[Lynn R Grant: Password Aging]

Michael J. Chinni, SMCAR-CCS-E mchinni at ardec.arpa
Thu Dec 29 00:00:16 AEST 1988


F Y I

----- Forwarded message # 1:

Received: from [192.12.8.6] by ARDEC-CC1.ARDEC.ARPA id aa10257;
          27 Dec 88 19:02 EST
Received: from [128.6.4.15] by IMD.PICA.ARMY.MIL id aa16810; 27 Dec 88 19:03 EST
Sender: security%pyrite.rutgers.edu at PICA.ARMY.MIL
Date:  Wed, 14 Dec 88 15:40 EST
From: Lynn R Grant <Grant at DOCKMASTER.ARPA>
Subject:  Password Aging
To: Security at RUTGERS.EDU
Message-ID:  <8812271903.aa16810 at IMD.PICA.ARMY.MIL>

Re:  Bernie Cosell's question about the usefulness of password aging:
Password aging minimizes the amount of time that your password is open
to attack.  You may have a well-chosen password, but the longer it is
used, the more likely it is that someone has looked over your shoulder
and seen you enter it, or a line-tapper has read it off your
communication line, or, if you are the type that writes your good
password on a piece of paper, someone has discovered it.

The DoD Password management guideline has another good use of this,
though I have never seen it implemented the way they describe.  Most
systems I have seen will suspend your userid after you enter some number
of incorrect passwords.  You must then get a security administrator to
reset it.  This leaves you open to an easy denial-of-service attack.
And if someone does it to all your security administrators, the whole
shop is in trouble.

To counter this, the DoD guideline suggests making the logon process get
slower after the first few bad passwords are entered for a particular
userid.  That limits how many passwords can be tried in a given length
of time, without leaving you open to the denial-of-service attack.  If
you calculate how many tries it will take on the average to guess your
password, you can set up your password so it expires before then, making
a brute force attack much harder.

            Lynn Grant


----- End of forwarded messages


