On Fri, 27 Mar 1998, Bill Mahan wrote:
> Date: Fri, 27 Mar 1998 13:07:26 -0500
> From: Bill Mahan <wmahan @
> To: Firewalls @
> Subject: Ammunition, please
> My IT Director went to a security briefing recently and came back with the
> notion that forcing users to change their passwords periodically is a waste
> of time. The guru he heard said that LAN systems should never require a
> change in user passwords, for the following reasons:
> 1. It annoys users.
Oh, now there's a security view we should all bank on. Be sure to point
out that *no* passwords would make users even happier, and see how well
the rationale holds up.
> 2. If a user's password is compromised without their or my knowledge but
> the user is still months away from the next forced password change,
> changing it regularly is worthless anyway.
Whereas if it is *never* changed and it is compromised without their
knowledge, the vulnerability is how much less? Oops, seems whoever was
preaching this isn't doing too well in the logic department. Never
changing them means that a user is vulnerable to compromise for as long
as they exist. If your firewall is fine, and two years down the road a
new exploit compromises it, wham, still vulnerable to the password having
been compromised two years ago. For what it's worth, the user should not
be *months* away from a scheduled password change, that's not a good
password interval. Some time between 30 and 60 days tends to be about
the limit that you can expect most of them to be able to deal with.
> 3. Forcing regular password changes means that users may now have at least
> two passwords, one for the LAN and one for other systems, including some on
> Internet sites. Users will then be tempted to change passwords on outside
> systems to match their current LAN password, in effect announcing their
> password and possibly their user ID as well to the world at large.
> (Remember, these are his statements, not mine!)
This is unfortunately true. Policy, *continuous* user education and
regular password change are the tools to battle this. If the user still
goes against all that, and you can't force one-time passwords, remember that
_most_ Web sites *don't* allow password changes. That means that 30 days
(or whatever your change interval is) later, that user's password is no
longer vulnerable to attack. If it *isn't* changed, once again your
systems are vulnerable for up to as long as the user is in the system.
Not having them change passwords won't stop them from using their
passwords outside. Changing passwords will reduce that vulnerability.
> 4. Forcing periodic password changes encourages users to write down their
> passwords and tape them to their PCs, thus defeating the purpose of passwords.
This too can be true. Once again, continuous education and policy are
your ally. However, it's easy to point out that a remote attacker won't
have access to a deskcam to look at those post-it notes, especially one
who got the passwords from a "friend" who broke into a Web server and got
the .htaccess file six months ago in exchange for some zero day wares.
Also, a regular audit for yellow stickies with passwords is fairly
trivial to do.
> Of course, never changing passwords is not our current policy, and if it
> ever becomes our policy, I'm outta here. I've never heard anyone say that
> passwords should NEVER be changed. My question to you is twofold: Is there
> a school of thought out there that actually espouses this? If so, how do I
> respond to it?
Logic would seem to be your ally in this case. Feel free to respond back
directly if you need to reload.
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."