The Myth of the Password Change
Apr 27th, 2006 by Doug
Eugene Spafford has a recent blog post on how security “best practices” are often just myths that have been passed on over the years, and have no current basis as a true best practice. The example he gives is the required monthly password change, which is a holdover from the non-networked mainframe days of old, and does nothing to truly increase password security in today’s world. He recommends one-time passwords or two-factor authentication (tokens):
In summary, forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat - unless the password is immediately changed after each use. This is precisely the nature of one-time passwords or tokens, and these are clearly the better method to use for authentication, although they do introduce additional cost and, in some cases, increase the chance of certain forms of lost password.
I mentioned previously how dangerous simple password authentication was in the context of securing SSH servers. Spafford’s article goes into much more detail than I did on the risks of using passwords (I only addressed one of his seven failure modes - cracking); it’s definitely worth reading if you are an admin.
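To make Spafford’s point about one-time passwords concrete, here is an added example (not from his article or the original post) of how an event-based one-time password works: HOTP as specified in RFC 4226, with TOTP (RFC 6238) as the clock-driven variant, and a minimal server-side verifier that tracks a per-user counter so that an observed code cannot be replayed. The secret is the RFC 4226 test-vector secret, and `HotpVerifier` is a hypothetical illustration of the check a server would do, not any real product’s implementation.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
# Constructed for this example; a real deployment uses a random per-user secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[19] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of time steps elapsed.
    The same code stays valid for the whole step, so a server must also remember
    the last accepted step to reject replays within that window."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Hypothetical server-side check: keeps the next expected counter per user,
    allows a small look-ahead for missed presses, and burns every counter up to
    the one accepted, so a captured code is useless after its single use."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = 0  # next counter value the server will accept

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # compare_digest avoids leaking the match position through timing
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # resync; this and earlier counters are spent
                return True
        return False


def replay_demo() -> tuple:
    """Returns (first_use_accepted, replay_accepted) for the same code."""
    v = HotpVerifier(TEST_SECRET)
    code = hotp(TEST_SECRET, 2)
    return v.verify(code), v.verify(code)


if __name__ == "__main__":
    for n in range(3):
        print(f"counter {n}: {hotp(TEST_SECRET, n)}")
    print("first use / replay:", replay_demo())
```

The verifier is the part that matters for the argument in the quote: a static password that leaks is good until the next forced change, while the code above is good for exactly one successful login.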
Technorati Tags: Security, Passwords, Best-practices