Path: utzoo!attcan!uunet!lll-winken!ames!haven!adm!xadmx!ncc!myrias!dbf@pyramid.com
From: ncc!myrias!dbf@pyramid.com (David Ferrier)
Newsgroups: comp.unix.wizards
Subject: Re: Password Aging
Message-ID: <18134@adm.BRL.MIL>
Date: 18 Jan 89 15:54:42 GMT
Sender: news@adm.BRL.MIL
Lines: 103

>Password aging minimizes the amount of time that your password is open
>to attack. You may have a well-chosen password, but the longer it is
>used, the more likely it is that someone has [obtained it]...

This sounds good, but no matter how they try to justify or explain it,
password aging is one of those things that system administrators do
that look really good to system administrators, auditors, and security
consultants, but in practice does not give enough benefit to justify
the tremendous inconvenience and loss of time caused to users and the
organization.

Security measures are put in place to prevent losses. If the cost over
time of a security measure exceeds the probability of loss over time
times the value of the assets, use of the security measure is bad
management. Password aging is an example of a security measure, which,
except for the CIA or other exceptional organizations, usually costs
more to implement than the value of the assets protected.

What does password aging buy you?
---------------------------------

- it helps reduce risk by preventing access to the system and data by
  unauthorized users.

Examination of past security incidents invariably shows that almost all
damage done to systems or data was done by authorized users with
passwords, not by the spooks that password aging is supposed to defend
against.

What are the risks of access by unauthorized users?
---------------------------------------------------

- theft of machine cycles, unauthorized access to data, unauthorized
  modification or destruction of data.
In most systems, the wastage of machine cycles by authorized users who
are inexperienced or inefficient, or read dozens of USENET articles
every day, far exceeds the possible cost of system use arising out of
unauthorized access.

As for data: signon passwords are only the first line of defense.
Depending on the system, a user often has limited access to data.
Unless unprotected data are not backed up, contain vital trade secrets,
or there is no audit trail log generated of modifications to critical
data, access by an unauthorized user is not much of a problem--not
enough, anyway, to justify the cost of password aging.

What is the objective improvement to security given by password aging?
----------------------------------------------------------------------

- who knows? How can you measure the likelihood of a password being
  compromised when it is not changed regularly? A similar study might
  be done on people with wall safes who do not change the combination
  on a regular basis.

What is the cost of password aging?
-----------------------------------

- administrative: staffing a responsive corporate security department
  who can give out new passwords to users who tend to forget theirs
  when they have to change them regularly

- user: need to build into project schedules enough slack to allow for
  loss of productivity due to being unable to access the system because
  a password has expired

- organizational: replacing people who get fed up with the security
  run-around and leave

Anything constructive to say about password aging?
--------------------------------------------------

The following concepts came from working with a password aging system
used by a Toronto computer utility that prevented reuse of any password
for 20 cycles. Worse, it even prohibited use of near matches--"moon" and
"fool" for example. Users had to keep a list of old passwords, because
as a final diabolical twist, the system only gave you five tries to
assign a valid new password when the old one expired, at which point
use of your id was suspended.
- If you must have password aging, keep it within reasonable bounds. As
  with any other corporate program, force the people proposing it to do
  a cost justification, and make a business case if they can for
  forcing people all over the company to do regular password changes.

- Make sure it is an option that you can control on an individual or
  departmental basis, so that only people with high risk data or
  extensive access rights are put to the inconvenience of changing
  passwords frequently, or at all. This control should extend to the
  number of generations of old passwords that are kept on file to
  ensure the new password does not replicate a previous password.

--
David Ferrier
Edmonton, Alberta
alberta!myrias!dbf
(403) 428 1616

[Moderator note: It looks like the upshot of this discussion is that
aging isn't really much help... _H*]