Re: Password change *recommended* -- RESULTS?

["Joel L. Rosenblatt" <joel () COLUMBIA EDU>]

Hi,

I agree with this - I have analyzed brute force attacks and the
average attack tries hundreds of ID's, but only 10-15 passwords per ID
(think top 10 passwords)

Spending a lot of time making really complicated passwords is
misdirected effort in my opinion - it would be better spent on
figuring out how to implement two factor authentication

Make sure that your passwords are none of the top 100 or dictionary
words and then try and figure out how to prevent your users from
answering phishing emails

My 2 cents
Joel


Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Thu, Apr 17, 2014 at 9:17 AM, Robert Meyers <REMeyers () mail wvu edu> wrote:
> I'd like to take this in a slightly different direction.
>
> With all the conversation about the need for complex passwords, how many can
> honestly report that their institution has suffered a significant data
> incident because of a hack or brute force attack on user passwords? How many
> breaches have been reported in the edu community because a user password was
> too weak?  I'm not disputing anything with these questions, just honestly
> seeking evidence that demands a clear verdict.  What I do see daily are
> users WILLINGLY surrendering their login credentials to phishing scams, so
> password complexity doesn't enter into the conversation.
>
>
>
> I do spend the majority of my time with students teaching methods of
> creating complex passwords as a means of elevating their overall cyber
> security awareness.
>
>
>
> Bob Meyers
> WVU Information Security
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Walker
> Sent: Wednesday, April 16, 2014 4:44 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?
>
>
>
> Brady,
>
> Very real issues you've listed about multi-factor authentication.  I'll
> mention that the MFA Cohortium
> (https://wiki.cohortium.internet2.edu/confluence/display/mfacohortium/Home),
> a group of 40-50 universities, is doing a work in the areas you've
> mentioned.  Take a look; there are a number of white papers available.
> You're also welcome to participate; information for how to do that is
> available from the wiki page linked above.
>
> A couple of other links you may find of interest:
>
> ·        The FIDO Alliance (https://fidoalliance.org/), an industry group
> that has recently released specifications for a standard authentication API
> for second factor and passwordless tokens.
>
> ·        The Multi-Context Broker (https://spaces.internet2.edu/x/BozFAg),
> an extension to Shibboleth that facilitates the integration of MFA and
> assurance into a SAML IdP.
>
>
> Things are getting better, but they still have a ways to go.
>
> David
>
> On 04/16/2014 12:18 PM, McClenon, Brady wrote:
>
> Thanks, Joe.  I agree that MFA is the way to go, but with many colleges
> depending on vendor supplied software MFA becomes more difficult.  Does the
> service support MFA, and if so which solution?  SSO would make this easier,
> but SSO has the same set of issues.  Some support CAS, some support SAML,
> some ADFS, etc...  It seems that until SSO and MFA standards are achieved
> some are overwhelmed with the need to support 2-3-4 solutions to the same
> problem.
>
>
>
> I follow some of your reasons outlined for password changes, and again,
> thanks.  I will point out that the statements "Periodic Password Changes
> Limit The Window for Brute Force Attacks" and "If you do change your
> password, the attacker will need to restart their cracking effort because
> cracking your old password typically won't help the attacker deduce your new
> password" aren't entirely true.  The attacker would only need to restart if
> your new password was one he/she already tried prior to the change.  The
> window may not change at all, and the probability that the change helped
> protect the password can be anywhere between 0-100% depending on where the
> attacker was in his list when the password was changed.   So while there is
> some value against brute force the value seems somewhat undeterminable.
>
>
>
>
>
>
>
>
>
> -----Original Message-----
>
> From: Joe St Sauver [mailto:joe () oregon uoregon edu]
>
> Sent: Wednesday, April 16, 2014 10:39 AM
>
> To: McClenon, Brady
>
> Cc: security () listserv educause edu
>
> Subject: Re: Password change *recommended* -- RESULTS?
>
>
>
> Good morning!
>
>
>
> Brady asked:
>
>
>
> #Except in the case of an incident were passwords may have be leaked or
> #otherwise compromised, in which case it seems it would be a required
> #change and just not recommended, I'm curious to the thoughts of those #here
> on why you would enforce periodic password changes on users.
>
>
>
> I outlined a few reasons in an NWACC talk on passwords that you can find at
> http://pages.uoregon.edu/joe/passwords/passwords.pdf (section 4 talks about
> the password change issue)
>
>
>
> That said, the fundamental problem is that at this stage of the game, plain
> old passwords just aren't good enough anymore -- yet we still don't see
> ubiquitous deployment of multifactor on most campuses. Why?
>
>
>
> I attempted to discuss some of the reasons that people may have
>
> *historically* had, and why they may no longer be applicable, in a talk I
> did last week in Denver at the Internet2 Global Summit; see
> http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf
>
>
>
> If you all are not doing multifactor, did I catch the reason(s) why in thos
> slides? If I missed a fundamental reason, I'd love to hear about/understand
> it better.
>
>
>
> Do we all just secretly love passwords for some sort of weird cultural
> reasons? :-;
>
>
>
> Regards,
>
>
>
> Joe