[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Stephen John Smoogen smooge at unm.edu
Mon May 7 18:02:50 GMT 2007

Karyn Williams wrote:
> At 08:50 AM 5/7/07 -0400, you wrote:
>> Drat .. fat-fingered it.
>> What I meant was ..
>> c0mplexpa$$w0rd1
>> c0mplexpa$$w0rd2
>> c0mplexpa$$w0rd3
>> (and this says nothing of the many times we've all been into somebody's 
>> office and seen the password on a post-it attached to the monitor).
>> 2-factor auth you say? .. The same thing will happen with smartcards .. 
>> we'll see them in the desk drawer, post-it attached.
>> That said, forcing changes does at least reduce the window that a 
>> potential attacker has to brute-force the hashed password .. but then 
>> again, I'm sure most of you have tried L0phtcrack against a domain and 
>> watched as like >80% are found in under a day.
>> My $0.02
> Considering that almost all cracks are being done remotely, Post-It notes
> seem to be the least of our worries. At least they would require physical
> access to the space, something the cracker in Russia is not likely to
> bother with. 
> As you said, it's the human factor. We had a system here that required
> routine password changes and failed to keep a history db. Not very clever
> users quickly learned to change their passwd and then change it right back
> to the old one. I watched that and laughed. 
> My biggest concern is a weak password, but next is that they probably use
> that same passwd on every web site they ever log in to, effectively giving
> it away. 
> We recently enabled a system to block the ssh brute force crack. Within 48
> hours we had legit users blocked. I thought we had set up very generous
> limits, 10 wrong attempts on a valid account before blocking, 2 wrong on a
> non-existent account. Who'd have thunk that that many users don't even know
> their login name? It's a waste on systems open to users. 

Well it has to do with your audience. If the people are not computer
centric, we found that getting them 'preconfigured' clients helped. Have
the person come in and get their box set up and cleaned regularly (sort
of the 3 month maintenance cycle on a car). This has worked well with
people from the less computer active departments.

There are multiple 2 factor tools that can be used... going from
Cryptocards, USB fobs, to pregenerated Oppie lists. It all depends on
the other parts of the infrastructure, and getting community buy-in.

Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-7343  Email: smooge at unm.edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
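The two failure modes the quoted replies describe, users stepping a password from c0mplexpa$$w0rd1 to c0mplexpa$$w0rd2, and users changing a password and then changing it straight back because the system kept no history, are both things a password-change handler can refuse. The following is an added example, not code from anyone on the thread: it keeps a per-user ring of salted PBKDF2 hashes of previous passwords so reuse can be detected without storing cleartext, and rejects a new password that is a near-copy of the current one. The history depth, similarity threshold, iteration count and sample passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Constructed parameters for the example; tune for a real deployment.
HISTORY_DEPTH = 5           # previous passwords remembered per user
MAX_SIMILARITY = 0.8        # reject a new password this similar to the old one
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked history table is not directly crackable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user ring of (salt, hash) pairs for the last HISTORY_DEPTH passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries: dict[str, list[tuple[bytes, bytes]]] = {}

    def record(self, username: str, password: str) -> None:
        """Store the hash of a password that is now (or was) in use."""
        salt = os.urandom(16)
        entries = self._entries.setdefault(username, [])
        entries.append((salt, hash_password(password, salt)))
        del entries[:-self.depth]          # keep only the newest `depth` entries

    def was_used(self, username: str, password: str) -> bool:
        """True if the candidate matches any remembered hash for this user."""
        for salt, digest in self._entries.get(username, []):
            if hmac.compare_digest(hash_password(password, salt), digest):
                return True
        return False


def too_similar(old: str, new: str, threshold: float = MAX_SIMILARITY) -> bool:
    """Catch the 'bump the trailing digit' pattern: ratio of matching characters."""
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


def check_password_change(history: PasswordHistory, username: str,
                          old_password: str, new_password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed change; caller records it if accepted."""
    if new_password == old_password:
        return False, "new password equals current password"
    if history.was_used(username, new_password):
        return False, "password found in history"
    if too_similar(old_password, new_password):
        return False, "too similar to current password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of both failure modes from the thread.
    hist = PasswordHistory(depth=3)
    hist.record("alice", "c0mplexpa$$w0rd1")                       # initial password
    print(check_password_change(hist, "alice", "c0mplexpa$$w0rd1", "c0mplexpa$$w0rd2"))
    print(check_password_change(hist, "alice", "c0mplexpa$$w0rd1", "correct horse battery staple"))
    hist.record("alice", "correct horse battery staple")            # change accepted
    print(check_password_change(hist, "alice", "correct horse battery staple", "c0mplexpa$$w0rd1"))
```

Recording the initial password as well as each accepted change is what closes the "change it and change it right back" loophole: the old password is in the history the moment the new one is set. The similarity check is deliberately case-insensitive so that capitalising one letter does not count as a new password either.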
