Educause Security Discussion mailing list archives

Re: For IP; Re: good read: Please do not change your password


From: Stephen John Smoogen <smooge () GMAIL COM>
Date: Fri, 16 Apr 2010 14:11:45 -0600

On Fri, Apr 16, 2010 at 9:55 AM, Gene Spafford <spaf () cerias purdue edu> wrote:
I posted this back in 2006.   It is germane to this discussion:
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

I will say that when I first read this in 2006 I was against it. Well,
I was bombarded with 20 forwards of it when it came out, as we were
doing our 90-day change of passwords; by the next one I think it went
to 200. Pretty much any time this comes up at an organization, from
passwords having been stolen to just a policy, this post is sent about
why passwords should never be changed (and yes, I know that is not
the intent, but it has been worded that way by a person who did not
want to change their password after their account had been hacked
because the password was known).

Over the years of not having to deal with security directly... I have
softened a bit... and thinking about it this moment... I wondered why.

1) It's not the message that Dr. Spafford wrote, but how the letters
forwarded it. Usually with a snide comment about how it is clear
IT/IS were idiots and Gene Spafford agreed with them. Of course, I
think that sets a bad precedent and makes the IT person getting it
much less likely to agree with Dr. Spafford's advice.

2) Having dealt with multiple break-ins... they are usually due to bad
passwords. Having audited multiple sites, I have found that 20% of all
passwords are never changed from the system default, and another 40%
seem to be variations of a theme (either on the top 10 bad passwords,
or once you figure out that the school's mascot is a tank, then
ESUtank#1 in various forms is going to get you a lot [or the company
logo, phrase, etc.]). Figure out a password and by the end of the week
you probably have 30 or 40 others.

3) People have too many passwords, and will reuse the same one over
and over again. I am no different... there are ones I use because I
can't think of anything else, and while I think I am being smart about
it... I am not. Add this to other factors of how many passwords a
person might have, and you have a large target window.

4) Computer security people are usually in a very, very passive-
aggressive place. You know there are problems, but getting change done
only happens after an incident occurs, and at that point you're running
on NoDoze+Dew for 6-7 days straight. And you know from past experience
that if you don't get the changes to occur right then, it's not going to
happen until the next incident. However, you also know that you have
only 0 budget to do whatever it is, and the higher-ups will only sign
off on stuff that is clearly well documented that other places are
doing.

So you end up with 90-day policies that make no sense, but they are the
only rock you have at the time... and you fought so hard just to get
those that you won't see they don't make sense until way later.

So anyway, after 4 years... I agree that forcing changes of passwords
is not a good security control and can lead to false senses of
security... but on the other hand, I do not see us having any better
tools that will be deployed by most organizations. Me, I recommend that
if you are a security person stuck in a passive-aggressive place... go
find a better job elsewhere.



-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
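Point 2 above describes the two audit findings that drive most of the break-ins in this thread: passwords left at the system default, and passwords that are thin variations on an organization-specific word (the mascot, the school name) with a digit or symbol bolted on. The control that addresses those findings at password-set time, rather than by forcing a 90-day rotation, is a blocklist check that normalizes a proposed password before comparing it. The following is an added example, not code from the original post or from any list member; the organization terms and default-password list are constructed placeholders, and a real deployment would load its own terms and a maintained default-password list.

```python
import re

# Constructed example lists for illustration only. A real deployment would
# load the organization's own terms (mascot, school name, slogans) and a
# maintained list of vendor/system default passwords.
ORG_TERMS = ["esu", "tank", "tanks"]
DEFAULT_PASSWORDS = {"password", "changeme", "admin", "welcome", "12345678"}

# Common letter-for-symbol substitutions, undone before comparison.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed local policy minimum


def letters_only(s):
    """Keep only a-z so digits and punctuation cannot mask a blocked word."""
    return re.sub(r"[^a-z]", "", s)


def candidate_stems(password):
    """Reduce a password to a few alphabetic 'stems' so that 'ESUtank#1',
    'T4nk$Esu2010' and 'esutank' all expose the same underlying words.
    Returns an ordered, de-duplicated list of stems."""
    low = password.lower()
    stems = [
        letters_only(low),                                   # digits/symbols dropped
        letters_only(low.translate(LEET_MAP)),               # substitutions undone
        # trailing year/counter dropped first, then substitutions undone
        letters_only(re.sub(r"\d+$", "", low).translate(LEET_MAP)),
    ]
    seen, out = set(), []
    for s in stems:
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def org_term_hits(stem, org_terms):
    """Return the org terms found in the stem when removing them leaves
    almost nothing behind, i.e. the password is built from those terms."""
    hits = [t for t in org_terms if t in stem]
    residue = stem
    for t in sorted(hits, key=len, reverse=True):
        residue = residue.replace(t, "")
    return hits if hits and len(residue) <= 2 else []


def check_password(password, org_terms=ORG_TERMS, defaults=DEFAULT_PASSWORDS):
    """Return the list of reasons a proposed password is rejected.
    An empty list means it passed every check implemented here."""
    reasons = []
    stems = candidate_stems(password)
    default_stems = {letters_only(d) for d in defaults}
    if password.lower() in defaults or any(s and s in default_stems for s in stems):
        reasons.append("matches a system/vendor default password")
    for s in stems:
        hits = org_term_hits(s, org_terms)
        if hits:
            reasons.append("variation of organization-specific term(s): "
                           + ", ".join(hits))
            break
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    return reasons


if __name__ == "__main__":
    for pw in ["ESUtank#1", "T4nk$Esu2010", "Password1!",
               "correct horse battery staple"]:
        print(pw, "->", check_password(pw) or "accepted")
```

The check runs where the password is set (a PAM module, an LDAP password policy hook, or a web form's server side), so the user is told why the choice is rejected instead of being rotated onto the same theme every 90 days. Normalizing into several stems is deliberate: a single de-leet pass turns a trailing year like 2010 into letters and can hide the mascot, so the stem with trailing digits stripped first catches that case.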
