Re: Password change *recommended* -- RESULTS?

["McClenon, Brady" <Brady.McClenon () ONEONTA EDU>]

Thanks, Joe.  I agree that MFA is the way to go, but with many colleges depending on vendor supplied software MFA 
becomes more difficult.  Does the service support MFA, and if so which solution?  SSO would make this easier, but SSO 
has the same set of issues.  Some support CAS, some support SAML, some ADFS, etc...  It seems that until SSO and MFA 
standards are achieved some are overwhelmed with the need to support 2-3-4 solutions to the same problem.

I follow some of your reasons outlined for password changes, and again, thanks.  I will point out that the statements 
"Periodic Password Changes Limit The Window for Brute Force Attacks" and "If you do change your password, the attacker 
will need to restart their cracking effort because cracking your old password typically won't help the attacker deduce 
your new password" aren't entirely true.  The attacker would only need to restart if your new password was one he/she 
already tried prior to the change.  The window may not change at all, and the probability that the change helped 
protect the password can be anywhere between 0-100% depending on where the attacker was in his list when the password 
was changed.   So while there is some value against brute force the value seems somewhat undeterminable. 




-----Original Message-----
From: Joe St Sauver [mailto:joe () oregon uoregon edu] 
Sent: Wednesday, April 16, 2014 10:39 AM
To: McClenon, Brady
Cc: security () listserv educause edu
Subject: Re: Password change *recommended* -- RESULTS?

Good morning!

Brady asked:

#Except in the case of an incident were passwords may have be leaked or #otherwise compromised, in which case it seems 
it would be a required #change and just not recommended, I'm curious to the thoughts of those #here on why you would 
enforce periodic password changes on users.  

I outlined a few reasons in an NWACC talk on passwords that you can find at 
http://pages.uoregon.edu/joe/passwords/passwords.pdf (section 4 talks about the password change issue)

That said, the fundamental problem is that at this stage of the game, plain old passwords just aren't good enough 
anymore -- yet we still don't see ubiquitous deployment of multifactor on most campuses. Why? 

I attempted to discuss some of the reasons that people may have
*historically* had, and why they may no longer be applicable, in a talk I did last week in Denver at the Internet2 
Global Summit; see http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf

If you all are not doing multifactor, did I catch the reason(s) why in thos slides? If I missed a fundamental reason, 
I'd love to hear about/understand it better. 

Do we all just secretly love passwords for some sort of weird cultural reasons? :-;

Regards,

Joe