Password Aging

David Ferrier ncc!myrias!dbf at pyramid.com
Thu Jan 19 01:54:42 AEST 1989


>Password aging minimizes the amount of time that your password is open
>to attack.  You may have a well-chosen password, but the longer it is
>used, the more likely it is that someone has [obtained it]...

This sounds good, but no matter how they try to justify or explain it,
password aging is one of those things that system administrators
do that look really good to system administrators, auditors, 
and security consultants, but in practice does not give enough 
benefit to justify the tremendous inconvenience and loss of time 
caused to users and the organization.

Security measures are put in place to prevent losses.
If the cost over time of a security measure exceeds the 
probability of loss over time times the value of the assets,
use of the security measure is bad management. 
Password aging is an example of a security measure, 
which, except for the CIA or other exceptional organizations, 
usually costs more to implement than the value of the assets protected.

What does password aging buy you? 
--------------------------------

- it helps reduce risk by preventing access to
the system and data by unauthorized users. 

Examination of past security incidents invariably shows 
that almost all damage done to systems or data was done
by authorized users with passwords, not by the spooks that
password aging is supposed to defend against.

What are the risks of access by unauthorized users?
------------------------------------------------

- theft of machine cycles, unauthorized access to data, 
unauthorized modification or destruction of data.

In most systems, the wastage of machine cycles by authorized
users who are inexperienced or inefficient, or read dozens of USENET articles
every day, far exceeds the possible cost of system use arising out of
unauthorized access.

As for data: signon passwords are only the first line of defense.  

Depending on the system, a user often has limited access to 
data. Unless unprotected data are not backed up, contain vital
trade secrets, or there is no audit trail log generated of 
modifications to critical data, access by an unauthorized user is 
not much of a problem--not enough, anyway, to justify the
cost of password aging.

What is the objective improvement to security given by password aging?
----------------------------------------------------------------------

- who knows? How can you measure the likelihood of a password
being compromised when it is not changed regularly? A similar
study might be done on people with wall safes who do not change 
the combination on a regular basis. 

What is the cost of password aging?
----------------------------------

- administrative: staffing a responsive corporate security
department who can give out new passwords to users who tend to forget theirs
when they have to change them regularly

- user: need to build into project schedules enough slack to
allow for loss of productivity due to being unable to access
the system because a password has expired

- organizational: replacing people who get fed up with
the security run-around and leave

Anything constructive to say about password aging? 
--------------------------------------------------

The following concepts came from working with a password aging system used by
a Toronto computer utility that prevented reuse of
any password for 20 cycles. Worse, it even prohibited 
use of near matches--"moon" and "fool" for
example. Users had to keep a list of old passwords, because
as a final diabolical twist, the system only gave you five
tries to assign a valid new password when the old one expired,
at which point use of your id was suspended.

- If you must have password aging, keep it within reasonable bounds.
As with any other corporate program, force the people proposing it
to do a cost justification, and make a business case if 
they can for forcing people all over the company to do regular password changes.

- Make sure it is an option that you can
control on an individual or departmental basis,
so that only people with high risk data or extensive access
rights are put to the inconvenience of changing passwords
frequently, or at all. This control should extend to the number 
of generations of old passwords that are kept on file to ensure 
the new password does not replicate a previous password.
-- 
David Ferrier                            Edmonton, Alberta
alberta!myrias!dbf                       (403) 428 1616
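The change-time checks described in the post above (reuse refused for a number of generations, near matches of the current password rejected, the id suspended after a fixed number of failed attempts, and every limit settable per user or department) can be modelled in a few dozen lines. The following is an added example, not code from the post or from the Toronto system it describes; the policy names, the edit-distance threshold of 3 (which rejects the post's "moon"/"fool" pair at distance 2) and the PBKDF2 work factor are assumptions. One design point the example makes deliberately: only salted hashes of old passwords are stored, and the near-match test runs only against the current password, which the user supplies in clear at change time, so no plaintext password history has to be kept anywhere.

```python
"""Password-history and near-match checker with per-user policy (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for the target host

Entry = Tuple[bytes, bytes]  # (salt, digest) of one stored password


@dataclass
class AgingPolicy:
    """Hypothetical per-user / per-department limits; 0 switches a check off."""
    history_depth: int = 20      # generations (current + prior) whose reuse is refused
    min_edit_distance: int = 3   # new password must be at least this many edits from the current one
    max_attempts: int = 5        # failed change attempts before the id is suspended


@dataclass
class UserRecord:
    policy: AgingPolicy
    current: Optional[Entry] = None                 # password in force
    history: List[Entry] = field(default_factory=list)  # prior passwords, oldest first
    failed_changes: int = 0
    suspended: bool = False


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(password: str, entry: Entry) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_digest(password, salt), digest)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); "moon" vs "fool" is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def set_initial_password(user: UserRecord, password: str) -> None:
    salt = os.urandom(16)
    user.current = (salt, _digest(password, salt))


def change_password(user: UserRecord, current: str, new: str) -> Tuple[bool, str]:
    """Apply the user's policy to a change request; returns (accepted, reason)."""
    if user.suspended:
        return False, "id suspended"
    # A wrong current password is an authentication failure, not a bad
    # choice of new password, so it does not count toward max_attempts here.
    if user.current is None or not _matches(current, user.current):
        return False, "current password incorrect"

    p = user.policy
    reason = None
    if p.history_depth > 0 and any(_matches(new, e) for e in [user.current] + user.history):
        reason = "reuses a recent password"
    elif p.min_edit_distance > 0 and levenshtein(current, new) < p.min_edit_distance:
        reason = "near match of current password"

    if reason is not None:
        user.failed_changes += 1
        if user.failed_changes >= p.max_attempts:
            user.suspended = True  # the "final diabolical twist": id suspended
        return False, reason

    # Accept: retire the current hash into history, trimmed to history_depth - 1
    # prior generations so that current + history covers exactly history_depth.
    user.history.append(user.current)
    keep = max(p.history_depth - 1, 0)
    user.history = user.history[len(user.history) - keep:] if keep else []
    salt = os.urandom(16)
    user.current = (salt, _digest(new, salt))
    user.failed_changes = 0
    return True, "changed"


if __name__ == "__main__":
    strict = UserRecord(policy=AgingPolicy(history_depth=20, min_edit_distance=3, max_attempts=5))
    set_initial_password(strict, "moon")
    print(change_password(strict, "moon", "fool"))          # rejected: near match
    print(change_password(strict, "moon", "quartz lamp 17"))  # accepted
    lax = UserRecord(policy=AgingPolicy(history_depth=0, min_edit_distance=0))
    set_initial_password(lax, "moon")
    print(change_password(lax, "moon", "fool"))             # accepted: checks switched off
```

The `lax` record shows the per-department control the post asks for: with `history_depth` and `min_edit_distance` set to 0 a low-risk account is not subjected to the reuse or near-match checks at all, while the `strict` record behaves like the system described.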

[Moderator note: It looks like the upshot of this discussion is that aging
 isn't really much help...   _H*]