Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Thu, 3 Apr 2014 08:44:44 -0500

Many of us (myself included) commit various "password re-use" sins. (Attention (ISC)2: if you need evidence for 
relieving me of my infosec certification here it is) 

Look: from a practical point of view: I have been using some version of the Internet since before the Internet per se 
existed (from that you may correctly infer that I am a Dinosaur). For all of that time, various entities have been 
requiring login/password combos to access both significantly sensitive, secret or confidential ... and also trivial ... 
data and functionality. I have had to create 100's (maybe even >1000) of login/password combos in my lifetime, and 
probably currently still have ~75 that are in some sense "active." Never mind all the abandoned or "changed" ones from 
decades past that are probably stored insecurely Heaven-only-knows-where. 

As a mere human -- I do not possess either the creativity or the memory capacity to create and remember that many 
different login/password combos, AND to remember if/when I may be re-using something I already used somewhere years or 
decades ago. 

So I cheat. I have some relatively simple algorithms for creating login/password combos that exist only in my head, but 
I have no illusions about those algorithms being so complex that they couldn't easily be derived if some malicious 
actor had a few examples of them to work with. 

As I get older, my "cheating" is getting less and less complicated and probably more and more obvious. 

The reason I am only mildly concerned about this is because if a login/password (which is, after all, only single-, not 
multi-factor authentication) is the only thing standing between me and some nefarious data thief ... I figure I'm 
already s****ed and probably shouldn't be using that site / service at all. 

Ruth Ginzberg, CISSP, CTPS 

Sr. I.T. Procurement Specialist 
University of Wisconsin System 

rginzberg () uwsa edu 
608-890-3961 

----- Original Message -----

From: "Roger A Safian" <r-safian () NORTHWESTERN EDU> 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Sent: Thursday, April 3, 2014 8:20:36 AM 
Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security Awareness Programs 

Unless you are "lucky" and the exposure happens just prior to password 
expiration, you're comfortable waiting probably months until expiration for 
the users to change their password? 

I think you're making the assumption that the password syncing and the compromise of the remote service all happen 
around the same time. As you have seen from the many compromised password files published, these compromises often 
come to light years after the fact, so in many cases the passwords would have been changed multiple times. In fact, after 
speaking to many of our users that fall into this category, more often than not they are no longer using the service 
that stored the compromised password. 

Make no mistake, password changes are not the solution, but they can be an effective tool to mitigate the risk to your 
passwords on remote systems. 
