periodic changing of passwords

Discussion in 'NZ Computing' started by Peter, Apr 29, 2007.

  1. Peter

    Peter Guest

    What is the strategy behind having to change your password every month or 2?
    This policy has been enforced at a couple of places I have worked at, but
    the IT folk can't explain why.

    From observation, this policy is counter productive in terms of real world
    security. Ordinary users often respond by choosing a sequence of easily
    remembered passwords (user111, user222, user333, etc) and / or writing them
    down on paper near the PC.
    It also seems to mean people are more likely to share passwords with
    workmates, 'cos they know the password will change in a couple of weeks so
    they are not giving away long term access.

    There doesn't seem to be any security benefit to this strategy. If a bad
    guy gets the password, they will use it straight away, not wait a month or
    2. They will likely escalate privileges and create their own account for
    further access, so changing the user password on them won't close the door.
    Monthly changes would provide very little protection against brute force
    password crackers, either. The bad guys have plenty of CPU cycles and
    there would be few user passwords that would hold out longer than that.

    So, is there a reason for this type of policy? Or is it just like airport
    security, it doesn't provide any real protection and is just there to
    comfort the masses into a false sense of security, by making them think
    those in charge are doing something.


    Peter
     
    Peter, Apr 29, 2007
    #1

  2. Peter

    Ken Guest

    On Sun, 29 Apr 2007 19:54:45 +1200, Peter <> wrote:

    >
    >What is the strategy behind having to change your password every month or 2?
    >This policy has been enforced at a couple of places I have worked at, but
    >the IT folk can't explain why.
    >
    >From observation, this policy is counter productive in terms of real world
    >security. Ordinary users often respond by choosing a sequence of easily
    >remembered passwords (user111, user222, user333, etc) and / or writing them
    >down on paper near the PC.
    >It also seems to mean people are more likely to share passwords with
    >workmates, 'cos they know the password will change in a couple of weeks so
    >they are not giving away long term access.
    >
    >There doesn't seem to be any security benefit to this strategy. If a bad
    >guy gets the password, they will use it straight away, not wait a month or
    >2. They will likely escalate privileges and create their own account for
    >further access, so changing the user password on them won't close the door.
    >Monthly changes would provide very little protection against brute force
    >password crackers, either. The bad guys have plenty of CPU cycles and
    >there would be few user passwords that would hold out longer than that.
    >
    >So, is there a reason for this type of policy? Or is it just like airport
    >security, it doesn't provide any real protection and is just there to
    >comfort the masses into a false sense of security, by making them think
    >those in charge are doing something.
    >
    >
    >Peter
    >
    >




    Databank had it and so did the Wellington ISP Citynet.


    A very normal practice..
     
    Ken , Apr 29, 2007
    #2

  3. Peter

    Peter Guest

    Ken wrote:
    > A very normal practice..


    I know it is normal.
    What I would like to know is why.
     
    Peter, Apr 29, 2007
    #3
  4. Peter

    Collector-NZ Guest

    A periodic forced change in password resolves the issue of compromised
    passwords which have not been discovered to be compromised.

    So if I steal, acquire or whatever other means your password the system is
    only compromised for the time to the next forced change of password.


    "Peter" <> wrote in message
    news:1177836089.857491@ftpsrv1...
    > Ken wrote:
    >> A very normal practice..

    >
    > I know it is normal.
    > What I would like to know is why.
    >
    >
    >
     
    Collector-NZ, Apr 29, 2007
    #4
  5. Peter

    Crash Guest

    Peter wrote:
    > What is the strategy behind having to change your password every month or 2?
    > This policy has been enforced at a couple of places I have worked at, but
    > the IT folk can't explain why.
    >
    >

    The theory, as I understand it, is that a particular password value is
    less vulnerable if it has a limited lifetime.
    > From observation, this policy is counter productive in terms of real world
    > security. Ordinary users often respond by choosing a sequence of easily
    > remembered passwords (user111, user222, user333, etc) and / or writing them
    > down on paper near the PC.
    >

    Correct. In some circumstances I have encountered this is overcome by
    not accepting new passwords that match a pattern in previous passwords.
    However the same approach can be taken with different password patterns.
    > It also seems to mean people are more likely to share passwords with
    > workmates, 'cos they know the password will change in a couple of weeks so
    > they are not giving away long term access.
    >
    >

    But it is still 'illegal'.
    > There doesn't seem to be any security benefit to this strategy. If a bad
    > guy gets the password, they will use it straight away, not wait a month or
    > 2.

    The sooner they use it the more likely they will be 'fingered' in doing
    so. You may remember who you gave your password away to yesterday or
    last week but you might not remember who you might have given it to
    last month.
    > They will likely escalate privileges and create their own account for
    > further access, so changing the user password on them won't close the door.
    >

    This will be the case only in the most insecure environments. It stands
    to reason that usercodes that can be used to create or amend security
    aspects of other usercodes will be very rare.
    > Monthly changes would provide very little protection against brute force
    > password crackers, either. The bad guys have plenty of CPU cycles and
    > there would be few user passwords that would hold out longer than that.
    >
    >

    This requires dictionary attacks - easily defended by simply disabling a
    usercode after n unsuccessful attempts. An inconvenience to the genuine
    user but better for

    [snip]

    Crash.
     
    Crash, Apr 29, 2007
    #5
  6. Peter

    Shane Guest

    Peter wrote:

    >
    > What is the strategy behind having to change your password every month or
    > 2? This policy has been enforced at a couple of places I have worked at,
    > but the IT folk can't explain why.
    >
    > From observation, this policy is counter productive in terms of real world
    > security. Ordinary users often respond by choosing a sequence of easily
    > remembered passwords (user111, user222, user333, etc) and / or writing
    > them down on paper near the PC.
    > It also seems to mean people are more likely to share passwords with
    > workmates, 'cos they know the password will change in a couple of weeks so
    > they are not giving away long term access.
    >
    > There doesn't seem to be any security benefit to this strategy. If a bad
    > guy gets the password, they will use it straight away, not wait a month or
    > 2. They will likely escalate privileges and create their own account for
    > further access, so changing the user password on them won't close the
    > door. Monthly changes would provide very little protection against brute
    > force
    > password crackers, either. The bad guys have plenty of CPU cycles and
    > there would be few user passwords that would hold out longer than that.
    >
    > So, is there a reason for this type of policy? Or is it just like airport
    > security, it doesn't provide any real protection and is just there to
    > comfort the masses into a false sense of security, by making them think
    > those in charge are doing something.
    >
    >
    > Peter


    Any password can be compromised, it just takes time. A brute force
    approach, for example, could try every combination of Unicode characters
    (that the system will accept). The only thing keeping that password secure
    then is, the amount of time it takes to reach that combination of
    characters. Changing the password means (in theory) the cracker has to
    start all over again each time, in case you have changed your password to a
    previously tried combination.
    A moving target is, after all, harder to hit than a sitting duck.

    --
    Q: What is very old, used by farmers, and obeys the fundamental theorem of
    arithmetic?
    A: An antique tractorisation domain.
     
    Shane, Apr 29, 2007
    #6
  7. Peter

    Peter Guest

    Thanks - that helps explain some things.

    Crash wrote:
    >> There doesn't seem to be any security benefit to this strategy. If a bad
    >> guy gets the password, they will use it straight away, not wait a month
    >> or 2.

    > The sooner they use it the more likely they will be 'fingered' in doing
    > so. You may remember who you gave your password away to yesterday or
    > last week but you might not remember who you might have given it to
    > last month.


    Yes, regular changing of passwords would tend to disrupt this sort of attack
    by relatively unskilled in-house people.


    >> Monthly changes would provide very little protection against brute force
    >> password crackers, either. The bad guys have plenty of CPU cycles and
    >> there would be few user passwords that would hold out longer than that.

    > This requires dictionary attacks - easily defended by simply disabling a
    > usercode after n unsuccessful attempts. An inconvenience to the genuine
    > user but better for


    I was thinking of the approach where the bad guys download the password hash
    file and crack it off line, maybe using a botnet or cluster. Regular
    changing passwords doesn't seem to affect these guys, and would make it
    easier for them if it meant users adopted simpler passwords.
    I guess it is a matter of balancing up these different risk areas.


    thanks

    Peter
     
    Peter, Apr 29, 2007
    #7
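A back-of-envelope model of the two attack paths argued over above, Shane's "moving target" online guessing and Peter's offline cracking of a stolen hash file, added here as an example that is not from the thread. Every guess rate, policy figure and scheme size in it is a constructed assumption to be replaced with measured values; the lockout parameters follow Crash's "disable after n attempts" suggestion.

```python
"""Expected cracking time per password scheme versus a rotation period.
Added example; all rates and sizes are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass

DAY = 86_400
CENTURY = 100 * 365 * DAY


@dataclass(frozen=True)
class Scheme:
    name: str
    keyspace: int   # candidates an attacker must cover to be certain of success


# Constructed schemes, from the thread's "user111, user222" habit upward.
SCHEMES = [
    Scheme("word + 3 digits (user111, user222, ...)", 1_000),
    Scheme("one of 100,000 dictionary words + 2 digits", 100_000 * 100),
    Scheme("8 random printable ASCII characters", 95 ** 8),
    Scheme("4 random words from an 8,000-word list", 8_000 ** 4),
]


def online_rate(max_failures: int, lockout_seconds: int) -> float:
    """Guesses per second one account sustains under a lockout policy:
    max_failures tries, then a lockout_seconds pause, repeated."""
    return max_failures / lockout_seconds


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Mean time to hit the right candidate: half the space at the given rate."""
    return keyspace / 2 / guesses_per_second


def verdict(scheme: Scheme, guesses_per_second: float, rotation_days: int) -> str:
    """Where the rotation period sits relative to the expected cracking time."""
    t = expected_seconds(scheme.keyspace, guesses_per_second)
    if t < rotation_days * DAY:
        return "cracked inside the rotation period; rotating does not save it"
    if t < CENTURY:
        return "expected time exceeds the period; rotation caps how long one password is exposed"
    return "infeasible at this rate; rotation is irrelevant"


def report(rotation_days: int = 30, max_failures: int = 5, lockout_seconds: int = 900,
           fast_hash_rate: float = 1e10, slow_hash_rate: float = 1e5) -> list[tuple[str, str, str, str]]:
    """Rows of (scheme, online verdict, offline verdict with a fast unsalted hash,
    offline verdict with a deliberately slow password hash). The two offline rates
    are placeholders for numbers measured on your own hash choice and hardware."""
    online = online_rate(max_failures, lockout_seconds)
    return [
        (s.name,
         verdict(s, online, rotation_days),
         verdict(s, fast_hash_rate, rotation_days),
         verdict(s, slow_hash_rate, rotation_days))
        for s in SCHEMES
    ]


if __name__ == "__main__":
    for name, on, fast, slow in report():
        print(f"{name}\n  online: {on}\n  offline, fast hash: {fast}\n  offline, slow hash: {slow}")
```

With the assumed figures the online column shows the lockout doing most of the work: the "user111" scheme falls in about a day regardless of rotation, while anything random is out of reach. The two offline columns make Peter's point: against a stolen hash file the rotation period is nowhere near the deciding factor; the cost of the hash function is, since the same 8-character random password sits inside a 30-day window at the fast rate and beyond a century at the slow one.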
  8. Peter

    peterwn Guest

    On Apr 29, 7:54 pm, Peter <> wrote:
    > What is the strategy behind having to change your password every month or 2?
    > This policy has been enforced at a couple of places I have worked at, but
    > the IT folk can't explain why.
    >


    For the same reason that banks have the combinations changed on their
    safes and vaults every six months or so.

    While those opening bank safes are (or should be) careful they are not
    being overlooked, lapses are more likely for office computers, and
    monthly changing of passwords would help to control any prospective
    damage.

    Even if this is a pain in the neck for employees, they need to
    recognise that computer security needs to be taken seriously and
    accept such policies with good grace and in particular choose a secure
    password, and take the effort to remember it.

    A possible way for employees to ease the burden is to use something
    easily remembered for (say) four characters of the password and random
    lower case, upper case, numerals and special symbols for the
    remainder, and write down the latter in a safe place. At password
    change time the employee can alternately change the former or latter
    substring.

    Apparently an old bank officer trick (I read in a factual USA
    originated book) is to keep an adding machine printout containing four
    'dollars and cents items' and its total. The safe combination would
    be (say) the second and third digit in each column, the other digits
    being merely random.
     
    peterwn, Apr 29, 2007
    #8
  9. Peter

    Cima Guest

    On Mon, 30 Apr 2007 07:44:19 +1200, Peter <> wrote:

    >> The sooner they use it the more likely they will be 'fingered' in doing
    >> so. You may remember who you gave your password away to yesterday or
    >> last week but you might not remember who you might have given it to
    >> last month.

    >
    >Yes, regular changing of passwords would tend to disrupt this sort of attack
    >by relatively unskilled in-house people.



    In-house is easy - pets name, kids name, etc ;-)
     
    Cima, Apr 29, 2007
    #9
  10. Peter

    Jerry Guest

    Peter wrote:
    > What is the strategy behind having to change your password every month or 2?
    > This policy has been enforced at a couple of places I have worked at, but
    > the IT folk can't explain why.
    >
    > From observation, this policy is counter productive in terms of real world
    > security. Ordinary users often respond by choosing a sequence of easily
    > remembered passwords (user111, user222, user333, etc) and / or writing them
    > down on paper near the PC.
    > It also seems to mean people are more likely to share passwords with
    > workmates, 'cos they know the password will change in a couple of weeks so
    > they are not giving away long term access.
    >
    > There doesn't seem to be any security benefit to this strategy. If a bad
    > guy gets the password, they will use it straight away, not wait a month or
    > 2. They will likely escalate privileges and create their own account for
    > further access, so changing the user password on them won't close the door.
    > Monthly changes would provide very little protection against brute force
    > password crackers, either. The bad guys have plenty of CPU cycles and
    > there would be few user passwords that would hold out longer than that.
    >
    > So, is there a reason for this type of policy? Or is it just like airport
    > security, it doesn't provide any real protection and is just there to
    > comfort the masses into a false sense of security, by making them think
    > those in charge are doing something.


    One place I worked issued a memo regarding passwords, one line saying
    that your password couldn't be trivial. The next time I got asked for a
    password I changed it to *trivial*, of course it worked fine
     
    Jerry, Apr 30, 2007
    #10
  11. Peter

    Peter Guest

    Jerry wrote:
    > One place I worked issued a memo regarding passwords, one line saying
    > that your password couldn't be trivial. The next time I got asked for a
    > password I changed it to *trivial*, of course it worked fine


    LOL - brilliant !
     
    Peter, Apr 30, 2007
    #11
  12. Peter

    Ross Guest

    On Mon, 30 Apr 2007 20:50:38 +1200, Peter <>
    wrote:

    >Jerry wrote:
    >> One place I worked issued a memo regarding passwords, one line saying
    >> that your password couldn't be trivial. The next time I got asked for a
    >> password I changed it to *trivial*, of course it worked fine

    >
    >LOL - brilliant !


    It is better to use a mnemonic than a plain word variation.
    e.g. Remember this phrase. "No Idiots going to crack this particular
    password."
    Then translate it into this password. "0ig2cTPP"

    (I haven't changed my online banking password for over 6 years).
    But then my computer has good protection. Well, as long as no one is
    still targeting Windows 98 with rootkits!
     
    Ross, Apr 30, 2007
    #12
  13. Peter

    Stuart Guest

    "peterwn" <> wrote in message
    news:...
    > Even if this is a pain in the neck for employees, they need to
    > recognise that computer security needs to be taken seriously and
    > accept such policies with good grace and in particular choose a secure
    > password, and take the effort to remember it.

    This is how we helped everybody at work:
    http://www.flickr.com/photos/slieschke/226873460/

    Stuart
     
    Stuart, Apr 30, 2007
    #13
