The purpose of this thread wasn't to suggest that anyone was doing evil by changing passwords. It was to question the premise of increased security by password changes of a relatively frequent nature.
Sure, that's what auditors will look for, just like they used to insist that the administrator account be renamed. Today's best practice isn't necessarily tomorrow's best practice because not only does technology change, but the circumstances change as well. I have no problem going on record saying that there is virtually no security benefit of a 30 day password age cycle over 60, 90, 120 or 180 days. And I have justified it with auditors. (The key thing is to document it and be consistent in application). Most of the security policies I have written or updated over the past few years have had the following characteristics as it pertains to passwords/passphrases: *Non-Privileged Accounts:* - Max Age: 90-120 days - Min Age: 1 Day - Password History: 4 - Length: 8-10 min - Complexity: Mixed case alphanumeric with special characters *Admin-level Accounts & Services:* - Max Age: 180-200 days - Min Age: 1 Day - Password History: 4 - Length: 16-20 chars *min* - Complexity: Full complexity (preferably random for service accounts) None of these environments has proven to be any less secure because of the longer password change cycle. We'll see best practices in this arena start to change over the next 12-24 months as people realize that it doesn't mitigate what people think it does -- nor could it. For the few environments where password cracking/theft continues to be a major vector for intrusion, they should have already adopted token-based multi-factor authentication. Add variableness to *each* logon. A week is too long. -ASB: http://XeeSM.com/AndrewBaker On Fri, Apr 16, 2010 at 1:39 PM, John Hornbuckle < [email protected]> wrote: > You’re assuming that having a user’s credentials allows the bad guy to > install a backdoor. It doesn’t necessarily, though, depending on other > security factors. > > > > And there’s the key… The goal is a layered security approach. We all know > that no one action, product, etc. will fix everything because there are so > many attack vectors. So we combine techniques, with the plan being that that > each technique will further improve security—even though we know that some > techniques are more effective than others. > > > > If the cost of implementing security exceeds the cost of a security > compromise, then we have a problem. I’m not convinced that requiring regular > password changes does this, though (depending on the interval, of course). > As I mentioned earlier, the time it takes is miniscule. In our case, > approximately one minute ever 60 days. If the user forgets their new > password, that could bump it up to five minutes since they’ll have to use > the self-service system to pick a new one—but I’m betting they don’t do that > more than a time or two before they start getting better about remembering. > > > > Another factor is liability. We deal with student records that, by law, > we’re obligated to keep private. I’m sure most every organization has some > sort of data on hand that’s governed by law from a privacy standpoint. If a > breach of security were to occur, I want to be able to prove that we > followed best practices for security. We’re probably going to do better in > court if we show that we’re adhering to the recommendations of the GAO and > the Florida Auditor General’s office. > > > > > > John > > > > > > > > *From:* Andrew S. Baker [mailto:[email protected]] > *Sent:* Friday, April 16, 2010 1:05 PM > > *To:* NT System Admin Issues > *Subject:* Re: please don't change your password! > > > > *>>**Would I rather the bad guy had access to the user’s data for 180 > days, or 30 days?* > > > > Almost every bad-guy is going to attempt to create a backdoor on the system > such that the user credentials are no longer needed for access. > > > > Therefore, the difference between 30 days and infinity is negligible. > > > -ASB: http://XeeSM.com/AndrewBaker > > On Fri, Apr 16, 2010 at 11:02 AM, John Hornbuckle < > [email protected]> wrote: > > How do we mitigate the effect of passwords compromised as a result of > social engineering? User training is certainly a factor, but let’s say the > user still gives his/her password away to a bad guy. Would I rather the bad > guy had access to the user’s data for 180 days, or 30 days? > > > > I’m not actually advocating a 30-day change interval—just pointing out that > there are real security risks that password changes can mitigate. > > > > BTW… I forwarded the article to our state auditor; a recent audit issued a > finding against us for having a 90-day password expiration policy. She > remained unmoved. Her office follows the GAO’s FISCAM, which recommends: > “Passwords > are changed periodically, about every 30 to 90 days. The more sensitive the > data or the function, the more frequently passwords should be changed.” > Florida’s Auditor General goes with 60 days for network passwords. And > personally, I don’t find 60 days to be egregious. > > > > > > > > John > > > > > > > > *From:* Andrew S. Baker [mailto:[email protected]] > *Sent:* Friday, April 16, 2010 10:49 AM > > > *To:* NT System Admin Issues > > *Subject:* Re: please don't change your password! > > > > Okay, let's look at it this way: > > > > Let's say that one environment has a 30 day password change policy, and > another has a 90 day change policy? > > > > In terms of raw opportunity for brute force attacks, the latter environment > has 2-3x the risk of attack as the former. In terms of *practical* > security differences, however, it is almost negligible. Why? > > - It doesn't take anywhere near 30 days to brute force passwords if you > had access to the hash > - Most attacks aren't going to try to brute force passwords remotely > because it is too obvious to notice in many cases > - You could spend far less time port scanning for vulnerable ports or > protocols > - You could spend far less time social engineering access to the > password > - You could spend far less time sending a well crafted email to take > advantage of a vulnerability or to spear phish the user > > > > So, other than the theoretical, there is very little difference in security > between the two aforementioned environments if maximum password age is all > that separates