> attempts.
>
>
>
> Do you think he can convince the auditors?
>
>
>
>
>
>
> <http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not
> _change_your_password/?page=full>
> http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_
> change_your_password/?page=full
>
>
>
> Regards,
>
> Justin
>
>
>
>
>
> -------------------------------------
>
> Justin Sherenco
>
> Security Analyst
>
> 734-487-8574
>
> Easten Michigan University
>
> http://it.emich.edu/security

-
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2