Insightful article on password policies
In a post on the Security Catalyst forums (register for full access), I found a link to a post by Prof. Eugene Spafford of Purdue's Center for Education and Research in Information Assurance and Security on the CERIAS Weblog. The title of the post is Security Myths and Passwords, and it contains some very insightful observations.
The point that Prof. Spafford is trying to make is that a policy should address all relevant risks that are associated with a particular method or resource, and not some of them.
The threats that Prof. Spafford identifies against passwords are: Disclosure, Inference, Loss, Guessing and Snooping. A typical password policy does not go much further than stating that passwords should not be disclosed or re-used, have a maximum lifetime and possible some complexity requirements. Such a policy addresses some of the vulnerabilities, but very rarely, in a form that is sufficient enough.
"Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. "Best practice" is intended as a default policy for those who don't have the necessary data or training to do a reasonable risk assessment."
The point that Prof. Spafford is trying to make is that a policy should address all relevant risks that are associated with a particular method or resource, and not some of them.
The threats that Prof. Spafford identifies against passwords are: Disclosure, Inference, Loss, Guessing and Snooping. A typical password policy does not go much further than stating that passwords should not be disclosed or re-used, have a maximum lifetime and possible some complexity requirements. Such a policy addresses some of the vulnerabilities, but very rarely, in a form that is sufficient enough.
"In summary, forcing periodic password changes given today's resources is unlikely to significantly reduce the overall threat -- unless the password is immediately changed after each use. This is precisely the nature of one-time passwords or tokens, and these are clearly the better method to use for authentication, although they do introduce additional cost and, in some cases, increase the chance of certain forms of lost 'password'."