Thursday, April 27, 2006

The Myth of the Password Change

Eugene Spafford has a recent blog post arguing that many security "best practices" are really myths that have been passed along for years and no longer have any basis as a true best practice. The example he gives is the mandatory monthly password change, a holdover from the days of non-networked mainframes, which does little to improve password security against today's threats. He recommends one-time passwords or two-factor authentication (tokens) instead:

In summary, forcing periodic password changes given today's resources is unlikely to significantly reduce the overall threat - unless the password is immediately changed after each use. This is precisely the nature of one-time passwords or tokens, and these are clearly the better method to use for authentication, although they do introduce additional cost and, in some cases, increase the chance of certain forms of lost password.

I mentioned previously how dangerous simple password authentication was in the context of securing SSH servers. Spafford's article goes into much more detail than I did on the risks of using passwords (I only addressed one of his seven failure modes - cracking); it's definitely worth reading if you are an admin.
