-
May 4th, 2005, 07:32 PM
#11
At home, I will make a terrible admission: my user IDs and passwords are scotch-taped to the boxes... I have a wife... and they are very complex passes.
IMO in some situations (such as homes) it is not -horrible- to write down the passwords for something. As long as the area they are in has good physical security, and it is OK for everyone that has access to that area to have the passwords, then it's not such a big deal. For home computers where everyone is using it, and they are going to be sharing an account anyway, passwords are really only there to stop remote access.
-
May 4th, 2005, 08:14 PM
#12
The idea behind changing your password periodically is directly related to the fact that it is supposed to take longer to crack the password than the life of the password. Using something like a 7-char password is by far not good enough to meet this principle. If you could produce a password that was uncrackable by the best equipment in, say, 5 years, then not enforcing password changes would be very acceptable.
The other problems you run into are:
Sniffing - Periodic changes only somewhat affect this. It just means that the lifetime a hacker has your password is reduced. Items such as restricted login hours, location, and count are much better ways to reduce this threat.
Social Engineering - Again, if you have policies in place that restrict two users from using the same account, and don't allow out-of-the-norm operations, then this isn't a big issue. If a user has a problem where he/she gave out his/her password, he would understand that he needs to change his password right then, and not when it expires.
Writing down of password - This is by far the worst-case scenario in any password management situation. Again, restricted logins diminish the harm that can be done from such a lapse.
In all three of these cases the periodic change only reduces the lifetime of the stolen password. It's really unlikely that after someone has stolen a password they are going to use it for an extended amount of time anyway. With that information I would have to say then that the only measure that requires periodic changes would be to make the lifetime of the password less than the amount of time it would take to crack it.
Security is a total balancing act. You need to make the password cryptic and long enough to be effective, but short and memorable enough that someone won't write it down. If it were me, I would say increase the requirements of the password, say maybe 3 types of chars and a 12-char minimum, and increase the lifetime of the password to maybe a year. The fact that a user doesn't have to change his password right after he finally starts to remember it will reduce the desire to write it down, yet increases the strength of the password. In the balancing act I feel this is the best situation.
-
May 4th, 2005, 08:33 PM
#13
Considering in the "high end" (government level) passwords are cracked in minutes, and using good rainbow tables and other very effective methods of cracking passwords, 1 year would not be acceptable. You would need to change your passwords more than daily. So your theory that the TTL of a password should be as long as it would take to crack is flawed (not wrong, because it is good logic, and in most cases can hold true, but still very flawed).
As far as password length, 7 characters I think is an acceptable length for lower-level security such as desktop computers with little valuable information on them, home computers, things like that. If my 7-character password was "1@550!?!" it would probably take longer to crack than a 12-character one that looks like "ki11ingtim3!" (this meets your requirements), simply because of the way the password is set up. It is a phrase, using common "leet speech" which is included in all good dictionaries. So password length is not the only thing to consider; the password itself has a lot to do with defense against attacks.
Oh, and I would much rather have a server in a secure area with a post-it with the password written on it placed on the keyboard than I would a server with no physical security and a strong password. If the attacker has physical access, no password will stop him.
-
May 4th, 2005, 08:53 PM
#14
It all depends on the level of risk associated with your system. Complex passwords with short lifespans are just something admins have taken from the trusted operating system texts. It wasn't selected because it is any more useful or sane for your traditional commercial-level security system... than say a security kernel or MAC, but merely because it is really easy to implement.
That said:
1. Complex passwords that are required to be changed will show a statistically insignificant difference in the percentage of users writing down the passwords from simple permanent passwords. The only time you will see a difference is when it is made very clear to the users that you are now using simple passwords that don't need to be changed; however, this will only last a short while (if forced changes are required). My girlfriend is an excellent example: she uses one of two five-letter words with no special casing for all of her passwords... yet she has these written in her phone, address book, notebook in her desk, etc., and she isn't ever required to change those passwords. From my experience she is typical of a non-IT worker using IT resources in this regard.
2. Users frequently use the same passwords for many things. For example, a user gets phished on their home computer or even uses a site like this. They register: [email protected] and use their_normal_password. Now the account has been compromised. Forcing users to change passwords regularly narrows down that window of vulnerability.
I am not sure complex passwords are really a must. I think so long as the login attempts are limited to 3-5, the chances of an attacker guessing a password, especially 7-8 chars, are very slim, even if it is something like "godcatch".
cheers,
catch
PS. to the rest of you, password hashes should never be accessible to untrusted users... so cracking is moot.
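An added example (not code from any poster in this thread) that puts the rules argued in #12, #13 and #14 side by side: a check for the proposed "12 chars, 3 types" policy, #12's lifetime-versus-crack-time test, and a reverse leet-speak dictionary check that flags phrases like "ki11ingtim3!" (or "godcatch") which pass a length rule but are built from words. The wordlist, the leet map and the guess rate are constructed assumptions, not figures from the thread.

```python
import string
from itertools import product

# Constructed mini wordlist standing in for the "good dictionaries" #13 refers to.
WORDLIST = {"killing", "time", "god", "catch", "password"}

# Reverse leet map (assumed): each symbol lists the letters it commonly stands for.
LEET = {"1": "li", "3": "e", "0": "o", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def classes_used(pw):
    """The character types (of four) that a password actually draws from."""
    return [c for c in CLASSES if any(ch in c for ch in pw)]


def meets_policy(pw, min_len=12, min_classes=3):
    """#12's proposed rule: at least 12 characters from at least 3 character types."""
    return len(pw) >= min_len and len(classes_used(pw)) >= min_classes


def expected_crack_years(pw, guesses_per_second):
    """Brute-force estimate: on average half the keyspace of the types used is searched."""
    keyspace = sum(len(c) for c in CLASSES if c in classes_used(pw)) ** len(pw)
    return keyspace / 2 / guesses_per_second / (365.25 * 24 * 3600)


def lifetime_ok(pw, lifetime_days, guesses_per_second):
    """#12's principle: the password must expire before it can be brute-forced."""
    return lifetime_days / 365.25 < expected_crack_years(pw, guesses_per_second)


def dictionary_derived(pw, words=WORDLIST):
    """True if undoing leet substitutions leaves a string made only of wordlist entries.

    Letters pass through; leet symbols expand to each letter they may stand for;
    other punctuation is dropped, so "ki11ingtim3!" is tried as "killingtime".
    """
    options = [LEET.get(ch, ch) for ch in pw.lower() if ch.isalpha() or ch in LEET]
    for letters in product(*options):
        s = "".join(letters)
        # Word-break DP: ok[i] is True when s[:i] splits into wordlist entries.
        ok = [True] + [False] * len(s)
        for i in range(1, len(s) + 1):
            ok[i] = any(ok[j] and s[j:i] in words for j in range(i))
        if s and ok[len(s)]:
            return True
    return False
```

With an assumed rate of 1e9 guesses per second, the 12-character leet phrase passes both the policy and the one-year lifetime test on keyspace alone, yet the dictionary check catches it, which is exactly #13's objection to judging by length.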
-
May 4th, 2005, 09:05 PM
#15
First off, I would make my users change their passwords periodically; I consider this a very good practice, especially in the field of data security and integrity. In every company there is always someone to mess things up and never even care about changing their DEFAULT passwords. I think this enforcement can save a lot of time and money; we don't really need to fall into this pitfall before yielding to the policy of changing the password periodically.
Consider the following scenario: a negligent employee enters the password in the presence of a friend, colleague or even a client. This person might catch the password, and later try to gain access without making sabotage, like going over and stealing some sensitive data. If the password is not changed, this person will still have complete access to the data. This case is usually overlooked and neglected. {No countermeasure policy for such a case}.
Not to mention, many employees may open a work session from home, a friend's house or even from a café. Here there is no guarantee that this PC is not watching the keystrokes {No guarantee of course}.
Believe me guys, in my country there are still people who don't even care about the passwords and their delicate mission. Even in the hottest seats. They keep all the doors of hell wide open, welcoming everyone.
My thoughts
Cheers
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster
-
May 4th, 2005, 09:22 PM
#16
At the end of the day a password is only as secure as the password holder is. All this fuss about passwords becomes moot if your password gives access to the Crown Jewels and someone is holding a gun to your child's head.
A far more secure system would encompass restricted access to a system, user verification and a covert method of telling whether a person's security has been compromised.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
May 4th, 2005, 09:53 PM
#17
At the end of the day a password is only as secure as the password holder is. All this fuss about passwords becomes moot if your password gives access to the Crown Jewels and someone is holding a gun to your child's head.
It's a good thing that BS7799 addresses this. (7.5.5) And to think, some people still find standards useless.
Also, just because something (like passwords) is not a complete solution doesn't mean it shouldn't be discussed just because a situation might arise to nullify it.
A far more secure system would encompass restricted access to a system, user verification and a covert method of telling whether a person's security has been compromised.
Although true, these points are well beyond the scope of this conversation.
cheers,
catch
-
May 4th, 2005, 10:14 PM
#18
By phrases are you saying something like:
pw = My dog is a rat bastard!
We were tossing that around over here for a bit, but it turned out to not be compatible with some of the other stuff we are running. When that legacy stuff gets phased out I have no doubt we'll go that route.
I would still require a mandatory change though - but perhaps every 6 months as opposed to every 30 days.
-
May 4th, 2005, 10:27 PM
#19
Although true, these points are well beyond the scope of this conversation.
Well yes, I suppose they are. I would hazard to say that today, passwords are more a find-a-scapegoat technology than a security technology? Still a very important tool in a corporate or other environment nonetheless.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
May 4th, 2005, 10:51 PM
#20
I would hazard to say that today, passwords are more a find-a-scapegoat technology than a security technology?
I couldn't agree more, and I think that we will see password authentication phased out in the near future. I suspect it will be replaced by two-factor authentication involving either biometrics or something like smartcards... and by having the user answer soft-matching questions.
I have seen a few systems like this already... that ask three simple questions. Typically the user answers 10-20 questions when setting up the account, of which 1-2 of the questions are fakes, e.g.: "When was your last trip to Europe?" If you've never been and this wasn't selected from the original set and you answer it, even if your other answers are correct this will act as a duress alarm.
The duress alarm typically initiates a fake session that is then disconnected giving a communications error, so the attacker doesn't know they were lied to.
After passwords phase out I think we will see application-level security phase out. People will realize that blaming applications for security issues is merely more scapegoating... and the real issue lies at the OS level. NGSCB is a stab at making this workable at the COTS level; I think we'll see good things.
cheers,
catch