> Would I rather the bad guy had access to the user’s data for 180 days, or 30 days?

Almost every bad guy is going to attempt to create a backdoor on the system such that the user credentials are no longer needed for access. Therefore, the difference between 30 days and infinity is negligible.

-ASB: http://XeeSM.com/AndrewBaker


On Fri, Apr 16, 2010 at 11:02 AM, John Hornbuckle <[email protected]> wrote:

> How do we mitigate the effect of passwords compromised as a result of social engineering? User training is certainly a factor, but let’s say the user still gives his/her password away to a bad guy. Would I rather the bad guy had access to the user’s data for 180 days, or 30 days?
>
> I’m not actually advocating a 30-day change interval—just pointing out that there are real security risks that password changes can mitigate.
>
> BTW… I forwarded the article to our state auditor; a recent audit issued a finding against us for having a 90-day password expiration policy. She remained unmoved. Her office follows the GAO’s FISCAM, which recommends: “Passwords are changed periodically, about every 30 to 90 days. The more sensitive the data or the function, the more frequently passwords should be changed.” Florida’s Auditor General goes with 60 days for network passwords. And personally, I don’t find 60 days to be egregious.
>
> John
>
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Sent:* Friday, April 16, 2010 10:49 AM
> *To:* NT System Admin Issues
> *Subject:* Re: please don't change your password!
>
> Okay, let's look at it this way:
>
> Let's say that one environment has a 30-day password change policy, and another has a 90-day change policy.
>
> In terms of raw opportunity for brute force attacks, the latter environment has 2-3x the risk of attack as the former. In terms of *practical* security differences, however, it is almost negligible. Why?
>
> - It doesn't take anywhere near 30 days to brute force passwords if you had access to the hash
> - Most attacks aren't going to try to brute force passwords remotely because it is too obvious to notice in many cases
> - You could spend far less time port scanning for vulnerable ports or protocols
> - You could spend far less time social engineering access to the password
> - You could spend far less time sending a well-crafted email to take advantage of a vulnerability or to spear phish the user
>
> So, other than the theoretical, there is very little difference in security between the two aforementioned environments if maximum password age is all that separates them.
>
> If someone intends to brute-force accounts in your domain, then even 7 days is too long of a password age. Password length and complexity are vastly more important to overall security than is password age.
>
> I'd rather be in an environment with password changes every 120-180 days, and with passwords of 12+ characters, including special chars, than one with your typical 8 characters and changes every 30-45 days.
>
> The practicality of the former significantly outweighs the latter.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Fri, Apr 16, 2010 at 10:27 AM, John Hornbuckle <[email protected]> wrote:
>
> > I agree that scripted attacks (which aren’t mitigated by password changes) dominate, and targeted attacks are less common. Nevertheless, the latter do occur. As for brute-force attacks… Cryptography isn’t my specialty, but I think you may be underestimating the time it takes to crack a complex password/passphrase.
> >
> > Changing passwords is a nominal task. It takes maybe 60 seconds to do. The real loss of productivity and introduction of new risk come from forgetting the new password or writing it down and storing it in an obvious location—both of which are behaviors that can easily be changed with a bit of training.
> >
> > John
> >
> >
> > *From:* Andrew S. Baker [mailto:[email protected]]
> > *Sent:* Friday, April 16, 2010 10:14 AM
> > *To:* NT System Admin Issues
> > *Subject:* Re: please don't change your password!
> >
> > *This fails to consider the situation where a user’s password is compromised and the bad guy accesses the user’s information on an ongoing basis. For instance, monitoring a folder that contains files with information about patent filings to see when new files show up, or logging into OWA to keep an eye on e-mail messages. The unauthorized access will end once the password is changed (assuming a variety of other factors, such as the bad guy not getting the new password, etc.), and thus requiring regular password changes can be of value.*
> >
> > We live in a world where scripted attacks dominate, and where targeted attacks are against highly privileged assets.
> >
> > Add to that, most scripted attacks are aimed at an application or OS or protocol vulnerability, with the primary intent of sending spam or rooting the machine in some way.
> >
> > Thus, the changing of passwords does little to mitigate any of the aforementioned.
> >
> > Even a targeted attack is likely to take steps to elevate privileges and create a new account for the purpose of removing reliance on the compromised account.
> >
> > *Similarly, regular password changes can mitigate the risk from brute-force attacks. If a password has to be changed every 60 days, for instance, the bad guy will only have 60 days to try to determine the user’s password. This is generally considered to be better than the bad guy having an infinite amount of time to try to determine it.*
> >
> > In most cases, it doesn't take weeks to brute force an account. Mostly hours, and occasionally days. (Doesn't everyone have a quad-core system or set of systems?)
> >
> > But that's not really the point. Most breaches today aren't accomplished via brute force of the password. There are hundreds of other approaches to get into systems remotely that require far less time and effort, and all lead to elevated rights.
> >
> > -ASB: http://XeeSM.com/AndrewBaker
> >
> >
> > On Fri, Apr 16, 2010 at 8:51 AM, John Hornbuckle <[email protected]> wrote:
> >
> > > There’s a flaw in the logic.
> > >
> > > The Globe article states:
> > >
> > > “ . . . [U]sers are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.”
> > >
> > > This fails to consider the situation where a user’s password is compromised and the bad guy accesses the user’s information on an ongoing basis. For instance, monitoring a folder that contains files with information about patent filings to see when new files show up, or logging into OWA to keep an eye on e-mail messages. The unauthorized access will end once the password is changed (assuming a variety of other factors, such as the bad guy not getting the new password, etc.), and thus requiring regular password changes can be of value.
> > >
> > > Similarly, regular password changes can mitigate the risk from brute-force attacks. If a password has to be changed every 60 days, for instance, the bad guy will only have 60 days to try to determine the user’s password. This is generally considered to be better than the bad guy having an infinite amount of time to try to determine it.
> > >
> > > John Hornbuckle
> > > MIS Department
> > > Taylor County School District
> > > www.taylor.k12.fl.us
> > >
> > >
> > > *From:* Brian Clark [mailto:[email protected]]
> > > *Sent:* Thursday, April 15, 2010 4:38 PM
> > > *To:* NT System Admin Issues
> > > *Subject:* please don't change your password!
> > >
> > > After a long week doing an SBS migration I didn't know how to take this article and needed to share it!!
> > >
> > > http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1
> > >
> > > Brian
> > >
> > >
> > > NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
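The arithmetic behind the thread's two quantitative claims (that a 90-day maximum age gives roughly 3x the raw brute-force opportunity of a 30-day one, and that "12+ characters every 120-180 days" beats "8 characters every 30-45 days"), worked through as an added example that is not from any participant in the thread. It assumes an offline attacker who already holds the hash and guesses at a constant rate, a password chosen uniformly from printable ASCII, and a hypothetical round guess rate (`GUESS_RATE`); none of these figures are measurements or come from the thread.

```python
"""Keyspace-versus-lifetime arithmetic for the password-age debate.

Added example; not from any participant in the thread. Assumptions
(not stated in the thread): the attacker already holds the hash and guesses
offline at a constant rate; the password is chosen uniformly at random from
the charset; GUESS_RATE is a hypothetical round figure, not a measurement.
"""

import math

PRINTABLE_ASCII = 95            # printable ASCII characters, space included
SECONDS_PER_DAY = 86_400
GUESS_RATE = 1e9                # hypothetical guesses/second against an unsalted hash


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over the charset."""
    return charset_size ** length


def days_to_exhaust(charset_size: int, length: int, rate: float = GUESS_RATE) -> float:
    """Days needed to try every password in the keyspace at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_DAY


def fraction_covered(charset_size: int, length: int, max_age_days: float,
                     rate: float = GUESS_RATE) -> float:
    """Share of the keyspace searched before a rotation invalidates the hash.

    Under the uniform-choice assumption this is also the probability that
    the attacker recovers the password within one password lifetime.
    """
    guesses_in_lifetime = rate * max_age_days * SECONDS_PER_DAY
    return min(1.0, guesses_in_lifetime / keyspace(charset_size, length))


def age_ratio(short_days: float, long_days: float) -> float:
    """Raw brute-force opportunity ratio between two maximum ages (90 vs 30 = 3x)."""
    return long_days / short_days


def expected_exposure_days(max_age_days: float, attacker_has_persistence: bool) -> float:
    """Average time a stolen (not cracked) password stays usable.

    If the theft happens at a uniformly random point in the rotation cycle,
    the remaining lifetime averages half the maximum age. Once the attacker
    has installed a backdoor or created another account, rotating the
    original credential no longer ends the access at all.
    """
    if attacker_has_persistence:
        return math.inf
    return max_age_days / 2


def compare_policies(rate: float = GUESS_RATE) -> dict:
    """Probability of an offline crack within one lifetime for the policies
    the thread contrasts (8 chars at 30 or 90 days vs 12 chars at 180 days)."""
    return {
        "8 chars, rotated every 30 days": fraction_covered(PRINTABLE_ASCII, 8, 30, rate),
        "8 chars, rotated every 90 days": fraction_covered(PRINTABLE_ASCII, 8, 90, rate),
        "12 chars, rotated every 180 days": fraction_covered(PRINTABLE_ASCII, 12, 180, rate),
    }


if __name__ == "__main__":
    print(f"8-char keyspace exhausted in {days_to_exhaust(PRINTABLE_ASCII, 8):.1f} days")
    print(f"12-char keyspace exhausted in {days_to_exhaust(PRINTABLE_ASCII, 12):.3g} days")
    print(f"90-day vs 30-day raw opportunity: {age_ratio(30, 90):.0f}x")
    for policy, p in compare_policies().items():
        print(f"{policy}: P(cracked within lifetime) = {p:.3g}")
    print("stolen 60-day password, no persistence:",
          expected_exposure_days(60, False), "days on average")
    print("stolen 60-day password, with backdoor:", expected_exposure_days(60, True))
```

At the assumed rate the whole 8-character printable-ASCII space falls in about 77 days, so the 30-day and 90-day policies really do differ for that length (roughly 39% versus certain coverage), while four more characters push the 12-character space out to billions of days and make the rotation interval irrelevant. The uniform-choice model flatters real passwords, which fall to dictionary and mask attacks far faster than these numbers suggest; that only strengthens the conclusion that length and randomness, not age, set the bar.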
