Firewall Wizards mailing list archives
Re: password aging
From: Paul McNabb <mcnabb () argus-systems com>
Date: Mon, 31 Aug 1998 10:43:19 -0500 (CDT)
> From: "Stephen P. Gibbons" <steve () aztech net>
> Respectfully, I don't think you've read a word that I've written.

Respectfully, I read everything several times before writing a response.

The bottom line of all of this is the following: It is absolutely, positively guaranteed that any serious attacker over the age of 12 will be able to determine whether the password is failing the complex checks (yes, I'm VERY familiar with ALL you have mentioned) or if he has stumbled across someone's old or current password. Any argument to the contrary is an appeal to the entirely discredited "security through obscurity" arguments that are occasionally raised by novices in the security field.

And yes, most users have patterns to their password selections, and knowing one or more can reduce the password namespace dramatically. For example, do you often add digits to the end of your passwords? The beginning? Punctuation at the end? Swap syllables? Use initial or final upper case letters? People DO use patterns when selecting passwords. And if you want to try to limit that, you might as well use a password generation program and enforce a large and random password namespace. It seems it would be better to spend your time making a password generator that made easy-to-remember-yet-complex passwords.

All of your fancy checks for "weak" passwords are wonderful! They are meaningful! They are good! They should be used! However, they should be used ONLY for checking passwords against a dictionary or the user's own password history, never against other users' passwords! ANY MECHANISM THAT YOU PROVIDE THAT REVEALS INFORMATION ABOUT ANOTHER USER'S PASSWORD CHOICES IS A SECURITY HOLE!! System wide password histories can never, never, under any circumstances provide any level of additional security!! The one exception is if your users are telling each other their passwords and using that information when changing their own passwords -- a situation that is so bad that no system-wide password history mechanism could hope to provide much help.

The instant you install a system-wide password history mechanism, your system is less secure than it was. Stephen may not be able to accept this, but I hope that other security folks on this list avoid system-wide password histories like they would three day old roadkill.

paul

---------------------------------------------------------
Paul McNabb
Argus Systems Group, Inc.
Vice President and CTO
1809 Woodfield Drive
Savoy, IL 61874 USA
mcnabb () argus-systems com
TEL 217-355-6308
FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
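As an added illustration of the design the message argues for (not code from the original post or from Argus Systems), the checker below consults only a dictionary and the changing user's own salted, hashed history, so its answer for one user is the same no matter what any other user has chosen. The dictionary, user names and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary file.
COMMON_WORDS = {"password", "letmein", "welcome1"}


def _hash(password: str, salt: bytes) -> bytes:
    # History entries are stored salted and stretched, so an old
    # password is never kept in a form that can be read back out.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordStore:
    def __init__(self, history_depth: int = 5):
        self.history = {}  # user -> [(salt, digest), ...], newest first
        self.depth = history_depth

    def in_own_history(self, user: str, candidate: str) -> bool:
        # Only this user's entries are ever compared against.
        for salt, digest in self.history.get(user, []):
            if hmac.compare_digest(_hash(candidate, salt), digest):
                return True
        return False

    def check_new_password(self, user: str, candidate: str):
        """Return a rejection reason, or None if the candidate is acceptable.

        Other users' histories are deliberately not consulted: a check
        against them would let a caller learn whether a guess matches
        someone else's old or current password.
        """
        if len(candidate) < 8:
            return "too short"
        if candidate.lower() in COMMON_WORDS:
            return "in dictionary"
        if self.in_own_history(user, candidate):
            return "reused from own history"
        return None

    def set_password(self, user: str, candidate: str):
        reason = self.check_new_password(user, candidate)
        if reason is not None:
            return reason
        salt = os.urandom(16)
        entries = [(salt, _hash(candidate, salt))] + self.history.get(user, [])
        self.history[user] = entries[: self.depth]
        return None
```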