CSC 379 SUM2008:Week 3, Group 3: Difference between revisions
(→Links) |
|||
Line 53: | Line 53: | ||
==Links== | ==Links== | ||
http://www.owasp.org/index.php/Using_Secret_Questions |
Revision as of 15:11, 25 July 2008
Costs and Benefits Password Regulations
“Best practices” sometimes seem to take on a life of their own, independent of any recent assessment of their costs and benefits. An example is password policies; maximum length, restrictions on characters that can be used, and password-change frequency. Evaluate these popular password regulations. Do they provide adequate benefits for costs incurred? What ethical considerations do poorly evaluated “best practices” raise? Do policy-makers have an ethical responsibility to evaluate “best practices” before adopted? A responsibility to re-evaluate existing practices?
Cite specific evidence in your cost/benefit analysis from quality sources (professional/academic journals preferred).
- http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1013839
- http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1588836
- http://portal.acm.org/citation.cfm?id=322796.322806
- http://portal.acm.org/citation.cfm?id=581370
- http://portal.acm.org/citation.cfm?id=986664
"Best Practices" Research
Policies
Password Length
Character Restriction
Password Change Frequency
Policies for major corporations usually require that employees change their password after a certain period of time. Typically, this time frame may be from 90 days to 6 months. The requirement to change your password at certain time intervals limits the amount of time a hacker has to break your current password. In addition, if a hacker has retrieved your password, they only have a limited amount of time to access it before your password is changed. The later reason can be considered quite useless as it only takes a hacker minutes or, at the most, hours to retrieve the information they are looking for.
A major downside to the policy of requiring changing a password after a certain amount of time is the fact that most users will simply change it to the old address anyway, thus nullifying any benefit that could be gained from changing you password frequently. There are few studies on whether changing your password after a certain amount of time has actually increased security. Also, employees do not want to waste time changing their password frequently and must be reminded. This requires unnecessary resources devoted to a practice that the user probably won't follow anyhow.
There was no easily available evidence that any benefit has been gained from adopting this policy.
Password History Restriction
Some companies have begun to adopt what are called password history restrictions. With this policy, when a user is required to change their password after a certain amount of time; they are constricted from using a certain number of previous passwords. Typically, this may range from just one previous password, all the way to five. The goal of this policy is to prevent the use of the same password over and over that hackers have been trying to brute force hack. If a user is required to change their password over time intervals, there is no incentive for security improvements if the user just keeps putting down the same password.
A major downfall of this policy is that the more previous passwords the user can not use, the more inclined the user is to simply write that password down. Trying to remember what one to five passwords a user used for even just one account is overly tedious to the user and waste company resources for the user to keep track of making and remembering an updated password.
There are no easily available research to prove that there are any real security benefits from adopting this policy. In addition, there is also no research to prove how much users will write down passwords and to what password history restriction limit would drive them to write down passwords.
Password Retrieval
To help verify a user's identity in the case of a lost password, many Web applications use secret questions. By answering a pre-selected question, a user can demonstrate some personal knowledge of the account owner. A classic example is asking to provide a mother's maiden name.
Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:
1. An attacker can sometimes discover the information with little research 2. The answer to the question is usually a fact that will never change 3. Users reuse the same secret questions and answers across multiple Web sites 4. Someone close to the individual could know the answers to many of the questions 5. People rarely change their secret questions 6. The answers are often case-insensitive and usually contain a limited character set 7. Some questions have a limited number of answers 8. With some questions, many people will have the same common answers
Secret questions usually ask for an obscure fact that hopefully only the account owner would know and supposedly would never forget. Many Web sites assume that the user providing the answer to the question is sufficient to identify the user. However, many secret questions ask for facts that anyone could discover with little research. To make things worse, if someone discovers this information, you cannot just change a fact from the past.