Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Shane Williams <shanew () ISCHOOL UTEXAS EDU>
Date: Wed, 2 Apr 2014 17:48:34 -0500

I think you're viewing this backwards.  Here's the scenario that I
think describes most users in a "password expiration" setup.*

1. They create an account with us, setting their initial password to
   one they commonly use already.
2. At time X, they're made to change that password.  At this point,
   they might decide to use another password they use, but they will
   have used it fewer places than their first choice from step 1.
3. At each time X*N, they have to repeat this process, always picking
   a less commonly used password.

So, the biggest "danger" is between steps 1 & 2, where their
password on our system matches the one most likely to be found in a
mass exposure.  After that, unless they are syncing up their password
on all systems every time they have to change one of them (and I think
these people are few and far between), the chance that an exposed
password from another site is the one in use on our site decreases.

* This assumes you're keeping a sufficient password history, not
  allowing users to quick-cycle back to their favorite, etc.

On Wed, 2 Apr 2014, Von Welch wrote:

I believe one of the benefits of changing the password is that it's
not uncommon for web services to use an email address as a user name.
If a user uses our address, and their associated password, and later
that web service gets compromised, there is a decent chance when the
hashes are dumped that they will have had to change our password and
will no longer sync them.

I believe I understand this threat (your users may reuse their passwords
elsewhere and get them exposed there) but I don't understand how
having password expiration helps address it.

Unless you are "lucky" and the exposure happens just prior to
password expiration, you're comfortable waiting probably months until
expiration for the users to change their password?

Wouldn't a better solution, assuming the compromised DB is published,
be to see that a user account with one of your email addresses has been
exposed and to force a password change in real time?

Even if the password DB isn't published and you can't see the
compromised account, the only way password expiration seems to help is
if the bad guy sits on the compromised password until after expiration
to use it.

In short, password expiration just seems too slow to be effective in
Internet time scales.

Von

On Apr 2, 2014, at 5:23 PM, Shane Williams <shanew () ISCHOOL UTEXAS EDU>
wrote:

I've recently had this discussion with our faculty, and this was the
point I kept making, all the while referring to the "mass password
exposure" of the week.  Unfortunately, almost no articles or blogs
from before 2012 make any mention of this threat, much less academic
papers (where faculty place more trust).  Admittedly, the incidence of
mass exposures pre-2012 wasn't what it is today, but I'm surprised
that even now very few "experts" talk about this particular risk.


On Wed, 2 Apr 2014, Roger A Safian wrote:

I believe one of the benefits of changing the password is that it's
not uncommon for web services to use an email address as a user name.
If a user uses our address, and their associated password, and later
that web service gets compromised, there is a decent chance when the
hashes are dumped that they will have had to change our password and
will no longer sync them.

--
Shane Williams
Senior Information Technology Manager
School of Information, University of Texas at Austin
shanew () ischool utexas edu - 512-471-9471


--
Shane Williams
Senior Information Technology Manager
School of Information, University of Texas at Austin
shanew () ischool utexas edu - 512-471-9471
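Von's proposal above (match a published breach dump against our own accounts and force a change right away instead of waiting for expiration), written out as an added example; this code is not from any participant on the thread. It assumes the dump has been reduced to email:password pairs (plaintext or already-cracked hashes), that our directory stores salted PBKDF2 hashes (an assumption for the example only), and it flags an account only when the exposed password actually verifies against the user's current local hash, which is exactly the window Shane's step 1 describes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple
ITERATIONS = 100_000  # PBKDF2 work factor: an assumption of this example, not a thread detail

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 stands in for whatever the real directory uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def normalize_email(addr: str) -> str:
    # Lower-case and drop a '+tag' suffix so dump entries line up with our user names.
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def parse_dump(text: str) -> List[Tuple[str, str]]:
    # Parse 'email:password' lines; skip blank, comment and malformed lines.
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, _, password = line.partition(":")
        entries.append((normalize_email(email), password))
    return entries

def accounts_to_reset(dump: List[Tuple[str, str]],
                      directory: Dict[str, Tuple[bytes, bytes]],
                      our_domain: str) -> List[str]:
    # Our accounts whose *current* password verifies against an exposed credential.
    hits = set()
    for email, exposed in dump:
        if not email.endswith("@" + our_domain) or email not in directory:
            continue  # not one of ours, or no such account
        salt, stored = directory[email]
        if hmac.compare_digest(hash_password(exposed, salt), stored):
            hits.add(email)  # the reused password is live here: force a change now
    return sorted(hits)

def demo() -> List[str]:
    # Constructed directory and dump: alice reused her password elsewhere, bob did not.
    def account(pw: str) -> Tuple[bytes, bytes]:
        salt = secrets.token_bytes(16)
        return salt, hash_password(pw, salt)
    directory = {"alice@example.edu": account("correct horse"),
                 "bob@example.edu": account("unrelated-passphrase")}
    dump = ("# constructed sample of a third-party site's leaked credentials\n"
            "Alice+news@Example.EDU:correct horse\n"
            "bob@example.edu:old-password-from-elsewhere\n"
            "carol@other.org:correct horse\n")
    return accounts_to_reset(parse_dump(dump), directory, "example.edu")  # -> ['alice@example.edu']
```

Accounts that match only by email but whose exposed password no longer verifies (bob) are left alone, so the forced reset lands only where the reuse Shane describes is still live.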

