Re: Current Best Practice regarding Password Change policy

["Doty, Timothy T." <tdoty () MST EDU>]

Something I've always been curious about was the point of not allowing last
X passwords to be re-used. Won't the user simply cycle through passwords
(say, BadPassword1, BadPassword2, etc. or use a random password generator)
until the one they want is out of the history? I've personally known people
who have done this -- why wouldn't anyone who actually wanted to re-use a
password?

Tim Doty

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John C. Gale
> Sent: Friday, September 24, 2010 8:36 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Current Best Practice regarding Password Change
> policy
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> HIPAA and PCI both require a password change every 90 days.  So, you
> might not have a choice on the interval.
>
> Effective passwords rely almost entirely on full user participation.
>
> Don't:
> ...write it down
> ...log in to resources on untrusted machines
> ...use the same password everywhere (email, social networking, im,
> etc).
> ...just increment the password when it "changes" (monkey1...2...3)
>
> Five years from now when my password is "monkey21" is it any better or
> any worse than it is today at "monkey1"?  One could argue it is about
> the same, but the predictability makes it absurdly weak if any actual
> intelligence is applied to guessing (or if samples of previous
> passwords
> exist).
>
> So, the issue of actual security might be largely moot since users
> can/will create bad "unique" passwords.
>
> This is not to suggest an argumentum ad numerum.  I think it still a
> defensible practice to ban previous passwords and one you should
> pursue.
>  Not doing so pretty much defeats the purpose of changing your password
> every 90 days and I would not want to be the one in front of the judge
> when that compliance case was being heard.
>
> I never reuse my passwords, so I haven't bumped into it locally.
> However, on our campus it is either "never" or a password history not
> allowing repeats of the last 12 (or something reasonably high because
> most people can't remember the password they want to go back to
> whenever
> they finally have the option here).
>
> Ensuring effective access controls, of course, may most effectively
> rely
> on measures outside of passwords, but that is another story.
>
> Cheers
>
> John
>
> > We currently require all, Students, Faculty and Staff, to change
> > passwords every 90 days and we are enforcing unique passwords (no
> > repeats). This is a relatively new requirement here and we are
> > getting a lot of push back on the change.  I'd like to get a feel for
> > what people accept as current best practice for password change
> > intervals and other related policies, and also, if it is different
> > than the best practice what people are actually doing (if you wish to
> > share that :-)
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkycqS4ACgkQu0CHnE2bx87IXwCfVRxYZDTxTpmEdzc3IHPdjm+z
> QQ4AoMT+3rz7SdMm5wYXHoK/W6GVMLkw
> =LmcB
> -----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: