Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 26 Feb 2016 15:16:48 +0000

Password expiration primarily protects in the situation in which a
password is compromised in an undetectable and unrepeatable manner.  If
you can detect the compromise, you can force a reset or lockout.  If the
attack is repeatable (endpoint malware, APT, etc) then the new password
can be obtained as well.

These singular, silent attacks are uncommon.  The scenario that password
expiration best protects from, IMO, is keeping the institutional password
out of sync with external passwords.  If you have to change your password
every six months, you are unlikely to run around to all other websites you
use to reset them to match.  Then if a third party site is compromised
(this happens frequently), the odds of the compromised password matching
the institutional one are greatly reduced.  A hack of a third-party site
is an extension of the undetectable and (potentially) unrepeatable
compromise scenario.

Sometimes we do detect these compromises, when the attackers are out for
publicity and pastebin the spoils of their attack, but I'm sure for every
public disclosure there are many non-disclosed ones.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu <http://www.cu.edu/>
On 2/26/16, 7:02 AM, "The EDUCAUSE Security Constituent Group Listserv on
behalf of Joanna Grama" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of
jgrama () EDUCAUSE EDU> wrote:

Hi Mark,

I have a strong preference for keeping lawyers happy over accountants;
but that is just professional courtesy.

Like many of the posts in this discussion, I do think the proper inquiry
over password complexity and expiration is a risk-based inquiry that
looks at the assets being protected and other safeguards in place to
protect those assets.  I feel the same way about generically applicable
standards that I do about "one size fits all" clothing--it very rarely
fits perfectly and you always end up looking a little frumpy.

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of IT GRC and Cybersecurity Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | main: 303.449.4430 | jgrama () educause edu



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark I. Berman
Sent: Friday, February 26, 2016 7:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management Policy & Standards

Joanna,

So what you're saying is that the reason to expire passwords is to make
the accountants happy rather than any rational balancing of risk/reward?
I think I probably agree with you. We just had a discussion here about
whether we need to worry about password expiration and complexity so much
if we move to two factor authentication. One thing that was brought up is
that we might not even know if a password is compromised since the
bad guy still wouldn't be able to get in, lacking the second factor. And
do we care at that point that the password was compromised?  Two factor
auth certainly seems to throw a monkey wrench into the question of how
important complex and frequently changed passwords really are!

- Mark
--
Mark Berman, Chief Information Officer
Siena College
515 Loudon Road
Loudonville, NY  12211
(518)782-6957,  Fax: (518)783-2590