begin quoting John H. Robinson, IV as of Thu, Nov 29, 2007 at 11:01:41AM -0800:
> Michael O'Keefe wrote:
> >
> > I've never understood password aging.
> > If your system is so fragile that it cannot withstand users keeping
> > their passwords indefinitely, I'd be looking at the system's fragility,
> > not password rotation.
>
> It is not about system fragility, it has to do with people re-using
> passwords. Most people will pick one, maybe two, passwords and use them
> everywhere. For their work systems, for their home systems, for gmail,
> for web forum, e-bay, amazon, *everything*.
Yup. A lot of those passwords don't /need/ to be secure, too. Or even
need to be a password -- why do I need a good password to read online
NYT articles? Why should that be different from the BBC online news?

If the user is not invested in keeping the system secure, they're not
going to choose good passwords (so we'll MAKE them, dammit), they're
going to reuse passwords (so we'll MAKE them change 'em, dammit), and
they're going to write them down on post-its.

(Speaking of which... my password for my work email expired while I was
away. AND I was away long enough that I forgot the PIN for my smartcard
that I need to use to reset the password. The first thing I was asked
was "Surely you wrote that down somewhere?"*)

So now we go from "something you know" to "something you have". The
thing you "know" goes from the password to "where did I put that post-it
note?" Is this an improvement?

[*] Of course, after I got the PIN reset, I failed to ensure numlock was
on, and locked the smartcard. Again.

> It takes one slip up for that password to become exposed. It has nothing
> to do with the security of the system, but the fragility of the users.
> Your only defense is to ensure that an exposed password has only a
> limited window of opportunity. This is done by making users reset their
> passwords every so often.

Expiring passwords is about protecting the system if/when the encrypted
passwords are exposed -- such as the shadow file being stolen. However,
computers have gotten powerful enough so that this mechanism isn't very
useful anymore.

The use-one-password-everywhere problem is exacerbated by password
expirations. Users need a lot of passwords, because they require access
to several unrelated systems -- that's the given. That's a lot to
memorize (but is, in theory, doable). However, when the passwords
expire, the number of passwords they have to memorize and re-memorize
goes waaay up. So they economize -- they reuse passwords.
The tighter the window and the less reuse of old passwords allowed, the
more they reuse passwords across systems. Trying to limit exposure by
forcing new passwords serves to _widen_ the exposure (across systems,
rather than across time). Not the desired outcome, I'd think.

After all, most people seem to understand that if they accidentally
reveal their password (via email, or IRC, or somesuch) they'll need to
change it everywhere that it was used.

-- And then there are those people who email tech support their account
& password.

Stewart Stremler
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
