Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: "John C. Gale" <john_gale () UNCG EDU>
Date: Fri, 24 Sep 2010 10:51:31 -0400


On 09/24/2010 10:20 AM, randy marchany wrote:
The control to stop this is the "Password Minimum Lifetime" feature.
However, you bring up an interesting point:

1. IF (big CAP IF) you run proactive password guessing/cracking tools on
your password databases, then is this a sufficient compensating control?

I am a fan of this idea for eliminating low hanging fruit.  If we can
remove bad passwords that are easy to crack, might as well do it and
close a means of inappropriate access.

HOWEVER, not proving something false is not the same as proving it true.
Hence I would not list it as a "compensating control" which suggests a
greater level of effectiveness than it actually provides.

We all understand this isn't security theater in this thread, but when
it gets sold by those who don't understand the nuances as the
"solution," then I think we've undermined ourselves.

2. The "disclosure" risk is the only one this control doesn't address.
However, disclosure affects any control so I don't see this as a deal
stopper.
3. I tend to agree with Spaf's essay.

-Randy Marchany
VA Tech IT Security Office

On Fri, Sep 24, 2010 at 10:09 AM, Doty, Timothy T. <tdoty () mst edu> wrote:

Something I've always been curious about was the point of not allowing last
X passwords to be re-used. Won't the user simply cycle through passwords
(say, BadPassword1, BadPassword2, etc. or use a random password generator)
until the one they want is out of the history? I've personally known people
who have done this -- why wouldn't anyone who actually wanted to re-use a
password?

Tim Doty

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John C. Gale
Sent: Friday, September 24, 2010 8:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Current Best Practice regarding Password Change
policy

HIPAA and PCI both require a password change every 90 days.  So, you
might not have a choice on the interval.

Effective passwords rely almost entirely on full user participation.

Don't:
...write it down
...log in to resources on untrusted machines
...use the same password everywhere (email, social networking, im, etc).
...just increment the password when it "changes" (monkey1...2...3)

Five years from now when my password is "monkey21" is it any better or
any worse than it is today at "monkey1"?  One could argue it is about
the same, but the predictability makes it absurdly weak if any actual
intelligence is applied to guessing (or if samples of previous
passwords exist).

So, the issue of actual security might be largely moot since users
can/will create bad "unique" passwords.

This is not to suggest an argumentum ad numerum.  I think it still a
defensible practice to ban previous passwords and one you should
pursue.  Not doing so pretty much defeats the purpose of changing your
password every 90 days and I would not want to be the one in front of
the judge when that compliance case was being heard.

I never reuse my passwords, so I haven't bumped into it locally.
However, on our campus it is either "never" or a password history not
allowing repeats of the last 12 (or something reasonably high because
most people can't remember the password they want to go back to
whenever they finally have the option here).

Ensuring effective access controls, of course, may most effectively
rely on measures outside of passwords, but that is another story.

Cheers

John

We currently require all Students, Faculty and Staff to change
passwords every 90 days and we are enforcing unique passwords (no
repeats). This is a relatively new requirement here and we are
getting a lot of push back on the change.  I'd like to get a feel for
what people accept as current best practice for password change
intervals and other related policies, and also, if it is different
from the best practice, what people are actually doing (if you wish to
share that :-)



-- 
Well, anyway, I was reading this James Bond book, and right away I realized
that like most books, it had too many words.  The plot was the same one that
all James Bond books have: An evil person tries to blow up the world, but
James Bond kills him and his henchmen and makes love to several attractive
women.  There, that's it: 24 words.  But the guy who wrote the book took
*thousands* of words to say it.
        Or consider "The Brothers Karamazov", by the famous Russian alcoholic
Fyodor Dostoyevsky.  It's about these two brothers who kill their father.
Or maybe only one of them kills the father.  It's impossible to tell because
what they mostly do is talk for nearly a thousand pages.  If all
Russians talk as much as the Karamazovs did, I don't see how they found
time to become a major world power.
        I'm told that Dostoyevsky wrote "The Brothers Karamazov" to raise
the question of whether there is a God.  So why didn't he just come right
out and say: "Is there a God? It sure beats the heck out of me."
        Other famous works could easily have been summarized in a few words:

* "Moby Dick" -- Don't mess around with large whales because they symbolize
  nature and will kill you.
* "A Tale of Two Cities" -- French people are crazy.
                -- Dave Barry
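As an added worked example (not taken from any message in this thread), here is a small model of the three controls the thread discusses: a last-N password history, the "Password Minimum Lifetime" that Randy names, and a stem check for the "monkey1 ... monkey21" increments John describes. The hash, the history depth of 3 in the cycling scenario and the one-day minimum age are constructed assumptions for the demo.

```python
import hashlib
import re

def _digest(pw):
    # Toy unsalted hash for the demo; a real history store uses a salted, slow hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def _stem(pw):
    # "monkey1", "monkey21" and "Monkey3" all reduce to the stem "monkey".
    return re.sub(r"\d+$", "", pw).lower()

class PasswordPolicy:
    def __init__(self, history_depth=12, min_age_days=1):
        self.history_depth = history_depth   # "last 12" as on the thread
        self.min_age_days = min_age_days     # assumed minimum lifetime, in days
        self.history = []                    # (hash, stem hash), newest first
        self.last_change = None

    def change(self, new_pw, day):
        """Try to set new_pw on day `day`; return None if accepted, else the reason."""
        if self.last_change is not None and day - self.last_change < self.min_age_days:
            return "minimum age"
        if any(h == _digest(new_pw) for h, _ in self.history):
            return "in history"
        if any(s == _digest(_stem(new_pw)) for _, s in self.history):
            return "increment of recent password"
        self.history.insert(0, (_digest(new_pw), _digest(_stem(new_pw))))
        del self.history[self.history_depth:]   # forget anything older than N
        self.last_change = day
        return None

def cycle_to_reuse(min_age_days, wait_days, depth=3):
    """Tim Doty's scenario: burn through `depth` throwaway passwords, then set the
    original again, waiting `wait_days` between changes. Returns the rejection
    reasons seen; an empty list means the reuse went through."""
    policy = PasswordPolicy(history_depth=depth, min_age_days=min_age_days)
    day = 0
    policy.change("original-secret", day)
    reasons = []
    for i in range(depth):
        day += wait_days
        reason = policy.change(f"throwaway-{i}-xyz", day)
        if reason:
            reasons.append(reason)
    day += wait_days
    reason = policy.change("original-secret", day)
    if reason:
        reasons.append(reason)
    return reasons
```

With no minimum age, `cycle_to_reuse(0, 0)` gets the original password back in a single sitting; with a one-day minimum age the same cycling is refused when done at once but still succeeds if the user waits a day between changes, so the minimum lifetime raises the effort of defeating the history rather than eliminating it.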

