Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 13 Apr 2009 22:19:11 -0400
An encouraging thing I have seen recently is with my 16 and 22 year olds. I asked one of them for the password to their laptop recently and he was hesitant to give it to me - not because they didn't want me into the machine but because it was a passphrase that was 22 characters long. I took that example and recently asked in my class (I also teach a course in InfoSec and Privacy at UC) how many students used a:

* greater than 12 character password, and then
* greater than 18 character, and then
* greater than 23 character

--> the winner during the last three courses was 24 characters, and many of the students used a passphrase that was 12 or greater characters.

I agree with your comment that folks who do circumvent the controls really need to be held responsible. Just because someone may circumvent our controls (prop the back fire door open, for example) does not mean we should stop designing and putting the controls in place (lock the door). We can all cite examples from many years ago when IT resources and others shared passwords (I ran a help desk for a Fortune 35 at the time and thought nothing of "borrowing" a password from one of my employees - we all did it), posted passwords under keyboards, etc. I like to think that the recent TV commercials, news articles, 60 Minutes shows, etc. have made folks more aware and less apt to take actions like the one cited by the secretary below.

I have to admit that I find it difficult to comprehend that we, as security professionals, debate the benefits of passwords that change at intervals. Password management is cited in just about all the standards we ask others to follow - NIST, ISO 27002:2005, the CAG, COBIT, etc. If we don't buy into it, our community members can't be expected to. I do recall that the one thing hammered into my head during my CISSP bootcamp with Dr. Cole was that a brute force attack against passwords CAN'T be stopped if the attacker is given unlimited time, and that long passwords that change frequently are a proper and effective defense against that activity. If we believe in layered defense or defense in depth, I see no reason why we would take forcing mandatory password changes out of our defensive armament.

-Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David L. Wasley [dlwasley () EARTHLINK NET]
Sent: Monday, April 13, 2009 9:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

I too tend to be suspicious of forced password changes. Brute force attacks can be mitigated in other ways. Potential sharing of passwords is also a weak argument, since anyone who shares will share again. If they share, they should know they will be held responsible for any consequences, and be given an alternative if there is good reason to share access.

Some years ago, in the organization in which I worked, one of the offices required monthly changes of all desktop user passwords. This of course was frustrating for the 40+ people in that office, so someone there came up with a solution: the department's secretary kept all the passwords on a piece of paper in her unlocked file cabinet. Each month she would change everyone's individual password to contain a different "last 2 digits" - representing the month number (01, 02, 03 ...). A lot of work for her but easy for everyone to remember. Yes - Everyone! (I suggested they at least lock the file cabinet ...)

David

-----
At 2:13 PM -0700 on 4/13/09, Karl Heins wrote:
Several years ago our external auditors (PWC) made a recommendation to change the password aging from 90 to 60 days at one campus, and also made a recommendation to change the password aging from 60 to 30 days at another campus. The CIO asked me what would be the basis for either the 30 or 60 days. This started my interest in this topic.

With over 20 years of IT audit experience, including 10 years at a large CPA firm (3 years in the national office), and after spending some time on the topic, I was unable to identify a good basis for either the 30, 60 or any number of days. So, working with the system-wide UC CIO, we looked into our experiences with password aging. With hundreds of systems and many problems in our combined experience, we were not able to find a single actual case where just aging out a password would have made a difference. I also challenged our auditors PWC to show a basis for their recommendations - no factual cases where there would have been a change in results.

As a result I see little value in changing passwords just because of the passage of time. Aging passwords seems like a good idea; however, there appears to be little factual evidence supporting this effort. While my work was anecdotal and lacks the rigor of good research, it would help if I could point to a single factual case where not aging passwords would have prevented a problem. To date, I have no such case.

Don't feel that I am soft on controls or passwords; I consider other password controls critical to a good internal control system. I can point to plenty of cases where sharing passwords caused a problem - problems that cost the organization real dollars of loss. I also feel that strong passwords are important, I feel that passwords should be hashed (not saved in the clear), and that any time a password is compromised it should be changed. Passwords can be a good, effective, inexpensive control if handled properly.

I realize that the password changing process is a part of every auditor's, regulator's and security person's standard checklist. I am not opposed to changing passwords periodically; I just see very little value in changing because of the passage of time. And I continue to look for that first case where aging would have made a difference.

Respectfully and with an open mind,
Karl

------------------------
Karl Heins
Chief Information Security Officer
University of California, Santa Barbara
Karl.Heins () oist ucsb edu
(805) 893-8843