Educause Security Discussion mailing list archives
Re: Password aging
From: Angel L Cruz <cruz () AUSTIN UTEXAS EDU>
Date: Wed, 14 Jan 2004 12:22:18 -0600
Yes, passwords do need to be changed periodically. This is clear from reviewing GASSP, ISO 17799, COBIT, etc. -- it's a standard practice. Should it be 30, 60, 90, 180, 365 days? The devil in the details will always be how often it is changed. A Google search of password aging at various intervals (up to 1 year) finds many hits for many intervals -- there is no one answer, it just depends on the environment and their risk "pain threshold". E.g., VISA's Account Info Sec documentation under Managing Static Passwords suggests a 30 day aging rule. This is clearly based on their risk assessment and their pain threshold for monetary loss.

Password aging decisions should be based on empirical vice imperial evidence -- and I believe Gary's point about use of the same passwords on Yahoo, eBay, etc. reveals a major exposure that should be strongly considered among the many issues in an access controls risk assessment. So, is there policy in place to discourage such practices? Well, how do you check?

Now 2-factor is clearly the way to go, but the economics, scalability, and multi-platform requirements issues involved in large HE environments still scare many of us. Let's hope pricing models improve soon so we can at least take a stab at solving the scalability and multi-platform issues.

Mr. Angel L. Cruz, CISSP
Director & University ISO
The University of Texas at Austin
1 University Station MAI 26 G0900
Austin, TX 78712
(512) 475-9462
a.cruz () its utexas edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, January 14, 2004 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password aging

While it is debatable how *often* a password should be changed (the result of adding the compound probabilities of each form of threat to its secrecy), I would assert that no password should be permitted to remain unchanged ad infinitum, no matter how complex or well-guarded it is.

A reason changing ATM PINs is not as important is that ATMs rely on a 2-factor authenticator. Someone has to learn the PIN, *and* obtain the card. Presuming users can keep tabs on one or the other (ideally both), the surety can remain sufficiently high.

However, a problem with password stagnation could be cast as a corollary question: "do you know who else knows your password?" None of us can answer "yes" with certainty, only probability, because we may never know if it has been intercepted; we can only hope that it hasn't. That surety degrades over time, due to the repetition of exposures as it is used. Two such risks of 'secret-leakage' are the old saw, network eavesdropping, and a user-caused one: using the same password for their enterprise account as they do on some less-secure service, where it may be much more subject to interception (also without the user's knowledge).

David L. Wasley wrote:

I wonder about the rationale for requiring periodic password changes. I believe I understand why it was necessary in the past, but is it still reasonable? What is the risk that is mitigated by that requirement?

I assume that modern systems
- require sufficiently complex passwords to start with
- do not allow downloading of the /etc/passwd (or equivalent) file
- lock account access after a few failed password attempts

Therefore, guessing a password should prove very difficult and there isn't any other way to gain knowledge of it. Even if you accept that it might be guessed, so might the new one. Therefore why require that it be changed?

As to people "sharing" or writing down passwords, they'll just share or write down the new one each time. Thus changing passwords periodically does nothing to address this problem of human nature. If a person becomes aware that their password might have been compromised, they should then change their password, just as they should request a PKI cert be revoked if the private key is compromised.

I suppose one could imagine a scenario where an attacker tries a dictionary-like attack until the target locks up, waits for it to be reopened, and then continues trying. Assuming the user never wonders why their account is continually locking up, the attacker might eventually hit on the actual password. However, requiring the user to change their password periodically or even every time the account locks up wouldn't guarantee that the attacker would never succeed (even if you knew what strings they had already tried, some other hacker might start again at the beginning).

So can someone define what the rationale might be for requiring password changes? How often do folks change the PIN on their ATM cards?

Thanks,
David

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

--
------------------------------------------------------------
Gary Dobbins, CISSP -- dobbins () nd edu
Director, Information Security
University of Notre Dame, Office of Information Technologies
Voice: 574.631.5554
------------------------------------------------------------
"...mind the gap"
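As an added illustration that is not part of the thread, the "compound probabilities" and "surety degrades with repeated exposure" argument above can be put into a toy model, and the aging intervals Angel lists (30 to 365 days) can be compared on it. The exposure rates and per-exposure leak probabilities below are constructed assumptions, not figures from any of the posters.

```python
"""Toy model of password surety decay and what aging buys (added example; the
channel rates below are constructed assumptions, not figures from the thread)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposures_per_day: float    # how often the secret crosses this channel
    p_leak_per_exposure: float  # chance a single exposure is captured


# Constructed example channels: network eavesdropping on each login, and reuse
# of the enterprise password on a less-secure outside service.
THREATS = (
    Threat("network eavesdropping", exposures_per_day=4.0, p_leak_per_exposure=1e-4),
    Threat("reuse on weaker service", exposures_per_day=0.5, p_leak_per_exposure=2e-3),
)


def p_still_secret(threats, days):
    """P(no channel has captured the password after `days` of use).
    Each exposure is an independent chance of leak, so the per-channel
    survival probabilities multiply (the 'compound probabilities')."""
    surety = 1.0
    for t in threats:
        surety *= (1.0 - t.p_leak_per_exposure) ** (t.exposures_per_day * days)
    return surety


def leak_ceiling(threats, aging_days):
    """Upper bound on P(current password is already known to someone) when
    passwords are rotated every `aging_days`: the secret is never older than that."""
    return 1.0 - p_still_secret(threats, aging_days)


def mean_attacker_window(aging_days):
    """If a leak lands at a uniform random point in the aging period, whoever
    holds it keeps a working password for half the period on average; with no
    aging (None) the window is bounded only by detection."""
    return None if aging_days is None else aging_days / 2.0


def aging_table(threats, intervals=(30, 60, 90, 180, 365)):
    """Rows of (aging_days, leak ceiling, mean attacker window) per interval."""
    return [(d, leak_ceiling(threats, d), mean_attacker_window(d)) for d in intervals]


if __name__ == "__main__":
    for d, ceiling, window in aging_table(THREATS):
        print(f"{d:4d} days: P(leaked) <= {ceiling:.3f}, mean window {window:.0f} days")
```

The point the table makes is the one Gary argues: rotation does not stop leaks, but it caps both how likely the current secret is to be known and how long a leaked one stays useful.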