Password Aging at the College of Charleston
Posted: August 20th, 2010 | Author: starrc@cs.cofc.edu | Filed under: Uncategorized | Tags: authentication, computer security, csatcofc, password aging | 7 Comments

When LDAP came along, I just knew life for users of IT on the College of Charleston campus would be so much better. Before LDAP we all had to keep up with multiple logins and multiple passwords, one for each computer system that required user authentication. Now that LDAP is here and stable, we have single sign-on for multiple campus systems. However, the efficiency gains from LDAP are thwarted by password aging. Aging passwords, at least at the frequency selected and enforced by IT at the College, may cause more harm to computer security than it is intended to prevent. There is certainly nothing wrong with requiring strong passwords. But the frequent aging of strong passwords raises three questions:
1) How does the user change a strong password to something different and still strong?
2) How does the user remember the next, new strong password?
3) How does the user remain patient with IT after losing work that was interrupted by the non-negotiable demand to change one’s perfectly good strong password at the worst possible time?
Any thoughts on the matter of including the human in the security equation? There are solutions and plenty of data to back them up. What is your position? What would you recommend to the IT at the College of Charleston?
Gene Spafford wrote a good article “Security Myths and Passwords” as well as a follow-up in 2006 about this specifically.
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
We’re at the point where required password complexity is overtaking our ability to adequately remember. I’m convinced that multifactor authentication is really the only solution in the long term.
http://clay.blogdns.net/index.php/2010/08/27/computer-security-and-the-human-factor/
There are valid reasons to enforce regular password changes. Even if you have a strong password, let’s suppose you visit a website with malicious software embedded in an advertisement (this is more common than most people realize). That software installs a keylogger on your computer and captures your e-mail password, which happens to be the same as your network login. If your machine doesn’t show any symptoms of infection and the account isn’t immediately abused, such a breach could go unnoticed for quite some time. A good password expiration policy would force you to change your password, invalidating the data captured by the keylogger. Combining this with a comprehensive anti-malware suite should be enough to mitigate this type of threat in most cases.
Most IT organizations that I have interacted with give the user a window of a few days to a month to change their password, which seems like a good policy because it allows the user to manage the switch. I am in favor of an annual change, which is a primary business frequency for renewals of all kinds.
To handle keeping track of your password, you can, for example, embed the four-digit year or a hex version of it in your strong password without loss of strength, change only that part each year, and still pass the new-password test IT throws down.
I find the key-logger argument a poor one, as once a key-logger is installed on your machine, you are basically toast: the key-logger can also detect your new password. If a key-logger is installed it is likely other spy-ware is installed as well.
One big benefit of the cloud is that each client machine becomes “thinner”: it can more easily be re-imaged as a routine maintenance task, thus removing stale, alien, dangerous and polluted entities.
You should never use regular patterns like incrementing a date, or dictionary words in your password. These are the first things most brute-force attacks will try. Remember, the programmers who write the attack software have thought of these things too.
If you are relying solely on a password to authenticate users, those passwords have to be changed at some interval to ensure they haven’t been compromised. Choosing that interval carefully is important, but will be different depending on the community being served and the assets that need to be protected.
It’s certainly true that once a keylogger has been installed, it would be able to pick up any new passwords entered while it’s running. It’s not the best example, but the point was that in combination with a good anti-malware suite, that threat can be mitigated (because the anti-malware software should detect and disable the keylogger and in many cases block it from being reintroduced). The traditional keylogger isn’t the only threat to your passwords. Your web browser is a very useful but highly vulnerable platform that is capable of running untrusted code from any number of sources without your knowledge or express consent (the recent Twitter XSS vulnerability is a good example).
Putting things in the cloud isn’t a silver bullet either. The cloud is a black box. You don’t control the security of what’s running in the cloud and you have no way of verifying that the company providing the cloud services is actually secure. Once your data is in the cloud, you just have to trust that it’s being properly protected.
Imaging tools are a great benefit and time-saver, but regular re-imaging as a solution to malware is equivalent to treating the symptoms while ignoring the underlying problem. If your system is compromised, re-imaging the system is just going to reset it to a still vulnerable, but uninfected state. Proper application of a good, working and up-to-date anti-malware suite and keeping your OS/application software up-to-date will block the known vulnerabilities before they can be exploited.
Still, the main point of all this was user authentication. My main point is that passwords alone may no longer be sufficient to protect anything of value. Standard length passwords are too easy to crack and strong passwords are often too difficult to remember. Changing them frequently mitigates some problems with compromised passwords, but also exacerbates the issue above.
Issue 1:
The insertion of a meaningful-to-the-user string into an already strong password does not weaken it; in fact you can find recommendations to do so by security folks, for example: http://www.microsoft.com/protect/fraud/passwords/create.aspx . If you don’t like that, then you could insert the year as digits into your password using the Fibonacci series as indices, for example. You could also normalize the year to 2000, etc. Patterns get a bad rap here, as patterns are at the heart of building passwords the user can remember without writing them down, which is one of the most common loss-of-security failures of password systems–plain text. Thus, a pattern can be thought of as an algorithm or recipe that you can remember that generates your password. Even a random password generator is an algorithm seeded by a specific value. So, at the limit, you could select a random-password generator and seed it with 2010, 2011, etc., as needed to recreate your password if you forgot it.
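The two policy questions argued over in the comments above, how long a password may live before it must be changed (the grace window one commenter describes) and whether a new password that differs from the old one only by the embedded year should count as a change at all, are exactly the checks a password-change service would enforce. The following is an added example, not code from the post or from the College of Charleston; the policy numbers (365-day maximum age, 30-day grace window, at least four changed characters) and the sample passwords are assumptions constructed for illustration.

```python
"""
Added example: a small password-aging policy checker.
  age_status()      -- is the password fresh, inside the grace window, or expired?
  check_rotation()  -- does the new password really differ from the old one,
                       or only by a short predictable token such as the year?
Policy constants below are assumed for illustration only.
"""
import re
from datetime import date, timedelta

MAX_AGE_DAYS = 365   # assumed: annual change, as one commenter favoured
GRACE_DAYS = 30      # assumed: user is warned during the final 30 days
MIN_CHANGED = 4      # assumed: at least 4 single-character edits old -> new

YEAR_RE = re.compile(r"(?:19|20)\d{2}")   # four-digit calendar year 19xx/20xx


def age_status(last_changed: str, today: str,
               max_age_days: int = MAX_AGE_DAYS,
               grace_days: int = GRACE_DAYS) -> str:
    """Return 'ok', 'grace' (still usable, must change soon) or 'expired'.
    Dates are ISO strings, e.g. '2010-08-20'."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today)
    expires = changed + timedelta(days=max_age_days)
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(days=grace_days):
        return "grace"
    return "ok"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_rotation(old: str, new: str, min_changed: int = MIN_CHANGED) -> list:
    """Return the policy violations for replacing old with new; [] means accepted."""
    reasons = []
    if new == old:
        reasons.append("new password is identical to the old one")
        return reasons
    d = edit_distance(old, new)
    if d < min_changed:
        reasons.append(f"only {d} character(s) differ from the old password")
    if YEAR_RE.search(new):
        reasons.append("contains a four-digit calendar year")
        # Identical once the year is stripped: a year-only rotation, which
        # does not invalidate a previously captured password in any useful way.
        if YEAR_RE.sub("", old) == YEAR_RE.sub("", new):
            reasons.append("differs from the old password only in the year")
    return reasons


if __name__ == "__main__":
    # Constructed sample data, not real accounts or passwords.
    print(age_status("2009-09-01", "2010-08-20"))
    print(check_rotation("Str0ng!2010", "Str0ng!2011"))
    print(check_rotation("Str0ng!2010", "c0rrect-h0rse-battery"))
```

The edit-distance check is the same idea behind the "too similar to the old password" rejection that PAM-style password-quality modules perform; the year regex only catches the decimal form, so the hex-encoded year mentioned above would pass it and would need its own rule. Note that this check is only possible at change time, when the system briefly has both the old and new plaintext; it cannot be applied retroactively to stored hashes.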
Just create the strong password, remember it, don’t lose it, and use a virtual keyboard to prevent keylogging. It is safer even though very traditional.
One thing that confuses me when it comes to passwords that need to be secure are banks using pictures or site keys. I don’t see how that would help them with security.
Something that may help with security at your college is if you login from a different machine than normal it asks you a security question to make sure it’s you. I know my credit card company does that, it is annoying, but I imagine it cuts down on the trouble.
I am pretty paranoid because I’ve been exposed to some keyloggers and I know how easy it is for someone to get your passwords and steal valuable data.
I now use different passwords for each important task I need to do, and I generate the passwords based on an algorithm that I can remember, based on the website.
This produces unique strong passwords that can’t be easily exposed, and if I do get hacked, it will be only on one account.