IP: DoD password management -- from Risks

[Dave Farber <farber () cis upenn edu>]

> Date: Wed, 21 Jul 1999 22:29:29 -0400
> From: [Identity withheld by request]
> Subject: DoD password management
>
>   [This message is from Department of the Army civilian who has had Military
>   active duty (53) system administration duties.  His or her identity is
>   withheld for obvious reasons.  PGN]
>
> I am an employee (15 + years) in the Department of Defense.  In the last few
> days I have received the most ludicrous requirement yet.  It applies to
> every part of DoD.  It requires us to change every password on every system
> and then power down and power up the system.  I have been told this was
> signed off by the Secretary of Defense upon urging by his Joint Task Force
> for computer security.  For Army systems, this came in the form of a
> majordomo message.  Last night I found out that it the aftermath of an
> incident.  Prior to this knowledge, a lot of us thought that this was just
> an exercise.
>
> When the initial message came in, MACOMS (Major Army Command typically 4
> stars), RCERTS, and other institutions were called to see if this was a
> hoax.  It turns out it wasn't.  They actually want us to complete this
> requirement in less than 4 weeks.  Initially, we weren't told the reason for
> the requirement -- just to get it done.
>
> Shortly thereafter, we received another report that tells us (1) not to use
> the word "password" when directing our users to do this, (2) to use verbiage
> to our users explaining the need for the password change that is untrue, (3)
> to have the users change their passwords themselves rather that have the
> system force them to do it.  On (2), I don't think they intentionally wanted
> us to lie; just obscure the reasons.  I first take issue that they have us
> (Sys Admin/Net Admin) mislead our installation users (another risk).  Along
> with every IT (govt. employee, contract, military) person whom I have talked
> to at my installation, I think this requirement is overkill.  In addition to
> using a lot of resources, it causes us the question the credibility of the
> people who are making these decisions.  This in itself is a major risk.
>
> Other thoughts:
>
> 1. Some people and sysadmins have about (3-7) passwords for various
>    systems.  If they have to change all their passwords they are likely to
>    recycle the same passwords, on different systems.  
>
> 2. I have spoken with my counterparts at different Army installations.  For
>    the most part they want to define the problem away (i.e., NT domain
>    account is not computer account -- it is a resource account).
>
> DoD is starting to take computer security seriously.  However, they are
> using sledgehammers to stamp out flies.  By doing this they make us (sys
> admins/net admins) question their capabilities.
>
> There are several issues here. (1) military Vs civilian, (2) overreliance on
> FUD contractors, and (3) honesty between levels of commands.
>
> [Signed] A concerned but disillusion DoD employee
>
>   [There are certainly some pockets of enlightenment within DoD,
>   but there are also some incredible examples of ostrich mentality,
>   with heads in the sand.  By the way, changing passwords does not
>   help if sniffers are already in place.  The deeper problem, familiar
>   to RISKS readers, is the pervasive use of fixed passwords in the 
>   first place.  PGN]