Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: Robert Meyers <REMeyers () MAIL WVU EDU>
Date: Thu, 17 Apr 2014 13:17:45 +0000

I'd like to take this in a slightly different direction.
With all the conversation about the need for complex passwords, how many can honestly report that their institution has 
suffered a significant data incident because of a hack or brute force attack on user passwords? How many breaches have 
been reported in the edu community because a user password was too weak?  I'm not disputing anything with these 
questions, just honestly seeking evidence that demands a clear verdict.  What I do see daily are users WILLINGLY 
surrendering their login credentials to phishing scams, so password complexity doesn't enter into the conversation.

I do spend the majority of my time with students teaching methods of creating complex passwords as a means of elevating 
their overall cyber security awareness.

Bob Meyers
WVU Information Security

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Walker
Sent: Wednesday, April 16, 2014 4:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

Brady,

Very real issues you've listed about multi-factor authentication.  I'll mention that the MFA Cohortium 
(https://wiki.cohortium.internet2.edu/confluence/display/mfacohortium/Home), a group of 40-50 universities, is doing 
work in the areas you've mentioned.  Take a look; there are a number of white papers available.  You're also welcome to 
participate; information for how to do that is available from the wiki page linked above.

A couple of other links you may find of interest:
* The FIDO Alliance (https://fidoalliance.org/), an industry group that has recently released specifications for 
a standard authentication API for second factor and passwordless tokens.
* The Multi-Context Broker (https://spaces.internet2.edu/x/BozFAg), an extension to Shibboleth that facilitates 
the integration of MFA and assurance into a SAML IdP.

Things are getting better, but they still have a ways to go.

David
On 04/16/2014 12:18 PM, McClenon, Brady wrote:

Thanks, Joe.  I agree that MFA is the way to go, but with many colleges depending on vendor supplied software MFA 
becomes more difficult.  Does the service support MFA, and if so which solution?  SSO would make this easier, but SSO 
has the same set of issues.  Some support CAS, some support SAML, some ADFS, etc...  It seems that until SSO and MFA 
standards are achieved some are overwhelmed with the need to support 2-3-4 solutions to the same problem.

I follow some of your reasons outlined for password changes, and again, thanks.  I will point out that the statements 
"Periodic Password Changes Limit The Window for Brute Force Attacks" and "If you do change your password, the attacker 
will need to restart their cracking effort because cracking your old password typically won't help the attacker deduce 
your new password" aren't entirely true.  The attacker would only need to restart if your new password was one he/she 
already tried prior to the change.  The window may not change at all, and the probability that the change helped 
protect the password can be anywhere between 0-100% depending on where the attacker was in his list when the password 
was changed.   So while there is some value against brute force the value seems somewhat undeterminable.

-----Original Message-----
From: Joe St Sauver [mailto:joe () oregon uoregon edu]
Sent: Wednesday, April 16, 2014 10:39 AM
To: McClenon, Brady
Cc: security () listserv educause edu<mailto:security () listserv educause edu>
Subject: Re: Password change *recommended* -- RESULTS?

Good morning!

Brady asked:

#Except in the case of an incident where passwords may have been leaked or
#otherwise compromised, in which case it seems it would be a required
#change and just not recommended, I'm curious to the thoughts of those
#here on why you would enforce periodic password changes on users.

I outlined a few reasons in an NWACC talk on passwords that you can find at 
http://pages.uoregon.edu/joe/passwords/passwords.pdf (section 4 talks about the password change issue)

That said, the fundamental problem is that at this stage of the game, plain old passwords just aren't good enough 
anymore -- yet we still don't see ubiquitous deployment of multifactor on most campuses. Why?

I attempted to discuss some of the reasons that people may have *historically* had, and why they may no longer be 
applicable, in a talk I did last week in Denver at the Internet2 Global Summit; see 
http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf

If you all are not doing multifactor, did I catch the reason(s) why in those slides? If I missed a fundamental reason, 
I'd love to hear about/understand it better.

Do we all just secretly love passwords for some sort of weird cultural reasons? :-;

Regards,

Joe


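Brady's point in the quoted message above (that a periodic change only forces an attacker to restart when the new password was already tried, so the benefit depends on where in the list the attacker was) can be checked with a small model. The following is an added example, not code from the thread or from any of the participants; it assumes a constructed attacker that walks a fixed, ordered guess list one candidate per step, that both the old and the new password sit at uniformly random positions in that list, and that the attacker only notices the change after exhausting the list and then restarts from the top. Function names (`crack_step`, `restart_probability`, `simulate`) are hypothetical.

```python
"""Toy model of the password-change-versus-brute-force argument from the thread.

Constructed assumptions (not taken from the mailing-list posts):
- the attacker tries candidates from a fixed ordered list, one per step;
- the old and the new password are both in that list, at uniformly random positions;
- the attacker learns of the change only when the list runs out, then restarts.
"""
import random


def crack_step(list_size, old_pos, new_pos, change_step):
    """Step at which the attacker succeeds when the password changes at change_step.

    Positions are 0-based indices into the guess list. At the moment of the
    change the attacker has already tried positions 0 .. change_step-1.
    """
    if old_pos < change_step:
        # Old password was found before the change: the change came too late.
        return old_pos
    if new_pos >= change_step:
        # New password is still ahead in the list: no restart is needed.
        return new_pos
    # New password was already tried: attacker exhausts the list, then restarts.
    return list_size + new_pos


def restart_probability(list_size, change_step):
    """Exact probability that the change forces a restart, given that the
    attacker has not yet found the old password: P(new_pos < change_step)."""
    if not 0 <= change_step < list_size:
        raise ValueError("change_step must lie inside the guess list")
    return change_step / list_size


def simulate(list_size, change_step, trials, seed=0):
    """Monte Carlo estimate of the same quantity, conditioned on the account
    not yet being cracked at the time of the change (old_pos >= change_step)."""
    if not 0 <= change_step < list_size:
        raise ValueError("change_step must lie inside the guess list")
    rng = random.Random(seed)
    restarts = 0
    for _ in range(trials):
        old_pos = rng.randrange(change_step, list_size)   # not cracked yet
        new_pos = rng.randrange(list_size)                # fresh draw from the list
        if crack_step(list_size, old_pos, new_pos, change_step) >= list_size:
            restarts += 1
    return restarts / trials


if __name__ == "__main__":
    n = 10_000
    print("change at  exact  simulated")
    for fraction in (0.0, 0.25, 0.5, 0.75, 0.99):
        step = int(fraction * n)
        print(f"{fraction:8.0%}  {restart_probability(n, step):5.2f}  "
              f"{simulate(n, step, 20_000):9.3f}")
```

Running the block prints the restart probability rising from 0 (attacker had not started, so the change is a wash) towards 1 (attacker had nearly finished without success, so the new password is almost certainly behind him), which is exactly the 0-100% spread Brady describes. The model also shows a case the thread does not spell out: when the new password lands ahead of the attacker's position but earlier than the old one would have been reached, `crack_step` returns a smaller value than `old_pos`, so the change actually speeds up compromise. None of this changes under the assumption Bob Meyers raises, that the credential was simply handed over through phishing, where list position never comes into play.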