them. > > > > If someone intends to brute-force accounts in your domain, then even 7 days > is too long of a password age. Password length and complexity is vastly > more important to overall security than is password age. > > > > I'd rather be in an environment with password changes every 120-180 days, > and with passwords of 12+ characters, including special chars, than one with > your typical 8 characters and changes every 30-45 days. > > > > The practicality of the former significantly outweighs the latter. > > > -ASB: http://XeeSM.com/AndrewBaker > > > > On Fri, Apr 16, 2010 at 10:27 AM, John Hornbuckle < > [email protected]> wrote: > > I agree that scripted attacks (which aren’t mitigated by password changes) > dominate, and targeted attacks are less common. Nevertheless, the latter do > occur. As for brute-force attacks… Cryptography isn’t my specialty, but I > think you may be underestimating the time it takes to crack a complex > password/passphrase. > > > > Changing passwords is a nominal task. It takes maybe 60 seconds to do. The > real loss of productivity and introduction of new risk come from forgetting > the new password or writing it down and storing it in an obvious > location—both of which are behaviors that can easily be changed with a bit > of training. > > > > > > > > > > > > John > > > > > > > > > > > > *From:* Andrew S. Baker [mailto:[email protected]] > *Sent:* Friday, April 16, 2010 10:14 AM > > > *To:* NT System Admin Issues > > *Subject:* Re: please don't change your password! > > > > *This fails to consider the situation where a user’s password is > compromised and the bad guy accesses the user’s information on an ongoing > basis. For instance, monitoring a folder that contains files with > information about patent filings to see when new files show up, or logging > into OWA to keep an eye on e-mail messages. The unauthorized access will end > once the password is changed (assuming a variety of other factors, such as > the bad guy not getting the new password, etc.), and thus requiring regular > password changes can be of value.* > > > > > > We live in a world where scripted attacks dominate, and where targeted > attacks are against highly privileged assets. > > > > Add to that, most scripted attacks are aimed at an application or OS or > protocol vulnerability, with the primary intent of sending spam or rooting > the machine in some way. > > > > Thus, the changing of passwords does little to mitigate any of the > aforementioned. > > > > Even a targeted attack is likely to take steps to elevate privileges and > creating a new account for the purpose of removing reliance on the > compromised account. > > > > > > *Similarly, regular password changes can mitigate the risk from > brute-force attacks. If a password has to be changed every 60 days, for > instance, the bad guy will only have 60 days to try to determine the user’s > password. This is generally considered to be better than the bad guy having > an infinite amount of time to try to determine it.* > > > > > > In most cases, it doesn't take weeks to brute force an account. Mostly > hours, and occasionally days. (Doesn't everyone have a quad-core system > or set of systems?) > > > > But that's not really the point. Most breaches today aren't accomplished > via brute force of the password. There are hundreds of other approaches to > get into systems remote that require far less time and effort, and all lead > to elevated rights. > > > > -ASB: http://XeeSM.com/AndrewBaker > > > > On Fri, Apr 16, 2010 at 8:51 AM, John Hornbuckle < > [email protected]> wrote: > > There’s a flaw in the logic. > > > > The Globe article states: > > > > “ . . . [U]sers are admonished to change passwords regularly, but redoing > them is not an effective preventive step against online infiltration unless > the cyber attacker (or evil colleague) who steals your sign-in sequence > waits to employ it until after you’ve switched to a new one, Herley wrote. > That’s about as likely as a crook lifting a house key and then waiting until > the lock is changed before sticking it in the door.” > > > > This fails to consider the situation where a user’s password is compromised > and the bad guy accesses the user’s information on an ongoing basis. For > instance, monitoring a folder that contains files with information about > patent filings to see when new files show up, or logging into OWA to keep > an eye on e-mail messages. The unauthorized access will end once the > password is changed (assuming a variety of other factors, such as the bad > guy not getting the new password, etc.), and thus requiring regular password > changes can be of value. > > > > Similarly, regular password changes can mitigate the risk from brute-force > attacks. If a password has to be changed every 60 days, for instance, the > bad guy will only have 60 days to try to determine the user’s password. This > is generally considered to be better than the bad guy having an infinite > amount of time to try to determine it. > > > > > > > > John Hornbuckle > > MIS Department > > Taylor County School District > > www.taylor.k12.fl.us > > > > > > > > > > > > *From:* Brian Clark [mailto:[email protected]] > *Sent:* Thursday, April 15, 2010 4:38 PM > > > *To:* NT System Admin Issues > > *Subject:* please don't change your password! > > > > After a long week doing a SBS migration I didn't know how to take this > article and needed to share it!! > > > > > http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1 > > > > > > Brian > > > > > > > > > > > > NOTICE: Florida has a broad public records law. Most written communications > to or from this entity are public records that will be disclosed to the > public and the media upon request. E-mail communications may be subject to > public disclosure. > > > > > > > > > > > > NOTICE: Florida has a broad public records law. Most written communications > to or from this entity are public records that will be disclosed to the > public and the media upon request. E-mail communications may be subject to > public disclosure. > > > > > > > > > > > > NOTICE: Florida has a broad public records law. Most written communications > to or from this entity are public records that will be disclosed to the > public and the media upon request. E-mail communications may be subject to > public disclosure. > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
