Path: utzoo!attcan!uunet!husc6!cmcl2!adm!xadmx!mchinni@ardec.arpa
From: mchinni@ardec.arpa (Michael J. Chinni, SMCAR-CCS-E)
Newsgroups: comp.unix.wizards
Subject: [Lynn R Grant: Password Aging]
Message-ID: <17981@adm.BRL.MIL>
Date: 28 Dec 88 14:00:16 GMT
Sender: news@adm.BRL.MIL
Lines: 42

F Y I

----- Forwarded message # 1:

Received: from [192.12.8.6] by ARDEC-CC1.ARDEC.ARPA id aa10257; 27 Dec 88 19:02 EST
Received: from [128.6.4.15] by IMD.PICA.ARMY.MIL id aa16810; 27 Dec 88 19:03 EST
Sender: security%pyrite.rutgers.edu@PICA.ARMY.MIL
Date: Wed, 14 Dec 88 15:40 EST
From: Lynn R Grant
Subject: Password Aging
To: Security@RUTGERS.EDU
Message-ID: <8812271903.aa16810@IMD.PICA.ARMY.MIL>

Re: Bernie Cosell's question about the usefulness of password aging:

Password aging minimizes the amount of time that your password is open to attack. You may have a well-chosen password, but the longer it is used, the more likely it is that someone has looked over your shoulder and seen you enter it, or a line-tapper has read it off your communication line, or, if you are the type that writes your good password on a piece of paper, someone has discovered it.

The DoD Password management guideline has another good use of this, though I have never seen it implemented the way they describe. Most systems I have seen will suspend your userid after you enter some number of incorrect passwords. You must then get a security administrator to reset it. This leaves you open to an easy denial-of-service attack. And if someone does it to all your security administrators, the whole shop is in trouble.

To counter this, the DoD guideline suggests making the logon process get slower after the first few bad passwords are entered for a particular userid. That limits how many passwords can be tried in a given length of time, without leaving you open to the denial-of-service attack.

If you calculate how many tries it will take on the average to guess your password, you can set up your password so it expires before then, making a brute force attack much harder.

Lynn Grant

----- End of forwarded messages
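The two mechanisms Grant describes, a per-userid logon that slows down after a few bad passwords instead of suspending the account, and an expiry interval derived from how long a guesser needs on average under that slowdown, are illustrated below. This is an added example written for this page, not code from the post, the DoD guideline, or any real system; the attempt thresholds, the doubling delay schedule, the 64-second cap and the userid "alice" are all assumptions of the example.

```python
"""Progressive logon delay per userid, plus a password-expiry estimate.

Constructed illustration of the DoD-guideline idea described in the post:
after a few bad passwords for a userid the logon gets slower (here: the
wait doubles per failure, capped), so guessing is rate-limited but the
userid is never suspended and no administrator reset is ever needed.
All constants below are assumptions, not values from any guideline.
"""
from dataclasses import dataclass, field

FREE_FAILURES = 2          # assumption: the first two bad passwords add no delay
BASE_DELAY_SECONDS = 1.0   # assumption: the third failure imposes a 1 s wait
MAX_DELAY_SECONDS = 64.0   # assumption: cap, so a real user waits at most ~1 minute


def delay_for_failures(failures: int) -> float:
    """Seconds the next logon attempt must wait after `failures` consecutive bad passwords."""
    if failures <= FREE_FAILURES:
        return 0.0
    return min(MAX_DELAY_SECONDS, BASE_DELAY_SECONDS * 2 ** (failures - FREE_FAILURES - 1))


@dataclass
class LogonThrottle:
    """Per-userid state: (consecutive failures, earliest time the next attempt is accepted)."""
    state: dict[str, tuple[int, float]] = field(default_factory=dict)

    def attempt(self, userid: str, password_ok: bool, now: float) -> tuple[bool, float]:
        """Process one logon attempt at time `now` (seconds).

        Returns (accepted, seconds_to_wait). An attempt made before the
        current wait has elapsed is refused without being checked and
        without lengthening the wait, so hammering the userid gains nothing.
        A correct password after the wait clears the failure history.
        """
        failures, not_before = self.state.get(userid, (0, 0.0))
        if now < not_before:
            return False, not_before - now
        if password_ok:
            self.state.pop(userid, None)
            return True, 0.0
        failures += 1
        wait = delay_for_failures(failures)
        self.state[userid] = (failures, now + wait)
        return False, wait


def time_for_attempts(n: int) -> float:
    """Seconds a guesser needs to make n consecutive attempts on one userid (first n-1 fail)."""
    total = 0.0
    for k in range(1, n):
        d = delay_for_failures(k)
        if d >= MAX_DELAY_SECONDS:
            total += d * (n - k)   # every remaining failure waits the capped delay
            break
        total += d
    return total


def expected_tries(alphabet_size: int, length: int) -> int:
    """Average number of guesses to hit a uniformly chosen password: half the keyspace."""
    return (alphabet_size ** length) // 2


def expiry_seconds(alphabet_size: int, length: int, safety_fraction: float = 0.1) -> float:
    """Lifetime to give a password so it expires well before the average guessing time.

    `safety_fraction` (assumption: one tenth) is the share of the expected
    guessing time after which the password should already have been changed.
    """
    return time_for_attempts(expected_tries(alphabet_size, length)) * safety_fraction


if __name__ == "__main__":
    throttle = LogonThrottle()
    clock = 0.0
    # Constructed sequence: five wrong passwords, then the right one.
    for ok in [False, False, False, False, False, True]:
        accepted, wait = throttle.attempt("alice", ok, clock)
        print(f"t={clock:6.1f}s ok={ok!s:5} accepted={accepted!s:5} next wait={wait:.1f}s")
        clock += wait
    days = expiry_seconds(26, 8) / 86400
    print(f"8 lowercase letters: expire after about {days:.0f} days under this throttle")
```

The throttle also refuses a correct password submitted during the wait; that is deliberate, since the delay is what bounds the guess rate, and the legitimate user's cost is at most one capped wait. The expiry estimate assumes the guesser is limited to this one logon path, which is the situation the post addresses.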