nanog mailing list archives
Remembering history passwords may be bad, but they are getting worse
From: Sean Donelan <sean () donelan com>
Date: Mon, 28 Jul 2003 01:00:55 -0400 (EDT)
On Sun, 27 Jul 2003, Stephen Sprunk wrote:
> There's a staggering number of web sites that won't allow me to use non-alphanumeric characters in my passwords at all. I've even run into a few which also don't allow and/or preserve upper-case letters. Those who fail to learn the lessons of history...
It's even worse, we're actually moving backwards. Not only users, but even "security consultants" don't understand the history. They have checklists. The checklist says you must change the password every 30 days pass/fail.

If you go to the library (or use Google) and look up the Green Book, you'll find password lifetime was not a critical factor. The Green Book has the somewhat arbitrary recommendation for a 1 year password lifetime. The original analysis was based on 300/1200 baud modems, but even that isn't relevant *PROVIDED* you implement the other recommendations in the Green Book. Most bank 4-6 numeric PINs have indefinite lifetimes. Most ISPs don't require consumers to change network passwords.

The problem is fewer and fewer modern systems implement the other recommendations. So password lifetime has become the primary protection factor.

How many systems notify the user
- the date and time of user's last login
- the location of the user at the last login
- unsuccessful login attempts since last successful login

How many web systems control the rate of login attempts
- by source
- by userid

How many web systems notify anyone or block the account after N unsuccessful login attempts either temporarily or permanently

Systems like VAX/VMS had a relatively sophisticated intrusion detection and evasion process built into the operating system by the 1980's.

Note: if the user's PC has been compromised it doesn't matter how frequently they change their password. Even pseudo-random one-time-password systems are vulnerable when the user's system has been compromised (as some mobsters found out when the FBI infiltrated their systems).
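The controls the message asks about (a last-login notice to the user including failed attempts since the last success, rate control by source and by userid, and blocking the account after N failures) as an added Python example; this is not code from the original thread, and the thresholds, user names and addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policy values for this illustration; the thread names no thresholds.
MAX_FAILURES_PER_ACCOUNT = 5   # block the account after this many failures in a row
MAX_ATTEMPTS_PER_SOURCE = 20   # cap on attempts from one source inside the window
WINDOW_SECONDS = 600

@dataclass
class Account:
    password: str                        # plaintext only for the demo; store a hash in real systems
    failures_since_success: List[Tuple[float, str]] = field(default_factory=list)
    last_login: Optional[Tuple[float, str]] = None   # (time, source) of the last success
    locked: bool = False

class LoginMonitor:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.source_attempts: Dict[str, List[float]] = {}

    def add_user(self, userid: str, password: str) -> None:
        self.accounts[userid] = Account(password)

    def _source_rate_ok(self, source: str, now: float) -> bool:
        # Rate control by source: keep only attempts inside the sliding window.
        recent = [t for t in self.source_attempts.get(source, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.source_attempts[source] = recent
        return len(recent) <= MAX_ATTEMPTS_PER_SOURCE

    def login(self, userid: str, password: str, source: str, now: float) -> Tuple[bool, str]:
        """Return (success, notice); the notice is shown to the user or logged for operators."""
        if not self._source_rate_ok(source, now):
            return False, f"rate limit: too many attempts from {source}"
        acct = self.accounts.get(userid)
        if acct is None or acct.locked:
            return False, "login denied"          # same answer for unknown and locked accounts
        if password != acct.password:
            acct.failures_since_success.append((now, source))   # rate control by userid
            if len(acct.failures_since_success) >= MAX_FAILURES_PER_ACCOUNT:
                acct.locked = True                # block the account after N failures
                return False, f"account {userid} locked after {MAX_FAILURES_PER_ACCOUNT} failures"
            return False, "login denied"
        # Success: tell the user what only the system knows about the account's history.
        sources = sorted({s for _, s in acct.failures_since_success})
        notice = (f"last login: {acct.last_login}; "
                  f"{len(acct.failures_since_success)} failed attempts since then from {sources}")
        acct.failures_since_success = []
        acct.last_login = (now, source)
        return True, notice
```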