Password policy letter (IWETHEY forum thread, April 2005)

Disagree about the expiration
Some time ago I read a paper which showed that constantly changing passwords was actually less secure than just using a strong password in the first place. Eventually you are going to have passwords written down, and that defeats the point of the whole thing.

It is a particular pain in the butt for me as I use half a dozen computers (not necessarily the same ones) in the course of a day and I keep having to figure out which password was loaded on which machine.

My 0.02
Hugh
"feel free to adapt"
I wasn't in agreement with it either but had to follow instructions from higher up.

Edit: more opinion

I would prefer even stronger password requirements* with expiration set to 90 days.


*
20 characters minimum
require at least two numerals
require at least two special/punctuation characters
require at least two capital letters and at least two lower case.
-----------------------------------------
"In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican."
-- H. L. Mencken

Support our troops, Impeach Bush.
D. D. Richards
Edited by Silverlock April 15, 2005, 11:21:47 AM EDT
Edited by Silverlock April 15, 2005, 11:50:01 AM EDT
Re: "feel free to adapt"
Any restrictions put on passwords (20 character minimum, must have at least X number of <special character>) make passwords easier to crack by helping the Bad Guys (with automated attack schemes) narrow down their list of Passwords To Try.
-YendorMike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Are you sure about that?
Restrictions that require more complexity than users would ordinarily use would seem to make the Bad Guy's job harder to me.

But this wouldn't be the first time I've been bit by a counter-intuitive thingamajig.
Let's say I'm a bad guy
I don't know a thing about the password scheme at your company. For simplicity's sake, let's say that I assume that your passwords can have anywhere between 1 and 20 characters, in any combination. I'm going to write some kind of loop that goes over all characters in all combinations in all lengths between 1 and 20 characters.

But wait! I've just seen your company's memo that tells me <what you stated above, including that all passwords must be a minimum of 20 characters>! Someone decided to bitch about it on fuckedcompany.com!

You have just SIGNIFICANTLY reduced the number of passwords that I need to try, as I can fine-tune my algorithm to match those specs.
-YendorMike

On the other hand
On the other hand, if the company doesn't set any standards a hacker will probably get half of the passwords by the time he reaches 5 character length.

You really need to set a reasonable minimum on these things. But at the same time you need to realize that everything you fix is another piece of information that a hacker might be able to use to narrow his search space.

If you don't require a mix of letters and numbers, most people won't, and a smart hacker will push them to the bottom of his search routine. Odds are this will save the hacker more work than the reverse, where the hacker knows he can leave all pure character passwords off the list entirely.

Jay
Account locked after 5 bad passwords
I would assume that would keep this from being a concern whereas simpler passwords would have a greater chance of being guessed before lockout.
You are an *incompetent* bad guy
The competent ones have dictionaries of a few thousand likely passwords that they try on every login first. These will crack a significant fraction of accounts if there is no strong password policy, and running through them can be done reasonably fast.

Now suppose that there are 10 characters in the password, which could be upper case, lower case, or numbers. 62 possibilities. That is 62**10 possible combinations or 8.39299e17. Suppose that you are trying combinations at the rate of 1 billion per second. (You aren't, your CPU doesn't go nearly that fast.) Then it will only take you 8.39299e8 seconds to run through the possibilities. So after 13 years of hard work, the odds are still against you succeeding. Too bad the password was changed on you 12 years and 11 months ago!

Only incompetent bad guys use brute force on this problem unless the set of possible passwords is very limited.

Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
Granted...
...I'm *not* a bad guy. I'm not a security guy, either. But still, requiring "2 UC chars, 2 lc chars, and a byte of punctuation" reduces the number of possible permutations of passwords quite a bit.
-YendorMike

Disagree
You are assuming that I am limiting the possible characters in a password given my scheme above. I submit that without the requirement of characters beyond lowercase letters, users will almost universally use *only* lowercase letters.

So, mathematically speaking you are correct. In the real world of messy humans I think my scheme will, practically speaking, expand the number of possible passwords.
But not enough to be even remotely useful
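The disagreement above (Ben's 62**10 arithmetic, Yendor's claim that "at least two of each class" shrinks the space, Silverlock's reply that users left alone pick lowercase-only strings) can be settled by counting. The block below is an added example, not code posted by anyone in this thread. It assumes a 95-symbol printable ASCII alphabet split into 26 lower, 26 upper, 10 digits and 33 punctuation/special characters, and the 1e9 guesses per second rate Ben uses; both are assumptions chosen to match the posts.

```python
"""Search-space arithmetic for the password-policy argument above.

Added example, not code posted by anyone in this thread.  It reproduces
Ben's 62**10 figure for a 10-character alphanumeric password and then
measures exactly how much Yendor's objection costs: how many 20-character
strings survive Silverlock's "at least two of each class" rule.  The class
sizes (95 printable ASCII characters split into 26 lower, 26 upper, 10
digits and 33 punctuation/special characters) and the 1e9 guesses/second
rate are assumptions chosen to match the posts, not measured values.
"""
from itertools import product
from math import factorial, log2

# Assumed character classes (printable ASCII, space excluded).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())  # 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def constrained_count(length: int, min_each: int) -> int:
    """Exact number of `length`-character strings over CLASSES that contain
    at least `min_each` characters from every class.

    For one split (a lower, b upper, c digits, d specials, a+b+c+d == length)
    the count is the multinomial length!/(a!b!c!d!) times 26**a*26**b*10**c*33**d.
    Summing over every split whose counts are all >= min_each gives the exact
    total; with min_each == 0 it must equal ALPHABET ** length.
    """
    sizes = list(CLASSES.values())
    total = 0
    for counts in product(range(min_each, length + 1), repeat=len(sizes)):
        if sum(counts) != length:
            continue
        ways = factorial(length)
        for n in counts:
            ways //= factorial(n)          # multinomial: which positions get which class
        for n, size in zip(counts, sizes):
            ways *= size ** n              # which character of the class fills each one
        total += ways
    return total


def years_to_exhaust(count: int, guesses_per_second: float = 1e9) -> float:
    """Wall-clock years to try every candidate at the assumed guess rate."""
    return count / guesses_per_second / (365.25 * 24 * 3600)


def policy_reduction(length: int = 20, min_each: int = 2) -> dict:
    """Compare the full space of `length`-char strings with the subset that
    satisfies the complexity rule, in raw counts, bits and attack time."""
    total = keyspace(ALPHABET, length)
    allowed = constrained_count(length, min_each)
    return {
        "total": total,
        "allowed": allowed,
        "fraction_left": allowed / total,
        "bits_lost": log2(total) - log2(allowed),
        "years_at_1e9_per_s": years_to_exhaust(allowed),
    }


if __name__ == "__main__":
    # Ben's figure: 10 characters, 62-symbol alphabet.
    ben = keyspace(62, 10)
    print(f"62**10 = {ben:.5e}, {years_to_exhaust(ben):.1f} years at 1e9/s")

    # Silverlock's point: users left alone pick lowercase-only strings.
    lazy = keyspace(26, 8)
    print(f"26**8  = {lazy:.3e}, "
          f"{years_to_exhaust(lazy) * 365.25 * 24 * 3600:.0f} seconds at 1e9/s")

    # Yendor's objection, measured: what the 20-char rule removes.
    r = policy_reduction()
    print(f"20 chars, >=2 of each class: {r['fraction_left']:.3f} of the space "
          f"remains ({r['bits_lost']:.2f} bits lost), "
          f"{r['years_at_1e9_per_s']:.3e} years at 1e9/s")
```

Run as a script it prints the three comparisons. The "at least two of each class" rule discards well under half of the 20-character space, less than one bit of entropy, while the lowercase-only 8-character habit it is meant to prevent is exhausted in minutes at the same guess rate; that is the sense in which both Yendor (the rule does shrink the space) and Ben (not by enough to matter) are right.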
Re: Let's say I'm a bad guy
If I'm the bad guy, I love policies like this. By making passwords harder to remember, people are pretty much forced to write their passwords down. All I need to do is get access to their offices, where I can look at the post-its on their monitors, look under their keyboards, or open their desk drawers.
BINGO!
If you have a strong password initially and you have a lockout after a few attempts, there is no point in constantly changing unrememberable passwords. It just makes things worse.
Yep, during security audit at gov agency I worked at
the investigators explained they came up with over 50 valid logins without ever turning on a computer just by walking around the office after hours.



"Whenever you find you are on the side of the majority, it is time to pause and reflect"   --Mark Twain

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."   --Albert Einstein

"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses."   --George W. Bush
What's the alternative?
I hear the chorus, "this is stupid. it's too hard to remember. bad guys might take advantage of it." What alternative do you propose? What do you think will be simple enough that users won't write down passwords on post-its? In my experience, there is no such animal. They will do that even if you only require a single character.
Yeabut requiring frequent changes makes it worse.
A reasonably complex password is required, but realistically it's probably necessary - in addition - to have an audit policy in place. Is there suspicious usage of accounts? Are account being used in new and unexplained ways?

I don't know how you'd do that in an automated fashion that would be smart enough to catch unusual usage. I expect that few companies would be willing to dedicate a person or more to watching account activity.

Maybe an additional statement like: "All activity on the corporate computers may be logged. You are responsible for the security of your account. Treat it like your Social Security number..." would help people to take passwords seriously.

IMO, having a reasonably complex password that people can remember is much more important than changing them every 30 days. If they're complex and frequently change, then people will make cheat sheets. If things are audited, then I think yearly password changes are more than sufficient (and/or requiring changes when people leave).

Cards or fingerprint readers are probably much more secure than complex, frequently changed passwords, given human nature.

My $0.02.

Cheers,
Scott.
As I said before
I would prefer complex passwords with a lengthy expiration. I am constrained by corporate policy in this matter and can only relay to my users the requirements.
Understood. :-)
single signon with a 90 day passwd expiration
8 char minimum must contain alphanumeric and one special character. Pine4est! Me1ikebeer! as examples.
thanx,
bill
All tribal myths are true, for a given value of "true" Terry Pratchett
http://boxleys.blogspot.com/

Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 48 years. meep
questions, help? email pappas at catholic.org
Single signon is a happy dream
I would love it if it were so but I have no expectation of it happening anytime in the near future.
Problem with SSO
You now have to educate users to lock the computer when they walk away. Otherwise, anyone will have their access if they happen to catch a workstation unattended. I will not use SSO; I'd rather log in to each application/system myself.

Here SSO is being actively pushed/encouraged. All new apps MUST be SSO compatible.
A good friend will come and bail you out of jail ... but, a true friend will be sitting next to you saying, "Damn...that was fun!"
Pretty much everyone will write it down anyways
Computer-knowledgeable people excluded (somewhat).
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
Make the expiration longer than that.
Forcing people to do what they don't want to do makes them cheat in ways that break your policy worse than the original did.

Cheers,
Ben