April 24, 2006

Periodic Password Changes a Waste of Time

Our favorite quotable Computer Science prof, Eugene Spafford, has come out with a controversial article about the (un)importance of regular password changes.

He analyzes the threats and finds the mitigation is minimal. Even better, he examines the source of this “best practice”…

So where did the “change passwords once a month” dictum come from? … As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years.

This is one I have to agree with Spaf on. Since regular changes make a password harder to remember, they actually decrease security by:

  • Discouraging long, complex passwords.
  • Encouraging people to write their passwords down.

I would rather have 1 more character required in a password than require it to be regularly changed.
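As an added illustration (not part of the original post), here is the keyspace arithmetic behind that preference. It assumes a uniformly random password and an attacker guessing at a constant rate; the 95-symbol character set and one million guesses per second are constructed figures, not measurements.

```python
"""Keyspace arithmetic: one more character versus monthly rotation.

Added example. Assumes a uniformly random password and an attacker who
guesses at a constant rate. Charset size and guess rate are constructed."""
from typing import Optional

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def exhaustive_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Days needed to try every password at a constant guess rate
    (the back-of-the-envelope number behind the monthly rotation rule)."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_DAY


def hit_probability(charset_size: int, length: int,
                    guesses_per_second: float, days: float) -> float:
    """Chance a random password is found within `days` of continuous
    guessing: guesses made divided by keyspace, capped at 1."""
    guesses = guesses_per_second * days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(charset_size, length))


def yearly_risk(charset_size: int, length: int, guesses_per_second: float,
                rotation_days: Optional[float]) -> float:
    """Probability of at least one compromise over a 365-day year.

    Without rotation the attacker accumulates guesses against one password.
    With rotation every `rotation_days`, each period is a fresh attempt
    against a new password, so the attacker's progress resets."""
    if rotation_days is None:
        return hit_probability(charset_size, length, guesses_per_second, 365)
    periods = 365 / rotation_days
    per_period = hit_probability(charset_size, length, guesses_per_second, rotation_days)
    return 1.0 - (1.0 - per_period) ** periods


def compare_policies(charset_size: int = 95, length: int = 8,
                     guesses_per_second: float = 1e6) -> dict:
    """Yearly compromise risk under three policies against the same attacker."""
    return {
        "no_rotation": yearly_risk(charset_size, length, guesses_per_second, None),
        "rotate_30_days": yearly_risk(charset_size, length, guesses_per_second, 30),
        "one_more_char": yearly_risk(charset_size, length + 1, guesses_per_second, None),
    }


if __name__ == "__main__":
    for policy, risk in compare_policies().items():
        print(f"{policy:>15}: {risk:.3e}")
```

With these figures, rotating every 30 days lowers the yearly risk by well under one percent, while adding one character divides it by the charset size (95).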

Spaf: Security Myths and Passwords


3 Responses to “Periodic Password Changes a Waste of Time”

  1. Monsolo Says:

    Then my question: assuming you have a high critical system that requires a password, how would you protect it?

    April 25th, 2006 at 5:30 am
  2. Security Wonk Says:

    There are many ways you should protect a password:
    1) Require them to be complex (letters, numbers, special characters)
    2) Require them to be long
    3) Make sure they are transmitted with strong encryption
    4) Make sure they are stored with strong encryption or hashing
    5) Educate users to not share passwords
    6) If at all possible, implement 2 factor authentication

    April 25th, 2006 at 8:31 am
  3. Security Wonk - Blindly Applying ‘Best Practices’ Says:

    [...] Professor Spafford expounds on his previous article we talked about to say that we should examine all best practices to see which ones make sense for a given application. My favorite example of this: [...]

    May 11th, 2006 at 11:24 am
