Security myths and passwords

I like this a lot.

https://www.cerias.purdue.edu/weblogs/spaf/general/post-30/

In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the underlying (and unstated) assumptions underlying these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective…or possibly even dangerous.

Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.

From a high-level perspective, let me observe that one problem with any widespread change policy is that it fails to take into account the various threats and other defenses that may be in place. Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. “Best practice” is intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment.

Comments

  • Anonymous
    January 01, 2003
    This was already written up earlier today on another TechNet blog but I wanted to make note anyway in...
  • Anonymous
    January 01, 2003
    Steve Riley has some good comments (okay, he simply says "I like this a lot") on Eugene Spafford's blog...
  • Anonymous
    April 30, 2006
    I have always felt that by requiring regular password changes, site administrators do very little to improve the security of the site. They simply ensure that users pick a succession of equally insecure passwords (xxx1, xxx2, xxx3, etc).

    Password frequency is never a substitute for good operational security and user training. It doesn't take much to teach a user the difference between a bad password and a good password, and it's equally simple to convince a user why they should go to the trouble of picking a good one.

    If a good password's good to start with, it doesn't suddenly become bad 30 days later. It's secure as long as the user keeps it that way.

    Of course, should good cheap two-factor finally make itself available, this problem would be mitigated immensely.
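As an added example (not part of the post or of the comment above), a change-time similarity check that rejects the "succession of equally insecure passwords" the comment describes (xxx1, xxx2, xxx3): the function names, the similarity threshold and the sample passwords are my own constructions, and the check assumes it runs at the moment the user supplies both the current and the new password in plaintext.

```python
import re
from difflib import SequenceMatcher
from typing import Tuple

# Splits a password into (stem, trailing digits), e.g. "summer07" -> ("summer", "07").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d*)$")


def _split_counter(password: str) -> Tuple[str, str]:
    """Return (stem, trailing counter); counter is '' when no digits end the string."""
    stem, digits = _TRAILING_DIGITS.match(password).groups()
    return stem, digits


def is_trivial_variant(old: str, new: str, ratio_threshold: float = 0.8) -> bool:
    """True when `new` is a predictable derivative of `old`.

    Two checks (constructed heuristics, not a standard): (1) same stem with only
    the trailing counter changed (xxx1 -> xxx2); (2) overall edit similarity at or
    above `ratio_threshold`, which catches a single changed character or a
    rotation such as 'password1' -> '1password'. Comparison is case-insensitive
    so that capitalising one letter does not pass as a new password.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    o_stem, _ = _split_counter(o)
    n_stem, _ = _split_counter(n)
    if o_stem and o_stem == n_stem:  # all-digit passwords have an empty stem; skip
        return True
    return SequenceMatcher(None, o, n).ratio() >= ratio_threshold


def check_new_password(current: str, new: str) -> Tuple[bool, str]:
    """Accept `new` only if it is not a trivial variant of `current`.

    Only the current password is compared: it is the one the user types at
    change time, so no plaintext history needs to be stored for this check.
    """
    if is_trivial_variant(current, new):
        return False, "new password is a trivial variant of the current one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes a user might attempt under a monthly-rotation policy.
    for cur, nxt in [("xxx1", "xxx2"), ("Winter2023!", "Winter2024!"),
                     ("password1", "1password"), ("xxx3", "correct-horse-battery")]:
        print(f"{cur!r} -> {nxt!r}: {check_new_password(cur, nxt)}")
```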