Educause Security Discussion mailing list archives
Re: Current Best Practice regarding Password Change policy
From: randy marchany <marchany () VT EDU>
Date: Fri, 24 Sep 2010 10:20:58 -0400
The control to stop this is the "Password Minimum Lifetime" feature. However, you bring up an interesting point:

1. IF (big CAP IF) you run proactive password guessing/cracking tools on your password databases, then is this a sufficient compensating control?

2. The "disclosure" risk is the only one this control doesn't address. However, disclosure affects any control so I don't see this as a deal stopper.

3. I tend to agree with Spaf's essay.

-Randy Marchany
VA Tech IT Security Office

On Fri, Sep 24, 2010 at 10:09 AM, Doty, Timothy T. <tdoty () mst edu> wrote:
Something I've always been curious about was the point of not allowing the last X passwords to be re-used. Won't the user simply cycle through passwords (say, BadPassword1, BadPassword2, etc., or use a random password generator) until the one they want is out of the history? I've personally known people who have done this -- why wouldn't anyone who actually wanted to re-use a password?

Tim Doty

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John C. Gale
Sent: Friday, September 24, 2010 8:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change policy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HIPAA and PCI both require a password change every 90 days. So, you might not have a choice on the interval.

Effective passwords rely almost entirely on full user participation. Don't:
...write it down
...log in to resources on untrusted machines
...use the same password everywhere (email, social networking, im, etc.)
...just increment the password when it "changes" (monkey1...2...3)

Five years from now, when my password is "monkey21", is it any better or any worse than it is today at "monkey1"? One could argue it is about the same, but the predictability makes it absurdly weak if any actual intelligence is applied to guessing (or if samples of previous passwords exist). So, the issue of actual security might be largely moot since users can/will create bad "unique" passwords.

This is not to suggest an argumentum ad numerum. I think it is still a defensible practice to ban previous passwords and one you should pursue. Not doing so pretty much defeats the purpose of changing your password every 90 days, and I would not want to be the one in front of the judge when that compliance case was being heard.

I never reuse my passwords, so I haven't bumped into it locally.
However, on our campus it is either "never" or a password history not allowing repeats of the last 12 (or something reasonably high, because most people can't remember the password they want to go back to whenever they finally have the option here). Ensuring effective access controls, of course, may most effectively rely on measures outside of passwords, but that is another story.

Cheers
John

We currently require all, Students, Faculty and Staff, to change passwords every 90 days and we are enforcing unique passwords (no repeats). This is a relatively new requirement here and we are getting a lot of push back on the change. I'd like to get a feel for what people accept as current best practice for password change intervals and other related policies, and also, if it is different than the best practice, what people are actually doing (if you wish to share that :-)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkycqS4ACgkQu0CHnE2bx87IXwCfVRxYZDTxTpmEdzc3IHPdjm+z
QQ4AoMT+3rz7SdMm5wYXHoK/W6GVMLkw
=LmcB
-----END PGP SIGNATURE-----
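The three controls argued over in this thread (the "Password Minimum Lifetime" Randy names, the password history Tim Doty describes cycling through, and the monkey1 -> monkey2 increment John Gale warns about) can be seen interacting in a small policy checker. The following Python is an added example, not code from the EDUCAUSE thread or from any directory product: the account store is a constructed in-memory simulation, the policy values (12 remembered hashes, a 1-day minimum lifetime, a 90-day maximum) are assumed defaults, and the PBKDF2 iteration count is deliberately low so the simulation runs in a second or two.

```python
"""Checker for the password-change controls discussed in the thread: history,
"Password Minimum Lifetime", and the monkey1 -> monkey2 increment pattern.
Added example, not code from the EDUCAUSE thread or from any product; the
account store is a constructed in-memory simulation and the policy defaults
are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ITERATIONS = 10_000                    # low so the simulation is quick; raise for real use
START = datetime(2010, 9, 24, 10, 9)   # constructed clock start for the simulations
NO_MINIMUM = timedelta(0)
ONE_DAY = timedelta(days=1)


@dataclass
class PasswordPolicy:
    history_depth: int = 12                       # hashes remembered, current one included
    min_lifetime: timedelta = ONE_DAY             # the "Password Minimum Lifetime" control
    max_lifetime: timedelta = timedelta(days=90)  # the 90-day interval from the thread


@dataclass
class Account:
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), oldest first
    last_change: datetime | None = None


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_digest(password, salt), digest)


_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")


def stem(password: str) -> str:
    """Lower-case and strip trailing digits/symbols: monkey1, Monkey2, monkey21! -> 'monkey'."""
    return _TRAILING.sub("", password.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with only its trailing counter changed.
    All-digit passwords have an empty stem and are left to length/dictionary rules."""
    s = stem(old)
    return s != "" and s == stem(new)


def set_initial_password(account: Account, password: str, now: datetime) -> None:
    salt = os.urandom(16)
    account.history.append((salt, _digest(password, salt)))
    account.last_change = now


def is_expired(policy: PasswordPolicy, account: Account, now: datetime) -> bool:
    return account.last_change is None or now - account.last_change >= policy.max_lifetime


def change_password(policy: PasswordPolicy, account: Account,
                    old: str, new: str, now: datetime) -> str:
    """Apply the policy to a change request; returns 'ok' or the reason for refusal.
    The old password is supplied, as at an interactive change, so the increment
    check can compare plaintexts without any plaintext ever being stored."""
    salt, digest = account.history[-1]
    if not _matches(old, salt, digest):
        return "bad_old"
    if account.last_change is not None and now - account.last_change < policy.min_lifetime:
        return "too_soon"                         # minimum lifetime refuses the change outright
    if is_trivial_variant(old, new):
        return "trivial_variant"
    if any(_matches(new, s, d) for s, d in account.history):
        return "in_history"
    new_salt = os.urandom(16)
    account.history.append((new_salt, _digest(new, new_salt)))
    del account.history[:-policy.history_depth]   # forget entries beyond the remembered depth
    account.last_change = now
    return "ok"


def simulate_cycling(policy: PasswordPolicy, original: str = "Correct-Horse-7",
                     spacing: timedelta = NO_MINIMUM) -> list[str]:
    """Tim Doty's scenario: change history_depth times through throwaway passwords
    (distinct stems a, b, c ...), then try to return to the original. The last
    outcome is the reuse attempt."""
    account = Account()
    set_initial_password(account, original, START)
    outcomes, current, t = [], original, START
    for i in range(policy.history_depth):
        t += spacing
        candidate = f"Throwaway-{chr(ord('a') + i)}!"
        result = change_password(policy, account, current, candidate, t)
        outcomes.append(result)
        if result == "ok":
            current = candidate
    t += spacing
    outcomes.append(change_password(policy, account, current, original, t))
    return outcomes


def demo() -> dict[str, str]:
    """Outcome of the reuse attempt under three settings."""
    return {
        "history only": simulate_cycling(PasswordPolicy(min_lifetime=NO_MINIMUM))[-1],
        "history + 1-day minimum, all at once": simulate_cycling(PasswordPolicy())[-1],
        "history + 1-day minimum, a day apart": simulate_cycling(PasswordPolicy(), spacing=ONE_DAY)[-1],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:40} -> {outcome}")
```

Running it shows the shape of the argument: history alone lets the reuse succeed after 12 immediate changes, a minimum lifetime turns those 12 changes into 12 refusals, and spacing them a day apart gets the original back on day 13. So the minimum lifetime raises the cost of cycling to history_depth times min_lifetime rather than removing it, which is why Randy's second point stands: nothing here helps once a password has been disclosed. The stem comparison catches the monkey1/monkey2 pattern only at change time, because that is the one moment the old plaintext is presented; it does nothing for a history of hashes already on disk.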