[unisog] Anyone have a citation for an academic research

H. Morrow Long morrow.long at yale.edu
Mon May 7 10:32:52 GMT 2007

I wanted to thank everyone who responded
with ideas, discussion, websites and pointers
to studies and papers.  It has all been useful.

Thank you to Dr. Krawetz, Clark Gaylord,
Jim Ennis, John Bambenek, Gary Dobbis, John
Kristoff and Saqib Ali.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

On May 6, 2007, at 10:28 AM, Dr. Neal Krawetz wrote:

> On Sat May  5 11:31:49 2007, H. Morrow Long wrote:
>> Anyone have a citation for an academic research study on whether
>> mandatory password expiration and changes increase security?
> Here's a few:
> http://www.google.com/patents?id=eEkaAAAAEBAJ&printsec=abstract
> A patent from 1997 on changing the password periodically.
> (Don't laugh.  Yes: NEC Corporation was awarded a patent on periodic
> password changes even though Unix supported this more than a decade
> earlier as prior art.)
> [Hayday2003] Hayday, Graham, Counting the cost of forgotten passwords.
> ZDNet News, January 14, 2003. Available online at
> http://news.zdnet.co.uk/business/employment/0,39020648,2128691,00.htm
> http://www.giac.org/certified_professionals/practicals/gsec/3642.php
> SANS GIAC recommends regular password changes (item #6).
> Safe Teleradiology: Information Assurance as Project Planning  
> Methodology
> Collmann et al. J Am Med Inform Assoc.2005; 12: 84-89
> They mention requiring regular password changes.
> It's interesting that you are looking for formal research on this:
>   - I could not find any peer-reviewed studies on this topic.
>     This does not mean it does not exist.  It only means that I
>     couldn't find it in 5 minutes.
>   - While there are plenty of people who say that it is (or is not)
>     more secure, nobody seems to cite any metrics.
> Logically speaking, it *may* be more secure depending on the frequency.
> Let's choose a simple case: you can choose a password that is a number
> between 0 and 9 (10 choices).
>   - If you constantly change the password, then I have a 1 in 10 chance
>     of guessing it.
>   - If you never change it, then eventually I will find the password.
> The dependent criteria are (1) the size of the search space and (2) the
> speed of the search.
> Now, let's look at today's technology.
> I usually see John the Ripper crack 50% of passwords in the first hour.
> The last 10% usually take weeks or longer (only found by brute force).
> If you have a strong password that takes an average of 1 month to crack
> then changing it weekly should not significantly change the effectiveness
> of the password.  However, changing it every 3 months is less effective
> since it gives the attacker ample time to identify the password.  And
> changing it every 6 months is less secure than every 3 months.
> If you change your password, then there are three possibilities:
>  (1) You moved it into the "already searched" range for the attacker.
>      Thus, the attacker is unlikely to look there twice.
>  (2) You moved it further away in the search space, so it will take
>      longer for an attacker to find.
>  (3) You moved it closer to the attacker's position in the search space.
>      Thus, it will be found more quickly.
> Since you (1) don't know when the attacker started, (2) don't know where
> the attacker currently is, and (3) don't know how fast the attacker is
> searching, the average case would seem to be: changing from a strong
> password to a strong password will not increase security.
> However, there are many other factors involved:
>   - Most systems have multiple login accounts.  If any password is
>     compromised, then the entire system is compromised.  The system is
>     as secure as the weakest password.  (In general, a local user account
>     has much more access than a remote user, and local exploits are easier
>     and more common than remote exploits.)
>   - All of this assumes that the attacker has the password file.
>     Without the password file, a remote-network brute-force attack will
>     still take forever and be noticed in log files.
>     The common mitigation step to alert and block after a specific number
>     of consecutive failures will lower the success rate to virtually zero.
>     (However, you should actually compute the metric if you're writing
>     an academic paper.)
>     By the way: this is a great DoS against remote users.
> And let us not forget ATM PIN codes.  These are usually 4-7 digits.
> They are small, and the search space is trivial to scan in seconds.
> However, PINs are effective because a few consecutive failures will block
> access.  The odds of successfully guessing a 4-digit PIN in 3 tries is
> very small:  1/10000 + 1/9999 + 1/9998 = 1 in 3000.0003.  You have
> a better chance of winning $7 in the Powerball Lottery:
>   http://www.coloradolottery.com/games/powerball/payouts.cfm?location=9
>> all of the reports and surveys are from industry rather than academia.
> That's what I'm seeing, too.
> And nearly all reports use case studies instead of computed metrics.
> 					-Neal
> --
> Neal Krawetz, Ph.D.
> Hacker Factor Solutions
> http://www.hackerfactor.com/
> Author of "Introduction to Network Security" (Charles River Media, 2006)
> and "Hacking Ubuntu" (Wiley, 2007)
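The guessing arithmetic behind Krawetz's reply, carried through as an added example: this is not code from the thread or from either poster. It separates the two regimes the reply distinguishes, online guessing that a consecutive-failure lockout caps after a few tries (the ATM PIN case) and offline cracking of a stolen password file at a fixed guess rate, where only the rotation interval versus the sweep time matters. It assumes a uniformly random secret and a sequential attacker; the space sizes, guess rates and the attempt stream are constructed numbers, and the lockout class is a hypothetical policy written for illustration, not any product's implementation.

```python
"""Added example, not part of the unisog thread or either poster's work.

Worked arithmetic for the two attack regimes the reply distinguishes:

  * online guessing against a lockout (the ATM PIN case), where the attacker
    gets at most a few distinct guesses before the account is blocked;
  * offline cracking of a stolen password file at a fixed guess rate, where
    the defender rotates the password every so often.

Space sizes, guess rates and the attempt stream are constructed values.
"""
from __future__ import annotations

from fractions import Fraction
from typing import Iterable


def online_success_probability(space: int, attempts: int) -> Fraction:
    """Chance that `attempts` distinct guesses over `space` equally likely
    secrets include the right one.

    Each guess is a fresh value, so the exact figure is attempts/space
    (capped at 1 once the whole space has been tried), e.g. 3/10000 for a
    4-digit PIN behind a three-strike lockout.
    """
    if space <= 0 or attempts < 0:
        raise ValueError("space must be positive and attempts non-negative")
    return Fraction(min(attempts, space), space)


def expected_offline_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for a sequential offline search (attacker
    holds the hashes, so no lockout applies) to hit a uniformly random
    secret: half the space is examined on average."""
    if space <= 0 or guesses_per_second <= 0:
        raise ValueError("space and guess rate must be positive")
    return space / (2.0 * guesses_per_second)


def fraction_cracked_before_rotation(space: int, guesses_per_second: float,
                                     rotation_seconds: float) -> float:
    """Share of uniformly random secrets that an attacker who starts the
    moment the password is set will recover before it is rotated.  Once the
    interval covers the whole space, rotation buys nothing against this
    attacker (the share is 1.0)."""
    covered = guesses_per_second * rotation_seconds
    return min(covered, float(space)) / space


class ConsecutiveFailureLockout:
    """Hypothetical alert-and-block policy: an account is locked after
    `threshold` consecutive failures; a success resets its counter.

    `attempt` returns "allowed", "denied", "locked" (this failure tripped
    the lock) or "blocked" (rejected without evaluating the password), so
    the guesses the attacker genuinely got to test can be counted.
    """

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, account: str, password_ok: bool) -> str:
        if account in self.locked:
            return "blocked"
        if password_ok:
            self.failures[account] = 0
            return "allowed"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "denied"


def evaluated_guesses(decisions: Iterable[str]) -> int:
    """How many of the attacker's guesses the policy actually tested."""
    return sum(1 for d in decisions if d != "blocked")


# Constructed attempt stream: six wrong PINs sprayed at one card.
SPRAY = [("card-0001", False)] * 6


def run_spray(threshold: int = 3) -> list[str]:
    """Feed the constructed spray through a lockout with the given threshold."""
    guard = ConsecutiveFailureLockout(threshold)
    return [guard.attempt(account, ok) for account, ok in SPRAY]


if __name__ == "__main__":
    decisions = run_spray()
    tested = evaluated_guesses(decisions)
    print("lockout decisions:", decisions)
    print("guesses actually tested:", tested,
          "-> success chance", online_success_probability(10_000, tested))
    # Offline: a space that takes a month to sweep at 100 guesses/s is only
    # partly covered before a weekly rotation; quarterly rotation covers it.
    month, week = 30 * 24 * 3600, 7 * 24 * 3600
    print("fraction cracked before weekly rotation:",
          fraction_cracked_before_rotation(month * 100, 100.0, week))
```

With a three-strike lock the attacker gets exactly three evaluated guesses, so a 4-digit PIN yields 3/10000 regardless of how many attempts are sprayed; the offline functions make the reply's weekly-versus-quarterly comparison concrete, since rotation only reduces the attacker's coverage while the interval is short relative to the time needed to sweep the space.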
