Pay less, get more. We provide high-quality academi papers at a reasonable price.
Twitter This is an updated version of a contribution I made to the Educause security mailing list last week. Some of these get included in policies, and thus may get propagated to environments they were not meant to address.
It is also the case that as technology changes, the underlying and unstated assumptions underlying these bits of conventional wisdom also change.
The result is a stale policy that may no longer be effective…or possibly even dangerous. Policies requiring regular password changes e.
From a high-level perspective, let me observe that one problem with any widespread change policy is that it fails to take into account the various threats and other defenses that may be in place.
Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. Consider the underlying role of passwords: Good authentication is intended to support access control, accountability and in some cases accounting.
Passwords provide a cost-effective and user-familiar form of authentication. However, they have a number of failure modes depending on where they are used and the threats arrayed against them.
Failure modes include disclosure, inference, exposure, loss, guessing, cracking, and snooping. Disclosure is a systemic threat on the platforms involved, as well as in the operational methods used to generate and transmit the passwords.
This cannot be addressed through changing the password. Instead, the methods used to generate and distribute passwords needs to be examined to ensure that the passwords are not disclosed to the wrong parties. Unfortunately, some 3rd-party applications including web-based systems fail to adequately guard the passwords as they are entered, stored, or compared, resulting in potential disclosure.
Another form of disclosure is when the holder of the password discloses the password on purpose. This is an education and enforcement issue. For instance, knowing that someone uses the same password with a different last character for each machine allows passwords to be inferred, especially if coupled with disclosure of one.
Another example is where generated passwords are employed and the generation algorithm is predictable. Exposure is the case where accident or unintended behavior results in a sporadic release of a password.
As an example, think of someone accidentally typing her password as the user name in login, and it is captured in the audit trail. Another example is when someone accidentally types his password during a demonstration and it is exposed on a projection screen to a class.
It is also the case that frequent loss opens up opportunities for eavesdropping and social engineering attacks on the reset system as it becomes more frequently used: Guessing is limited to choices that can be guessed.
After a certain limited number of choices, the guessing can only transform into a cracking attempt. Cracking is when an intermediate form of the password e.
The efficacy of this approach is determined by the strength of the obfuscation used e. Snooping eavesdropping is when someone intercepts a communication employing the password, either in cleartext or in some intermediate form.
The password is then extracted.
Network sniffing and keyloggers are both forms of snooping. Various technical measures, such as network encryption, can help reduce the threat.
Now, looking back over those, periodic password changing really only reduces the threats posed by guessing, and by weak cracking attempts. If any of the other attack methods succeed, the password needs to be changed immediately to be protected—a periodic change is likely to be too late to effectively protect the target system.
Furthermore, the other attacks are not really blunted by periodic password changes. Guessing can be countered by enforcing good password selection, but this then increases the likelihood of loss by users forgetting the passwords.
The only remaining threat is that periodic changes can negate cracking attempts, on average. However, that assumes that the passwords choices are appropriately random, the algorithms used to obfuscate them e.Jan 01, · The guide to password security (and why you should care) Find out how your password security can be compromised, and how to .
Feb 02, · In Internet Explorer, select the Tools button, and then select Internet options. On the Content tab, under AutoComplete, select Settings, and then select Delete AutoComplete history. In the Delete Browsing History dialog box, select Form data and Passwords.
Nov 19, · The Secret Life of Passwords. We despise them – yet we imbue them with our hopes and dreams, our dearest memories, our deepest meanings.
They unlock much more than our accounts. Dec 24, · Gunter Ollman, a researcher for security firm Damballa, concludes that recording your passwords on paper is the lesser of several password evils; more risky is . ashio-midori.com is an excellent online writing resource! Become a member, and experience these benefits: Read other students' work to get ideas about how to .
Whether you are an undergraduate or a graduate student, ashio-midori.com can take your writing from slow and mediocre to fast, strong, and effective. Enter your essay .