[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Ali, Saqib docbook.xml at gmail.com
Mon May 7 03:37:59 GMT 2007


Gary,

May I ask why you are looking for such a study? Is it to make a case
in favor of periodic password changes?

Static passwords just don't work anymore, whether you change them on a
weekly basis or not. The era of providing security using static
passwords has ended.

You should look into one-time password tokens. They used to be
expensive (>$65) but not anymore. Entrust has the OTP tokens for $5.
See:
http://www.entrust.com/strong-authentication/identityguard/tokens/index.htm

saqib
http://www.full-disk-encryption.net
P.S. I am in no way associated with Entrust.


On 5/6/07, Gary Dobbins <dobbins at nd.edu> wrote:
>
> Consider that most studies and lore tend to focus on the relative strengths
> of the passwords themselves (i.e. how long it would take to crack one).
> But, if we consider the threats you're actually trying to counteract, such
> as users' tendency to share passwords with others, or use them on third
> party sites, then the math becomes less important.
>
> You probably aren't trying to counteract someone getting a copy of your KDC
> database, or pounding a brute-force against a login prompt for weeks on end,
> because there are easier ways to deal with those and you've probably already
> fortified them.
>
> It's probably the case that you're just trying to counteract users' human
> nature, which calls for mechanisms which help maintain the secrecy of their
> passwords over time.  Periodic changes may be annoying, but if you also help
> them with mnemonic ideas, you'll be helping users keep their passwords a
> personal secret ongoing – your true objective I'm supposing.
>
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of H. Morrow Long
> Sent: Saturday, May 05, 2007 1:32 PM
> To: security at educause.edu
> Cc: UNIversity Security Operations Group
> Subject: [unisog] Anyone have a citation for an academic research study on
> whether mandatory password changes increase security?
>
> Anyone have a citation for an academic research study on whether mandatory
> password expiration and changes increase security?
>
> Any stats or numbers quantifying how much and in what ways requiring
> password changing increases security?
>
> I know all of the rationale (and I believe in it) behind it but we need #s
> (and a paper from a peer-reviewed journal):
>
> 1. It automatically disables old unused accounts (which should have been
> disabled already).
>
> 2. It limits the amount of time accounts may be compromised.
>
> 3. Combined with increased quality checks it improves password strength.
>
> 4. If users are using the same password for their University account as on
> outside web accounts this can force a split/break since they probably won't
> go sync their passwords on all of their websites.
>
> I've looked around and found a number of arguments (pro and con) on
> requiring password changing.
>
> Some of the most interesting and entertaining are on Spaf's blog, where he
> makes a case against it:
>
> http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/
>
> I also found an entire site dedicated to articles and studies/surveys on
> passwords (www.passwordresearch.com/) as well as a report on passwords at
> http://www.csoonline.com/csoresearch/report64.html but all of the reports
> and surveys are from industry rather than academia.
>
> - H. Morrow Long, CISSP, CISM, CEH
>   University Information Security Officer
>   Director -- Information Security Office
>   Yale University, ITS
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog


-- 
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net