Educause Security Discussion mailing list archives

Re: Password aging


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 14 Jan 2004 18:47:38 -0500

I totally agree that passwords per se are lousy security.  I'm just trying
to understand the real risks and potential mitigations.

I believe the use of biometrics is poorly understood by most people but
that is a topic for another thread.

I agree about Biometric Devices, particularly with those Biometric devices
that still have a "Fail Safe" password system embedded in them.

This is a very interesting thread on passwords to be sure.  I can however
tell you that I've seen faculty members write their passwords down in
"Permanent Marker" on their monitor borders, students leave a piece of paper
in our public computer labs with all their various usernames and passwords
on it... not only to our network, but other services, including their
banking information.  I have seen departmental admins give a locked out user
their own username and password so they didn't have to deal with it when
they were at home eating dinner.  These are just a couple of examples to be
sure.

The way I see things, password complexity is required to avoid simple Brute
Force attacks.  Change cycles are required to ensure that compromised
passwords are not good forever. Length requirements are needed to at least
SLOW down brute force decryption attempts, if not make it take years to
crack.  However, as with all things, there is a "median" or balance between
these three issues, and certainly the users' work habits and needs should be a
part of that equation; but NOT the determining factor.

I've also read here where some say that banks do not require a user to
change their ATM / Check Card's PIN number.  While I believe they should and
eventually will require this, we need to remember that we've just changed
the argument dynamics here from a password only authentication system into
what amounts to a "Two Factor" authentication system; whereby a person would
not only need the password/pin, but also the additional "Token / Smart Card"
to make the system work to begin with.  Rather like comparing apples with
oranges IMO.

I believe therefore that the future of security will be in multi-factor
authentication. Until then, we need to do our best to protect our users and
their data with the tools we currently have, educate our users why this is
so important to safeguard not only them -  but the institution's data, and
then help them with tips and suggestions to create/change passwords on a
regular cycle that are both complex and EASY to remember.  We have actually
had very good luck with this approach.
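The post argues that complexity and length govern how long a brute-force search takes, while the change cycle bounds how long a stolen password stays usable. The following is an added illustration of those three knobs, not code from the poster or the list; the guess rate, the character-class sizes and the sample policies are constructed assumptions.

```python
import math
from datetime import date, timedelta

# Assumed character-class sizes (constructed for the estimate, not a standard).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace_bits(length: int, classes: tuple) -> float:
    """Bits of search space an exhaustive attack must cover: log2(alphabet ** length).
    Length multiplies the exponent, so it grows the keyspace faster than adding classes."""
    alphabet = sum(CLASSES[c] for c in classes)
    return length * math.log2(alphabet)


def expected_crack_days(bits: float, guesses_per_second: float) -> float:
    """Expected days to find a password by covering half the keyspace at a fixed guess rate."""
    return (2 ** bits / 2) / guesses_per_second / 86400


def exposure_window_days(changed_on: str, compromised_on: str, max_age_days: int) -> int:
    """Days a password stolen on `compromised_on` remains valid before the change cycle
    retires it. Dates are ISO strings; a compromise after expiry yields 0."""
    expires = date.fromisoformat(changed_on) + timedelta(days=max_age_days)
    return max(0, (expires - date.fromisoformat(compromised_on)).days)


def compare_policies(guesses_per_second: float = 1e9) -> dict:
    """Estimated crack time for three constructed policies at an assumed offline guess rate.
    Shows that a longer password from fewer classes can out-resist a short four-class one."""
    policies = {
        "8 chars, all four classes": (8, ("lower", "upper", "digit", "symbol")),
        "12 chars, lower only": (12, ("lower",)),
        "16 chars, lower+upper": (16, ("lower", "upper")),
    }
    return {
        name: round(expected_crack_days(keyspace_bits(length, classes), guesses_per_second), 1)
        for name, (length, classes) in policies.items()
    }


if __name__ == "__main__":
    for name, days in compare_policies().items():
        print(f"{name}: ~{days:,.1f} days to crack")
    print("exposure window (90-day cycle, stolen day 14):",
          exposure_window_days("2004-01-01", "2004-01-15", 90), "days")
```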

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
