Wednesday, April 26

Security and Password Myths

Kaliya Hamlin pointed to an article about password security and what its author (Prof. Eugene Spafford) calls security myths. It's an interesting article, but I don't agree with the main point, which is that mandatory password changes do not increase security. He calls these policies folk wisdom and claims that best practices are "intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment". Well, I don't agree with that statement or Prof. Spafford's conclusion.

Best practices, as I use the term, describe an ideal state without knowledge of a given environment. Every environment has exceptions and special needs, so it's not always possible to implement best practices, but they should serve as an ideal to work toward. Default policies, on the other hand, are often what's easiest to implement -- just ask any company that sells hardware for wireless home networking products. These products are usually shipped with default settings that make them easy to set up. Best practices, however, require that the installer configure encryption keys that prevent people in close proximity from accessing the network.

Let's move to the password change policies. While there are certainly (as Prof. Spafford writes) a number of password failure modes, these policies are in effect to minimize the effectiveness of one of those failure modes - cracking. We may only differ in our definitions of weak cracking. This article by Geodsoft discusses password cracking techniques. The takeaway is that with a strong password policy, a brute-force cracking attempt will take over two months at 6 characters and two years at 8 characters. It's certainly possible to improve that timeframe with heavy hardware infrastructure, but I think the policy will serve its purpose of reducing the threat. And that's ultimately the goal. We all know that nothing in IT is 100% secure, but we should probably implement as many practical policies and solutions as possible to reduce the potential threat.
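To make the relationship between password policy, brute-force search time and a change interval concrete, here is a small Python estimator added for this post (it is not code from the Geodsoft article or from Prof. Spafford). The character-class sizes and the guess rate are assumptions; the rate in particular varies enormously with the hash and hardware, so treat the numbers as illustrative.

```python
import math

# Assumed character-class sizes for a policy that requires each class.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")
SECONDS_PER_DAY = 86400


def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` drawn from the given classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def expected_crack_seconds(length, classes, guesses_per_second):
    """Expected time to hit a uniformly random password: on average half the keyspace."""
    return keyspace(length, classes) / 2 / guesses_per_second


def rotation_keeps_ahead(length, classes, guesses_per_second, rotation_days):
    """True when the expected search time exceeds the mandatory change interval,
    i.e. the password is expected to be replaced before exhaustive search finds it."""
    return expected_crack_seconds(length, classes, guesses_per_second) > rotation_days * SECONDS_PER_DAY


def min_length_for_rotation(classes, guesses_per_second, rotation_days, max_length=64):
    """Smallest length at which the change interval stays ahead of expected cracking time."""
    for length in range(1, max_length + 1):
        if rotation_keeps_ahead(length, classes, guesses_per_second, rotation_days):
            return length
    return None  # no length up to max_length is enough at this guess rate


if __name__ == "__main__":
    # Constructed scenario: offline cracking at an assumed 1,000,000 guesses/second,
    # 90-day mandatory change policy.
    RATE, ROTATION = 1_000_000, 90
    print(f"{'len':>3} {'keyspace':>22} {'expected days':>14} ahead of 90-day rotation?")
    for length in range(6, 11):
        days = expected_crack_seconds(length, ALL_CLASSES, RATE) / SECONDS_PER_DAY
        print(f"{length:>3} {keyspace(length, ALL_CLASSES):>22,} {days:>14,.1f} "
              f"{rotation_keeps_ahead(length, ALL_CLASSES, RATE, ROTATION)}")
    print("minimum length for 90-day rotation:", min_length_for_rotation(ALL_CLASSES, RATE, ROTATION))
```

Raising the assumed guess rate (faster hardware, a weaker hash) pushes the minimum length up, which is exactly the trade-off the change interval is meant to cover.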
