[unisog] Anyone have a citation for an academic research

Jim Ennis jim at mail.ucf.edu
Sun May 6 17:29:07 GMT 2007


There was a good article in a recent Usenix journal, about the potential effectiveness of difficult passwords over forced changes.  I will see if I can find the reference in my office.
 
Jim Ennis
Associate Director, Computer Services
voice: 407 823-1701
fax: 407 882-9017
jim at mail.ucf.edu 

>>> "Dr. Neal Krawetz" <hf at hackerfactor.com> 5/6/2007 10:28 AM >>>
On Sat May  5 11:31:49 2007, H. Morrow Long wrote:
> 
> Anyone have a citation for an academic research study on whether  
> mandatory password expiration and changes increase security?

Here's a few:

http://www.google.com/patents?id=eEkaAAAAEBAJ&printsec=abstract 
A patent from 1997 on changing the password periodically.
(Don't laugh.  Yes: NEC Corporation was awarded a patent on periodic
password changes even though Unix supported this more than a decade
earlier as prior art.)

[Hayday2003] Hayday, Graham, Counting the cost of forgotten passwords.
ZDNet News, January 14, 2003. Available online at
http://news.zdnet.co.uk/business/employment/0,39020648,2128691,00.htm 

http://www.giac.org/certified_professionals/practicals/gsec/3642.php 
SANS GIAC recommends regular password changes (item #6).

http://171.66.121.52/cgi/content/abstract/12/1/84 
Safe Teleradiology: Information Assurance as Project Planning Methodology
Collmann et al. J Am Med Inform Assoc.2005; 12: 84-89
They mention requiring regular password changes.


It's interesting that you are looking for formal research on this:
  - I could not find any peer-reviewed studies on this topic.
    This does not mean it does not exist.  It only means that I
    couldn't find it in 5 minutes.

  - While there are plenty of people who say that it is (or is not)
    more secure, nobody seems to cite any metrics.

Logically speaking, it *may* be more secure depending on the frequency.
Let's choose a simple case: you can choose a password that is a number
between 0 and 9 (10 choices).
  - If you constantly change the password, then I have a 1 in 10 chance of
    guessing it.
  - If you never change it, then eventually I will find the password.
The dependent criteria are (1) the size of the search space and (2) the
speed of the search.

Now, let's look at today's technology.
I usually see John the Ripper crack 50% of passwords in the first hour.
The last 10% usually take weeks or longer (only found by brute force).
If you have a strong password that takes an average of 1 month to crack
then changing it weekly should not significantly change the effectiveness
of the password.  However, changing it every 3 months is less effective
since it gives the attacker ample time to identify the password.  And
changing it every 6 months is less secure than every 3 months.

If you change your password, then there are three possibilities:
(1) You moved it into the "already searched" range for the attacker.
     Thus, the attacker is unlikely to look there twice.
(2) You moved it further away in the search space, so it will take
     longer for an attacker to find.
(3) You moved it closer to the attacker's position in the search space.
     Thus, it will be found more quickly.
Since you (1) don't know when the attacker started, (2) don't know where
the attacker currently is, and (3) don't know how fast the attacker is
searching, the average case would seem to be: changing from a strong
password to a strong password will not increase security.

However, there are many other factors involved:
  - Most systems have multiple login accounts.  If any password is
    compromised, then the entire system is compromised.  The system is
    as secure as the weakest password.  (In general, a local user account
    has much more access than a remote user, and local exploits are easier
    and more common than remote exploits.)

  - All of this assumes that the attacker has the password file.
    Without the password file, a remote-network brute-force attack will
    still take forever and be noticed in log files.
    The common mitigation step to alert and block after a specific number
    of consecutive failures will lower the success rate to virtually zero.
    (However, you should actually compute the metric if you're writing
    an academic paper.)
    By the way: this is a great DoS against remote users.

And let us not forget ATM PIN codes.  These are usually 4-7 digits.
They are small, and the search space is trivial to scan in seconds.
However, PINs are effective because a few consecutive failures will block
access.  The odds of successfully guessing a 4-digit PIN in 3 tries are
very small:  1/10000 + 1/9999 + 1/9998 = 1 in 3000.0003.  You have
a better chance of winning $7 in the Powerball Lottery:
  http://www.coloradolottery.com/games/powerball/payouts.cfm?location=9 


> all of the reports and surveys are from industry rather than academia.

That's what I'm seeing, too.
And nearly all reports use case studies instead of computed metrics.

-Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/ 
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)
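The search-space argument in the quoted message (search-space size, search speed, and the three cases a password change can produce), worked out exactly as an added example that is not code from the thread or its authors. The model and its parameters are assumptions of this example: N = 60000 candidates and 1000 guesses/day, so a password takes 30 days on average to crack as in the message's scenario, watched over 60 days; all function names are constructed.

```python
"""Exact form of the quoted message's search-space argument (added example).
Model, an assumption of this example rather than the thread's:
  * N equally likely passwords; the attacker tries them in a fixed order at
    `rate` guesses/day from day 0 and never repeats a guess (the message's
    case 1: a password moved behind the attacker is not looked for again).
  * The user redraws a uniform password every `change_every` days (None =
    never), so each guess matches the current password with probability
    exactly 1/N whichever of the three cases the last change produced.
  * A guessed password stays usable until the next change.
"""
from fractions import Fraction
from typing import Optional

def lifetimes(horizon: int, change_every: Optional[int]) -> list:
    """Days each successive password is live within the horizon."""
    if change_every is None:
        return [horizon]
    return [min(change_every, horizon - s) for s in range(0, horizon, change_every)]

def p_found(space: int, rate: int, horizon: int, change_every: Optional[int]) -> Fraction:
    """P(at least one password is guessed while it is live) within the horizon."""
    p_none, left = Fraction(1), space        # left: candidates not yet tried
    for days in lifetimes(horizon, change_every):
        g = min(rate * days, left)           # guesses spent on this password
        left -= g
        p_none *= 1 - Fraction(g, space)     # this password is hit w.p. g/N
    return 1 - p_none

def exposure(space: int, rate: int, horizon: int, change_every: Optional[int]) -> Fraction:
    """Expected share of the horizon during which the attacker holds a valid password."""
    held, left = Fraction(0), space
    for days in lifetimes(horizon, change_every):
        g = min(rate * days, left)
        left -= g
        # guess k lands at day k/rate of this lifetime; if it hits (prob 1/N) it
        # is usable for days - k/rate more days; sum over k in closed form
        held += g * days - Fraction(g * (g + 1), 2 * rate)
    return held / (space * horizon)

def compare(space: int = 60_000, rate: int = 1_000, horizon: int = 60) -> dict:
    """Constructed scenario: 30 days to crack on average, watched for 60 days."""
    return {t: (float(p_found(space, rate, horizon, t)), float(exposure(space, rate, horizon, t)))
            for t in (7, 30, 90, None)}

if __name__ == "__main__":
    for t, (pf, ex) in compare().items():
        print(f"change every {t!s:>4} days: P(found)={pf:.3f}  exposure={ex:.3f}")
```

Under these assumptions the per-guess hit chance really is 1/N regardless of the change interval, so the interval only matters through how many guesses fall on each individual password and how long a guessed password remains usable.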