Educause Security Discussion mailing list archives

Re: Active Directory Password Strength


From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 15 Nov 2005 09:14:39 -0600

From: Bradley Ellis [mailto:Bradley.Ellis () ITS MONASH EDU AU]

Also, you've got the cost of managing (eg service desk calls)
complex passwords ... Which makes me wonder if people have
comparative studies from an overall cost of complex passwords
vs two factor or other authentication measures - but that is
a different argument altogether.

I don't think it is another argument; you have to take all
factors into account in setting a security policy.  A related
one is that every time you change your password you increase
the risk of disclosure, for several reasons including that
if you picked a strong password you probably had to write it
down for at least the first few weeks until you learned it
by rote; also you'll be typing more slowly and will be easier
to shoulder surf.  Personally I think that if you have a
strong password which has not been cracked in a year of use
you might as well keep it indefinitely.  You *know* it isn't
crackable, you don't know that for sure about your new one.

The *only* advantage that changing your password offers is in
the case when someone did intercept your password but decided
not to use it for a long time, perhaps to cover where they got
it from.  In most other situations, the outcome is the same
regardless of whether they got your old password or your new
password.

The real conclusion of course is that passwords have had their
day and it's time to find something else.  They're just so
damn *useful* is all.  (I have myself tried in the distant
past other methods such as a pad of one-time-use passwords -
the low-tech version that doesn't rely on having a piece of
hardware - and it was just too much of a pain for day-to-day
use.)

Anyway, bottom line: I think that changing your password is itself
a source of vulnerability and I disagree with the received wisdom
that it is necessary.  (I used to have good arguments with our
internal auditor over this :-) )  Just pick a good password, and
once you've memorized it, stick with it unless you see signs that
your account has been compromised.  (Now, being sure that you will
detect a compromise, that is a different argument altogether... Oh
wait, what did I say earlier ;-) )

G
