Remembering history passwords may be bad, but they are getting worse

Sean Donelan sean at donelan.com
Mon Jul 28 05:00:55 UTC 2003


On Sun, 27 Jul 2003, Stephen Sprunk wrote:
> There's a staggering number of web sites that won't allow me to use
> non-alphanumeric characters in my passwords at all.  I've even run into a
> few which also don't allow and/or preserve upper-case letters.   Those who
> fail to learn the lessons of history...

It's even worse: we're actually moving backwards.

Not only users, but even "security consultants" don't understand the
history.  They have checklists.  The checklist says you must change the
password every 30 days, pass/fail.

If you go to the library (or use Google) and look up the Green Book,
you'll find password lifetime was not a critical factor.  The Green Book
has the somewhat arbitrary recommendation for a 1 year password lifetime.
The original analysis was based on 300/1200 baud modems, but even that
isn't relevant *PROVIDED* you implement the other recommendations in
the Green Book.

Most bank 4-6 numeric PINs have indefinite lifetimes.  Most ISPs don't
require consumers to change network passwords.


The problem is fewer and fewer modern systems implement the other
recommendations.  So password lifetime has become the primary protection
factor.

How many systems notify the user
   - the date and time of user's last login
   - the location of the user at the last login
   - unsuccessful login attempts since last successful login
How many web systems control the rate of login attempts
   - by source
   - by userid
How many web systems notify anyone or block the account after N
unsuccessful login attempts either temporarily or permanently

Systems like VAX/VMS had a relatively sophisticated intrusion detection
and evasion process built into the operating system by the 1980s.

Note: if the user's PC has been compromised it doesn't matter how
frequently they change their password.  Even pseudo-random
one-time-password systems are vulnerable when the user's system
has been compromised (as some mobsters found out when the FBI
infiltrated their systems).
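The controls the post lists (last-login notice with time and source, failed attempts since the last success, rate limiting by source and by userid, temporary lockout after N failures) fit in a small piece of login-path bookkeeping. The following is an added example, not code from the original post or from any system it mentions; the class and function names, the thresholds, and the sample login sequence are all constructed for illustration.

```python
"""Login-attempt bookkeeping of the kind described in the post.

Added example (not from the original message).  Policy values, names and
the sample event sequence are constructed; a real deployment would store
password hashes and persist this state outside the process.
"""
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Constructed policy knobs.
MAX_ATTEMPTS_PER_WINDOW = 5   # attempts allowed per source and per userid ...
RATE_WINDOW_SECONDS = 60      # ... within this sliding window
LOCKOUT_AFTER_FAILURES = 3    # consecutive failures before a temporary lock
LOCKOUT_SECONDS = 900


@dataclass
class AccountState:
    last_login_time: Optional[int] = None
    last_login_source: Optional[str] = None
    failures_since_success: int = 0
    locked_until: int = 0
    # (time, source) of each failure since the last success; reported at next login.
    failed_attempts: List[Tuple[int, str]] = field(default_factory=list)


class LoginMonitor:
    def __init__(self, credentials: Dict[str, str]):
        # userid -> secret.  Plain strings here only to keep the example short.
        self.credentials = credentials
        self.accounts = {u: AccountState() for u in credentials}
        self.attempts_by_source: Dict[str, Deque[int]] = {}
        self.attempts_by_user: Dict[str, Deque[int]] = {}

    def _rate_limited(self, table: Dict[str, Deque[int]], key: str, now: int) -> bool:
        """Sliding-window counter: True if `key` already used its quota."""
        q = table.setdefault(key, deque())
        while q and now - q[0] >= RATE_WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_ATTEMPTS_PER_WINDOW:
            return True
        q.append(now)
        return False

    def attempt(self, now: int, userid: str, source: str, password: str):
        """Process one login attempt; returns (status, notice_or_None)."""
        if self._rate_limited(self.attempts_by_source, source, now):
            return ("throttled_source", None)
        if self._rate_limited(self.attempts_by_user, userid, now):
            return ("throttled_user", None)
        acct = self.accounts.get(userid)
        if acct is None:
            # Unknown userid takes the same path as a bad password, so the
            # response does not reveal which userids exist.
            return ("failed", None)
        if now < acct.locked_until:
            # Locked accounts reject even the correct password until the lock expires.
            return ("locked", None)
        stored = self.credentials[userid].encode()
        if not hmac.compare_digest(stored, password.encode()):
            acct.failures_since_success += 1
            acct.failed_attempts.append((now, source))
            if acct.failures_since_success >= LOCKOUT_AFTER_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                return ("locked", None)
            return ("failed", None)
        # Success: build the notice the user should see, then reset counters.
        notice = {
            "last_login_time": acct.last_login_time,
            "last_login_source": acct.last_login_source,
            "failed_attempts_since_last_login": len(acct.failed_attempts),
            "failed_attempt_sources": sorted({s for _, s in acct.failed_attempts}),
        }
        acct.last_login_time, acct.last_login_source = now, source
        acct.failures_since_success = 0
        acct.failed_attempts = []
        return ("success", notice)


def run_sample() -> Dict[str, list]:
    """Replay a constructed event sequence and return the results per scenario."""
    mon = LoginMonitor({"alice": "correct horse"})
    # Three bad guesses lock alice; the correct password is refused while
    # locked; two later logins show the notice contents.
    alice = [
        mon.attempt(1000, "alice", "10.0.0.5", "wrong1"),
        mon.attempt(1005, "alice", "10.0.0.5", "wrong2"),
        mon.attempt(1010, "alice", "10.0.0.5", "wrong3"),
        mon.attempt(1020, "alice", "10.0.0.5", "correct horse"),
        mon.attempt(2000, "alice", "192.0.2.7", "correct horse"),
        mon.attempt(2100, "alice", "192.0.2.7", "correct horse"),
    ]
    # One source guessing many unknown userids hits the per-source limit.
    scan = [mon.attempt(3000 + i, f"user{i}", "203.0.113.9", "x")[0] for i in range(6)]
    return {"alice": alice, "scan": scan}


if __name__ == "__main__":
    for name, results in run_sample().items():
        print(name, results)
```

Ordering matters: the per-source and per-userid counters run before the password check, so a guessing source is throttled regardless of whether its userids exist, and the lock check runs before the comparison, so a locked account gives no feedback on whether a guess was right.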
