[unisog] Password policies

Jim Dillon Jim.Dillon at cusys.edu
Thu Apr 20 16:59:15 GMT 2006

We've taken this thread a bit off-course - the request was what are
people doing, and I'd like to see a couple more of those examples just
for comparison.  Someone added a "no unencrypted" passwords (e.g.
telnet, ftp) and that is true in our environment as well at one of our
campuses, although it isn't yet into system wide policy.  It is a good
policy.  My original offering is what ours is, I was not defending or
suggesting it, just demonstrating a well published policy.

Regarding the argument about changing passwords that has followed and
veered us a tiny bit off-track, a couple of thoughts:

1. Bruce Schneier has come down on the side of letting the users write
down their passwords, for a number of reasons.  He has comments in his
Cryptogram newsletter that might be of interest to some.  I actually
disagree with him on the concept, but I think his arguments are
reasonable from some viewpoints.  It comes down to where you think a
control becomes ineffective.

2. Having password timeouts accomplishes a couple of things still today,
although I agree that the environment in which the control was hatched
was vastly different than today's.  

A) It has a communication of policy value - it reinforces the need to be
thoughtful in selecting secrets and protecting them, and it identifies
to the uneducated that given time, their secrets can and likely will be
known by someone else - you aren't as anonymous as you'd like.  End
users need to understand some of these things.  

B) Part of who we are protecting from is ourselves - those of us who
leave a job, move on, change roles, etc.  The FBI has gone to great
lengths to demonstrate that insider attacks are quite prevalent, and not
everyone who holds the administrator job function is to be trusted - a
large number of retribution attacks occurred last year using old
credentials to attack the employer's systems.  By setting up a password
change standard, you will likely reduce the opportunities for such
employee/ex-employee attacks on systems.  As an auditor I can't tell you
how many times I've found that the users of a system have passwords that
change but the admins don't - thus enabling this kind of retribution
inspired attack.  Many times it's just sloppiness in removing accounts
in a timely manner, many others it's due to shared passwords (that don't
change every 3 months or whatever) and others it's due to accessibility
to the SAM and other files necessary to facilitate a later attack over
something like not getting a promotion or whatever.

3. I have about 15 Palm Pilot pages of passphrases and passwords
encrypted on my Palm Pilot.  The file does not Sync, so I have to
manually back it up on occasion.  The passwords written inside are coded
using my own mnemonic devices for building a meaningful password so that
I am likely to guess what the password is, and also hiding the true
password from someone peeking over my shoulder.  I still get occasional
account lock outs and drops from not maintaining this list, and from not
remembering the exceptions to my normal rules.  I am dead without the
Palm for many things.  My passwords tend to follow the typical "best
practice" suggestions of 3 hardening factors and 8 characters or more,
etc.  What a hassle.  I can't even copy the file in less than 4 cut and
paste operations because it is too big to do so. Add to that the
numerous software keys required to activate copy protected software, and
I have HUNDREDS of "written down" security devices.  Not what we all
strive for, is it?  But I don't see any good alternatives.

As I said in the last thread entry, the password is just about dead as a
security tool.  Until we combine something we have (localizing the risk)
or something we are (minimizing the ability of anyone to duplicate/copy
and localizing) to the password (something we know, and maybe a few
others do too, so what...) we won't have a solution to this problem.
Given the prevalence of spyware, rootkits, trojans, and other remote
access/control/monitoring tools, we need to settle on a solution or two
in the near future.  I restate my belief that the control value of the
password alone is falling at a geometric rate, so we cannot trust it for
much for long.


Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Joseph Brennan
Sent: Wednesday, April 19, 2006 11:12 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Password policies

Requiring frequent changes only pushes people to writing the passwords
on sticky notes stuck to their monitors.  Is there any data to support
the idea that changing every 3 months is better than changing every
3 decades?  If a stolen password hasn't been used in a few days, will
it ever be used?


Jim Dillon <Jim.Dillon at cusys.edu> wrote:

> On the brighter side, the effectiveness of passwords in the face of
> spyware, rainbow tables, rootkits, keyboard loggers and the like is
> pitiful, and with only a slight growth in the percentage of infections
> these sorts, the password as a stand-alone security construct will be
> dead.

Sad but true.

Joseph Brennan
Columbia University Information Technology