Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!crdgw1!uunet!pilchuck!dataio!gtenmc!joe
From: joe@gtenmc.UUCP (Joe Kelsey)
Newsgroups: comp.misc
Subject: (In)security of passwords
Summary: Expiring passwords considered insecure.
Keywords: security password
Message-ID: <1097@gtenmc.UUCP>
Date: 25 Mar 91 20:15:47 GMT
Organization: GTE Telecom Inc., Bothell, WA
Lines: 28

GTE Corporate auditors are currently on a rampage around the company,
essentially forcing all computer system managers to implement password
expiration.  I am personally convinced that the auditors are misguided and
believe that password expiration systems are actually *less* secure than
other forms of security.  My question is, are there any studies that can
back up my feelings here?

I have a copy of the old Thompson and Morris paper on UNIX password
security, but all that they considered was password length, and they don't
address the relative security of password expiration.

I have been arguing with the various local system managers that
*requiring* users to change their passwords every 30 days makes the system
*less* secure than it was before, because it *forces* people to either
choose trivial passwords (i.e., dictionary entries, etc.) or to write down
their passwords.

I have a gut feeling that the best password scheme is one which makes you
choose your own password that is not in a dictionary and that is more than
6 characters long, including one or more non-alphanumeric characters.  My
contention is that a password chosen this way is so secure that you do not
need any other scheme, especially not password expiration.

Are there any security studies that validate my contention?  I would really
like to fight what I consider to be a misguided corporate policy before it
becomes too entrenched.

Thanks in advance.

/Joe
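The following is an added illustration, not part of Joe's post or any GTE tool. It encodes the password rule he describes (not in a dictionary, more than 6 characters, at least one non-alphanumeric character) as a checker, and then contrasts the guess space a cracker faces for a dictionary-derived password against a policy-compliant one. The word list, the handful of mangling rules (case changes, leet substitution, digit and punctuation suffixes) and the 32-character punctuation set are constructed assumptions; a real cracking dictionary is orders of magnitude larger, which only widens the gap shown here.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (assumption: real lists hold
# tens of thousands of entries, so the numbers below are lower bounds).
WORDLIST = {"password", "secret", "welcome", "letmein",
            "dragon", "summer", "bothell", "telecom"}

MIN_LENGTH = 7  # "more than 6 characters"

# Leet-style substitutions a cracker tries on every dictionary word.
LEET = str.maketrans("aeios", "43105")

# Suffixes users commonly append when forced to rotate a password
# (assumption; chosen to model the "password1", "password2", ... habit).
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "1!", "123"]


def mangled_candidates(word):
    """Yield the cheap variants of one word that a cracker would try."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


# Every guess a dictionary attack with these rules would make.
MANGLED = {cand for w in WORDLIST for cand in mangled_candidates(w)}


def is_dictionary_derived(pw):
    """True if the password is a dictionary word or a trivial mangling of one."""
    return pw in MANGLED


def check_policy(pw):
    """Return the list of rules the password violates (empty means compliant)."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("too short")
    if all(c.isalnum() for c in pw):
        violations.append("no non-alphanumeric character")
    if is_dictionary_derived(pw):
        violations.append("dictionary-derived")
    return violations


def charset_size(pw):
    """Size of the alphabet a brute-force search must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def guesses_needed(pw):
    """Worst-case guesses for the cheapest attack that finds this password."""
    if is_dictionary_derived(pw):
        return len(MANGLED)          # dictionary attack finishes the job
    return charset_size(pw) ** len(pw)  # otherwise exhaustive search


def strength_bits(pw):
    """log2 of the guess space: a convenient single number to compare."""
    return math.log2(guesses_needed(pw))


if __name__ == "__main__":
    # "Password1!" satisfies length and symbol rules but is a mangled dictionary
    # word, so only the dictionary test rejects it.
    for pw in ["Password1!", "dr4g0n", "k7#Rwq!p"]:
        print(f"{pw:12} violations={check_policy(pw)} "
              f"guesses={guesses_needed(pw)} bits={strength_bits(pw):.1f}")
```

Run as a script, the comparison shows why the dictionary test carries the policy: a rotated-by-suffix password such as "Password1!" passes the length and symbol rules yet sits inside a few hundred guesses, while an 8-character password drawn from the full 94-symbol alphabet needs on the order of 2^52.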