Re: password aging
Stephen P. Gibbons (steve@aztech.net)
Tue, 01 Sep 1998 01:27:02 -0700
- Next message: Joseph S. D. Yao: "Re: password aging"
- Previous message: Ian Wade: "Archive for this list?"
Paul McNabb wrote:
> > From: "Stephen P. Gibbons" <steve@aztech.net>
> >
> > Respectfully, I don't think you've read a word that I've written.
>
> Respectfully, I read everything several times before writing a response.
>
> The bottom line of all of this is the following:
>
> It is absolutely, positively guaranteed that any serious attacker over
> the age of 12 will be able to determine whether the password is failing
> the complex checks (yes, I'm VERY familiar with ALL you have mentioned)
> or if he has stumbled across someone's old or current password.
I disagree. The system that I was proposing would only expose
previously used passwords. It would _not_ expose passwords in current
use. The only way to check a username/password combination in the
system that I am talking about is to speak its protocol, and make a
login request. All logins are logged (success or failure) and audited,
and the account is locked after N attempts without success.

Password changes are logged and audited to the same degree. Accounts
are currently "locked out" after N unsuccessful attempts to change the
password. (False, but true enough for a public statement)

Granted, the previous policy will need to be rethought.
> Any argument to the contrary is an appeal to the entirely discredited
> "security through obscurity" arguments that are occasionally raised
> by novices in the security field.
I would hope that I am arguing "security through reasoned thought", not
"security through obscurity". You may disagree with me, without
understanding the system that I have in mind, but please don't imply
that I am a novice.
Someone raised the topic of password history checking. I posted
my (admittedly) disorganized thoughts on the topic, from the point of
view of the system that I am currently supporting via changes to code.
I really do appreciate the comments, but I think that we've been
talking about apples vs. oranges. I won't go into too many details,
but (for example) I've been supposing about 10^6 or 10^7 users.
> And yes, most users have patterns to their password selections, and
> knowing one or more can reduce the password namespace dramatically.
> For example, do you often add digits to the end of your passwords?
> the beginning? punctuation at the end? swap syllables? use initial
> or final upper case letters? People DO use patterns when selecting
> passwords. And if you want to try to limit that, you might as well
> use a password generation program and enforce a large and random
> password namespace. It seems it would be better to spend your time
> making a password generator that made easy-to-remember-yet-complex
> passwords.
>
> All of your fancy checking for "weak" passwords are wonderful! They
> are meaningful! They are good! They should be used!
>
> However, they should be used ONLY for checking passwords against a
> dictionary or the user's own password history, never against other
> users' passwords!
This is what we do today.
> ANY MECHANISM THAT YOU PROVIDE THAT REVEALS INFORMATION ABOUT ANOTHER
> USER'S PASSWORD CHOICES IS A SECURITY HOLE!!
>
> System wide password histories can never, never, under any circumstances
> provide any level of additional security!! The one exception is if your
> users are telling each other their passwords and using that information
> when changing their own passwords -- a situation that is so bad that no
> system-wide password history mechanism could hope to provide much help.
>
> The instant you install a system-wide password history mechanism, your
> system is less secure than it was.
>
> Stephen may not be able to accept this, but I hope that other security
> folks on this list avoid system-wide password histories like they would
> three day old roadkill.
I probably haven't "defended" myself well enough (above) WRT this
discussion, but I will fall back on my statement that "one has to look
at the system as a whole before drawing conclusions".
I asked for feedback, and I thank you for yours, Paul. I think that I
probably under-estimated the amount of information that I needed to
supply, in order to get useful feedback, and for that I apologize.
On the flip-side: Maybe we should just agree to disagree.
firewall-wizards is probably sick of hearing the banter, at this point.
-- Steve

> ---------------------------------------------------------
> Paul McNabb                     Argus Systems Group, Inc.
> Vice President and CTO          1809 Woodfield Drive
> mcnabb@argus-systems.com        Savoy, IL 61874 USA
> TEL 217-355-6308
> FAX 217-355-1433                "Securing the Future"
> ---------------------------------------------------------
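Added example (not code from either poster or from the system Stephen describes): the two password-history designs argued about above, side by side. A per-user history check only compares the new password against the requesting account's own previous hashes; a system-wide check compares it against every account's history, so the change-password response itself becomes an oracle that an attacker holding any legitimate account can use to confirm other users' old or current passwords. A lockout after N failed change attempts, as Stephen mentions, is included to show that it bounds how much one account can probe but does not remove the leak. Account names, passwords, the PBKDF2 iteration count and the lockout threshold are all constructed for the demonstration.

```python
"""Constructed example: per-user versus system-wide password history,
and the change-password response used as an oracle by an attacker."""
import hashlib
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERS = 10_000  # deliberately low so the demo runs quickly


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; one salt per stored history entry."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)  # [(salt, hash)], newest first
    failed_changes: int = 0
    locked: bool = False

    def set_password(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_pw(password, salt)))

    def in_history(self, candidate: str) -> bool:
        return any(secrets.compare_digest(hash_pw(candidate, s), h)
                   for s, h in self.history)


class PerUserHistoryPolicy:
    """Rejects a new password only if it appears in the requesting user's
    own history. The response reveals nothing about other accounts."""

    def change_password(self, accounts: dict, user: str, new_pw: str) -> str:
        acct = accounts[user]
        if acct.in_history(new_pw):
            return "rejected"
        acct.set_password(new_pw)
        return "ok"


class SystemWideHistoryPolicy:
    """Rejects a new password if it appears in any account's history and
    locks the requester after max_failures consecutive rejections. A
    rejection not explained by the requester's own history confirms the
    candidate is, or was, somebody else's password."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures

    def change_password(self, accounts: dict, user: str, new_pw: str) -> str:
        acct = accounts[user]
        if acct.locked:
            return "locked"
        if any(a.in_history(new_pw) for a in accounts.values()):
            acct.failed_changes += 1
            if acct.failed_changes >= self.max_failures:
                acct.locked = True
            return "rejected"
        acct.failed_changes = 0
        acct.set_password(new_pw)
        return "ok"


def probe_other_users(policy, accounts: dict, attacker: str, candidates: list) -> list:
    """Attacker with a legitimate account tries each candidate as their own
    new password. Candidates already in the attacker's history are skipped,
    since a rejection there says nothing about other users."""
    confirmed = []
    for cand in candidates:
        if accounts[attacker].in_history(cand):
            continue
        verdict = policy.change_password(accounts, attacker, cand)
        if verdict == "locked":
            break  # lockout caps the leak per account; it does not close it
        if verdict == "rejected":
            confirmed.append(cand)
    return confirmed


def build_accounts() -> dict:
    """Constructed accounts: alice has an old and a current password, bob
    one current password, mallory is the attacker's own account."""
    accounts = {n: Account(n) for n in ("alice", "bob", "mallory")}
    for pw in ("Autumn1997", "Winter1998"):  # alice: old first, then current
        accounts["alice"].set_password(pw)
    accounts["bob"].set_password("tr0ub4dor")
    accounts["mallory"].set_password("mallory-pw")
    return accounts


def run_probe(policy, candidates: list) -> list:
    """Fresh accounts each run so the two policies are compared fairly."""
    return probe_other_users(policy, build_accounts(), "mallory", candidates)


if __name__ == "__main__":
    guesses = ["Winter1998", "tr0ub4dor", "letmein", "Autumn1997"]
    print("per-user history confirms   :", run_probe(PerUserHistoryPolicy(), guesses))
    print("system-wide history confirms:", run_probe(SystemWideHistoryPolicy(5), guesses))
```

Under the per-user policy every guess is simply accepted as mallory's new password and the attacker learns nothing. Under the system-wide policy the rejections confirm alice's current password, bob's current password and alice's previous one, and the only thing a lockout threshold changes is how many guesses each attacker-controlled account gets before it has to move to the next one.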
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:46 CDT