[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Karyn Williams karyn at calarts.edu
Mon May 7 17:28:00 GMT 2007

At 08:50 AM 5/7/07 -0400, you wrote:
>Drat .. fat-fingered it.
>What I meant was ..
>(and this says nothing of the many times we've all been into somebody's 
>office and seen the password on a post-it attached to the monitor).
>2-factor auth you say? .. The same thing will happen with smartcards .. 
>we'll see them in the desk drawer, post-it attached.
>That said, forcing changes does at least reduce the window that a 
>potential attacker has to brute-force the hashed password .. but then 
>again, I'm sure most of you have tried L0phtcrack against a domain and 
>watched as like >80% are found in under a day.
>My $0.02

Considering that almost all cracks are being done remotely, Post-It notes
seem to be the least of our worries. At least they would require physical
access to the space, something the cracker in Russia is not likely to
bother with. 

As you said, it's the human factor. We had a system here that required
routine password changes and failed to keep a history db. Not very clever
users quickly learned to change their passwd and then change it right back
to the old one. I watched that and laughed. 

My biggest concern is a weak password, but next is that they probably use
that same passwd on every web site they ever log in to, effectively giving
it away. 

We recently enabled a system to block the ssh brute force crack. Within 48
hours we had legit users blocked. I thought we had set up very generous
limits, 10 wrong attempts on a valid account before blocking, 2 wrong on a
non-existent account. Who'd have thunk that that many users don't even know
their login name? It's a waste on systems open to users. 

Karyn Williams
Network Services Manager
California Institute of the Arts
karyn at calarts.edu
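The lockout rule Karyn describes, as an added example (not code from the post or from CalArts's actual system): a small Python scanner over constructed sshd log lines that applies 10 failures on a valid account and 2 on a non-existent one per source address, and shows how a legitimate user who mistypes their own login name trips the stricter limit.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
May  7 09:01:02 host sshd[101]: Failed password for alice from 203.0.113.5 port 5001 ssh2
May  7 09:01:05 host sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 5002 ssh2
May  7 09:01:09 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 5003 ssh2
May  7 09:01:12 host sshd[104]: Failed password for alice from 203.0.113.5 port 5004 ssh2
May  7 09:02:00 host sshd[105]: Failed password for invalid user alise from 192.0.2.9 port 5005 ssh2
May  7 09:02:03 host sshd[106]: Failed password for invalid user alise from 192.0.2.9 port 5006 ssh2
May  7 09:02:10 host sshd[107]: Accepted password for alice from 203.0.113.5 port 5007 ssh2
"""

FAIL_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPT_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")


def evaluate(log, valid_limit=10, invalid_limit=2):
    """Return {source_ip: reason} for sources that cross a threshold.

    Failures against real accounts count toward valid_limit; failures naming
    a non-existent account count toward invalid_limit. A successful login
    resets that source's valid-account counter (a hypothetical policy choice).
    """
    valid_fail = defaultdict(int)
    invalid_fail = defaultdict(int)
    blocked = {}
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ip, user = m.group("ip"), m.group("user")
            if m.group("invalid"):
                invalid_fail[ip] += 1
                if invalid_fail[ip] >= invalid_limit:
                    blocked.setdefault(ip, f"{invalid_limit} failures on non-existent user {user!r}")
            else:
                valid_fail[ip] += 1
                if valid_fail[ip] >= valid_limit:
                    blocked.setdefault(ip, f"{valid_limit} failures on valid user {user!r}")
            continue
        m = ACCEPT_RE.search(line)
        if m:
            valid_fail[m.group("ip")] = 0
    return blocked
```

On the sample, 198.51.100.7 (two guesses at "admin") and 192.0.2.9 (a user twice typing "alise" for "alice") are both blocked, while alice's two genuine failures from 203.0.113.5 stay well under the valid-account limit.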
