
Velocity Reviews > Newsgroups > Computing > NZ Computing > periodic changing of passwords


periodic changing of passwords

 
 
Peter
 
      04-29-2007

What is the strategy behind having to change your password every month or 2?
This policy has been enforced at a couple of places I have worked at, but
the IT folk can't explain why.

From observation, this policy is counterproductive in terms of real world
security. Ordinary users often respond by choosing a sequence of easily
remembered passwords (user111, user222, user333, etc) and / or writing them
down on paper near the PC.
It also seems to mean people are more likely to share passwords with
workmates, 'cos they know the password will change in a couple of weeks so
they are not giving away long term access.

There doesn't seem to be any security benefit to this strategy. If a bad
guy gets the password, they will use it straight away, not wait a month or
2. They will likely escalate privileges and create their own account for
further access, so changing the user password on them won't close the door.
Monthly changes would provide very little protection against brute force
password crackers, either. The bad guys have plenty of CPU cycles and
there would be few user passwords that would hold out longer than that.

So, is there a reason for this type of policy? Or is it just like airport
security: it doesn't provide any real protection and is just there to
comfort the masses into a false sense of security, by making them think
those in charge are doing something?


Peter



 
 
 
 
 
Ken Yates@yahooken.com
 
      04-29-2007
On Sun, 29 Apr 2007 19:54:45 +1200, Peter <(E-Mail Removed)> wrote:

>What is the strategy behind having to change your password every month or 2?
>This policy has been enforced at a couple of places I have worked at, but
>the IT folk can't explain why.

[snip]




Databank had it and so did the Wellington ISP Citynet.


A very normal practice.



 
 
 
 
 
Peter
 
      04-29-2007
Ken (E-Mail Removed) wrote:
> A very normal practice..


I know it is normal.
What I would like to know is why.



 
 
Collector-NZ
 
      04-29-2007
A periodic forced change of password resolves the issue of compromised
passwords which have not been discovered to be compromised.

So if I steal, acquire or by whatever other means obtain your password, the
system is only compromised for the time until the next forced change of password.


"Peter" <(E-Mail Removed)> wrote in message
news:1177836089.857491@ftpsrv1...
> Ken (E-Mail Removed) wrote:
>> A very normal practice..

>
> I know it is normal.
> What I would like to know is why.
>
>
>



 
 
Crash
 
      04-29-2007
Peter wrote:
> What is the strategy behind having to change your password every month or 2?
> This policy has been enforced at a couple of places I have worked at, but
> the IT folk can't explain why.
>
>

The theory, as I understand it, is that a particular password value is
less vulnerable if it has a limited lifetime.
> From observation, this policy is counterproductive in terms of real world
> security. Ordinary users often respond by choosing a sequence of easily
> remembered passwords (user111, user222, user333, etc) and / or writing them
> down on paper near the PC.
>

Correct. In some circumstances I have encountered, this is overcome by
not accepting new passwords that match a pattern in previous passwords.
However, the same approach can be taken with different password patterns.
> It also seems to mean people are more likely to share passwords with
> workmates, 'cos they know the password will change in a couple of weeks so
> they are not giving away long term access.
>
>

But it is still 'illegal'.
> There doesn't seem to be any security benefit to this strategy. If a bad
> guy gets the password, they will use it straight away, not wait a month or
> 2.

The sooner they use it the more likely they will be 'fingered' in doing
so. You may remember who you gave your password away to yesterday or
last week, but you might not remember who you might have given it to
last month.
> They will likely escalate privileges and create their own account for
> further access, so changing the user password on them won't close the door.
>

This will be the case only in the most insecure environments. It stands
to reason that usercodes that can be used to create or amend security
aspects of other usercodes will be very rare.
> Monthly changes would provide very little protection against brute force
> password crackers, either. The bad guys have plenty of CPU cycles and
> there would be few user passwords that would hold out longer than that.
>
>

This requires dictionary attacks - easily defended by simply disabling a
usercode after n unsuccessful attempts. An inconvenience to the genuine
user but better for

[snip]

Crash.
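The two controls Crash mentions, rejecting a new password that merely follows the pattern of the old one and disabling a usercode after n failed attempts, as an added example written for this page (not code from the thread or from any system the posters used). The thresholds (12 characters, edit distance 2, 5 failures, 15 minute lock), the PBKDF2 parameters and the `stem()` rule are assumptions for illustration. Note the practical limit it makes visible: at change time the user types both the current and the new password, so similarity between those two can be checked, but older passwords survive only as salted hashes, so against them only exact reuse is detectable.

```python
"""Password-change gate plus failure lockout.  Added example, not code from
the thread or from any system the posters used.  Thresholds (12 chars, edit
distance 2, 5 failures / 15 min) and the PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Sequence, Tuple

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest) kept per retired password


def hash_pw(pw: str, salt: bytes) -> bytes:
    # Assumed storage hash; any slow salted hash would do for this check.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def new_history_entry(pw: str) -> HistoryEntry:
    """What is stored when a password is accepted; the plaintext is not kept."""
    salt = os.urandom(16)
    return salt, hash_pw(pw, salt)


def stem(pw: str) -> str:
    """'User222!' -> 'user': lowercase, then drop trailing digits/punctuation,
    so user111 -> user222 -> user333 all share one stem."""
    return re.sub(r"[0-9!@#$%^&*._-]+$", "", pw.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches 'Winter2007' -> 'Winter2oo7' style changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_change(current_pw: str, new_pw: str, history: Sequence[HistoryEntry],
                 min_len: int = 12, max_edit: int = 2) -> List[str]:
    """Reasons to reject new_pw (empty list means accept).

    current_pw is available in plaintext because the user just typed it to
    authorise the change, so similarity to it can be checked.  Older
    passwords survive only as salted hashes, so against them the only
    possible test is exact reuse.
    """
    reasons: List[str] = []
    if len(new_pw) < min_len:
        reasons.append("too short")
    if stem(new_pw) == stem(current_pw):
        reasons.append("same stem as current password")
    elif levenshtein(new_pw.lower(), current_pw.lower()) <= max_edit:
        reasons.append("too similar to current password")
    for salt, digest in history:
        if hmac.compare_digest(hash_pw(new_pw, salt), digest):
            reasons.append("reused an earlier password")
            break
    return reasons


class LockoutTracker:
    """Disable an account after max_failures bad attempts (Crash's 'n')."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0) > now

    def record(self, user: str, success: bool, now: float) -> bool:
        """Call after every attempt; returns True if the account is now locked."""
        if success:
            self._failures.pop(user, None)
            return False
        count = self._failures.get(user, 0) + 1
        if count >= self.max_failures:
            self._failures.pop(user, None)
            self._locked_until[user] = now + self.lock_seconds
            return True
        self._failures[user] = count
        return self.is_locked(user, now)
```

Check `is_locked()` before verifying the password, otherwise the lock only applies after the work of hashing has already been done. A lockout of this kind is also a denial-of-service lever: anyone who knows a usercode can lock its owner out by guessing wrong n times, which is why many systems prefer a growing delay or per-source throttling to a hard disable.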
 
 
Shane
 
      04-29-2007
Peter wrote:

>
> What is the strategy behind having to change your password every month or
> 2? This policy has been enforced at a couple of places I have worked at,
> but the IT folk can't explain why.

[snip]


Any password can be compromised, it just takes time. A brute force
approach, for example, could try every combination of Unicode characters
(that the system will accept). The only thing keeping that password secure
then is the amount of time it takes to reach that combination of
characters. Changing the password means (in theory) the cracker has to
start all over again each time, in case you have changed your password to a
previously tried combination.
A moving target is, after all, harder to hit than a sitting duck.

--
Q: What is very old, used by farmers, and obeys the fundamental theorem of
arithmetic?
A: An antique tractorisation domain.

 
 
Peter
 
      04-29-2007

Thanks - that helps explain some things.

Crash wrote:
>> There doesn't seem to be any security benefit to this strategy. If a bad
>> guy gets the password, they will use it straight away, not wait a month
>> or 2.

> The sooner they use it the more likely they will be 'fingered' in doing
> so. You may remember who you gave your password away to yesterday or
> last week, but you might not remember who you might have given it to
> last month.


Yes, regular changing of passwords would tend to disrupt this sort of attack
by relatively unskilled in-house people.


>> Monthly changes would provide very little protection against brute force
>> password crackers, either. The bad guys have plenty of CPU cycles and
>> there would be few user passwords that would hold out longer than that.

> This requires dictionary attacks - easily defended by simply disabling a
> usercode after n unsuccessful attempts. An inconvenience to the genuine
> user but better for


I was thinking of the approach where the bad guys download the password hash
file and crack it off line, maybe using a botnet or cluster. Regular
changing passwords doesn't seem to affect these guys, and would make it
easier for them if it meant users adopted simpler passwords.
I guess it is a matter of balancing up these different risk areas.


thanks

Peter
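Peter's offline scenario, as an added example written for this page and not part of the original post: the attacker already holds the password hash file and one of the user's earlier passwords (cracked from an older dump), and instead of starting the brute force over, as Shane's "moving target" theory assumes, simply derives the successors a user is likely to rotate to. The rotation rules in `rotation_candidates()` are assumptions about user habits, the salt and hashes are constructed for the demo, and PBKDF2 stands in for whatever hash the real system uses.

```python
"""Offline cracking of a rotated password.  Added example, not from the
thread: the rotation rules are assumptions about user habits, the salt and
hashes are constructed for the demo, and PBKDF2 stands in for whatever the
real system uses."""
import hashlib
import hmac
import re
from typing import Iterable, List, Optional


def hash_pw(pw: str, salt: bytes) -> bytes:
    # Assumed password hash.  The attacker computes this locally against a
    # stolen hash, so an online lockout after n failures never triggers.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)


def rotation_candidates(old_pw: str) -> List[str]:
    """Passwords a user is likely to rotate *to*, given a cracked old one.
    Each rule is an assumed habit, e.g. Peter's user111 -> user222 -> user333."""
    cands = set()
    m = re.match(r"^(.*?)(\d+)$", old_pw)
    if m:
        prefix, num = m.group(1), m.group(2)
        # bump the counter: user111 -> user112 ... ; Welcome2007 -> Welcome2008
        for k in range(1, 13):
            cands.add(prefix + str(int(num) + k).zfill(len(num)))
        # a run of one digit becomes a run of another: user111 -> user222
        if len(set(num)) == 1:
            for d in "0123456789":
                cands.add(prefix + d * len(num))
    else:
        # no counter yet: users start one or tack on punctuation / a year
        for suffix in ("1", "2", "01", "!", "!1", "1!", "07", "2007"):
            cands.add(old_pw + suffix)
    # "I changed the case" rotations
    cands.add(old_pw.swapcase())
    cands.add(old_pw.capitalize())
    cands.discard(old_pw)
    return sorted(cands)


def crack(target: bytes, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose hash matches target, or None."""
    for cand in candidates:
        if hmac.compare_digest(hash_pw(cand, salt), target):
            return cand
    return None


if __name__ == "__main__":
    # Constructed scenario: the attacker holds last month's cracked password
    # and this month's salted hash for the same user.
    salt = bytes(range(16))
    for old, new in (("user111", "user222"), ("Welcome2007", "Welcome2008")):
        guesses = rotation_candidates(old)
        hit = crack(hash_pw(new, salt), salt, guesses)
        print(f"{old!r} -> tried {len(guesses)} guesses, recovered {hit!r}")
```

The point the thread is circling: a sequential rotation costs this attacker a couple of dozen hash computations, while the lockout Crash describes does nothing because no login attempt ever reaches the server. What does cost the attacker time is a long password with no relationship to its predecessor, which is exactly what forced monthly changes discourage.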


 
 
peterwn
 
      04-29-2007
On Apr 29, 7:54 pm, Peter <(E-Mail Removed)> wrote:
> What is the strategy behind having to change your password every month or 2?
> This policy has been enforced at a couple of places I have worked at, but
> the IT folk can't explain why.
>


For the same reason that banks have the combinations changed on their
safes and vaults every six months or so.

While those opening bank safes are (or should be) careful that they are not
being overlooked, lapses are more likely for office computers, and
monthly changing of passwords would help to control any prospective
damage.

Even if this is a pain in the neck for employees, they need to
recognise that computer security needs to be taken seriously and
accept such policies with good grace and in particular choose a secure
password, and take the effort to remember it.

A possible way for employees to ease the burden is to use something
easily remembered for (say) four characters of the password and random
lower case, upper case, numerals and special symbols for the
remainder, and write down the latter in a safe place. At password
change time the employee can alternately change the former or latter
substring.

Apparently an old bank officer trick (I read in a factual USA
originated book) is to keep an adding machine printout containing four
'dollars and cents items' and its total. The safe combination would
be (say) the second and third digit in each column, the other digits
being merely random.



 
 
Cima
 
      04-29-2007
On Mon, 30 Apr 2007 07:44:19 +1200, Peter <(E-Mail Removed)> wrote:

>> The sooner they use it the more likely they will be 'fingered' in doing
>> so. You may remember who you gave your password away to yesterday or
>> last week, but you might not remember who you might have given it to
>> last month.

>
>Yes, regular changing of passwords would tend to disrupt this sort of attack
>by relatively unskilled in-house people.



In-house is easy - pets name, kids name, etc


 
 
Jerry
 
      04-30-2007
Peter wrote:
> What is the strategy behind having to change your password every month or 2?
> This policy has been enforced at a couple of places I have worked at, but
> the IT folk can't explain why.

[snip]


One place I worked issued a memo regarding passwords, one line saying
that your password couldn't be trivial. The next time I got asked for a
password I changed it to *trivial*; of course it worked fine.
 