[cryptography] Password non-similarity?

Kevin W. Wall kevin.w.wall at gmail.com
Sat Dec 31 21:52:47 EST 2011

On Sat, Dec 31, 2011 at 9:02 PM, Bernie Cosell <bernie at fantasyfarm.com> wrote:
> On 1 Jan 2012 at 11:02, Peter Gutmann wrote:
>> Bernie Cosell <bernie at fantasyfarm.com> writes:
>> >On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
>> >> Yes, ideally people would have a separate, strong password, changed
>> >> regularly for every site.
>> >
>> >This is the very question I was asking: *WHY* "changed regularly?  What
>> >threat/vulnerability is addressed by regularly changing your password?  I
>> >know that that's the standard party line [has been for decades and is
>> >even written into Virginia's laws!], but AFAICT it doesn't do much of
>> >anything other than encourage users to be *LESS* secure with their
>> >passwords.
>> This requires an answer that's waaay too long to post here, I've made an
>> attempt (with lots of references to historical docs) in the chapter
>> "Passwords" in http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf (it's
>> easier to post the link than to post large extracts here, since the discussion
>> is fairly in-depth).
> Actually, it isn't too large an extract to, basically, make my point:
>    Another tenet of best-practice password management is to expire
>    passwords at regular intervals and sometimes to enforce some sort of
>    timeout on logged-in sessions [64].  Requiring password changes is
>    one of those things that many systems do but no-one has any idea
>    why.  Purdue professor Gene Spafford thinks this may have its
>    origins in work done with a standalone US Department of Defence
>    (DoD) mainframe system for which the administrators calculated that
>    their mainframe could brute-force a password in x days and so a
>    period slightly less than this was set as the password- change
>    interval [65].  Like the ubiquitous "Kilroy was here" there are
>    various other explanations floating around for the origins of this
>    requirement, but in truth no-one really knows for sure where it came
>    from.  In fact the conclusion of the sole documented statistical
>    modelling of password change, carried out in late 2006, is that
>    changing passwords doesn´t really matter ...

Well, I can think of one real risk, but IMHO, it is minimal and
hardly constitutes the hassle that we enforce upon millions of
users.  I have seen this from personal observation as a syad as well
as have done this accidentally myself several times. What you
ask? Well, on more than a few occasions, I've observed cases
where users have accidentally entered their password into the
"username" field (either alone, or with the username preprended).
Of course, the login attempt fails and, more to the point, the
invalid "user name" is logged. The users almost immediately
realize their mistakes, and then login correctly. Unfortunately,
most users don't realize that their password has just been logged
as an invalid user name and their logged subsequent successful login
makes it rather trivial to associate that password with the actual
username of the user. And because they don't realize this, they
don't immediately change their password. (I confess that I have
even been guilty of this at times, but generally for sites that
probably shouldn't be requiring passwords in the first place.)
Anyhow, requiring a user change their password every 30/60/90/N
days mitigates this risk to some degree. Apparently, the idea
is that hopefully by the time an adversary discovers this from
the captured log files in question, the user will already have been forced
to change their password.  I think that's the theory at least.
I think the risk is low, especially if you train people to change
their passwords when them make this sort of screw up. (It
wouldn't be too hard to conceive of an authN system that could
even automate this, although it would have to retain some
state information for login attempts that failed b/c of an
"invalid user".) I suspect a similar argument could be made for
somone scribbling a username / password on a scrap of
paper and then tossing it in the trash where it might be
discovered by some dumpster diver.

Of course, IMO, this risk is hardly justification for requiring
that users periodically be forced to change their passwords.

To get to the real reason, I suspect you'd have to chat with
the corporate attorneys. I think the rationale in their mind
goes something like this and involves a misconception:

    "Best security practice is to regularly change your
    password. So if we force users to do that, we've
    done due diligence, and should a security breach be
    discovered, at least we can't be sued for treble the
    damages because we've done due diligence by following
    industry best practice."

Or whatever. The misconception is of course, that this
truly is "best practice". Pretty sure that it's some CYA
policy along this line that is driving this. And IT has learned
it's just easy to implement whatever legal requests than to
argue the rationality of the decision with their legal department.
(Besides, it's more work for IT, and thus job security to
some degree.)  In the end, I think things like this are way
more commonplace than perhaps any of us would like to
believe. I've read several of the security policies at a few
different companies and pretty much all of them look like
they've been written up by some policy wonk who never
even considered what threat model they were trying to
defend against.  Welcome to the real world. Sigh.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

More information about the cryptography mailing list