Paper: The Security of Password Expiration

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yinqian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link)

This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker’s continued access. We develop a framework by which an attacker can search for a user’s new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.

This is the sort of work that we at the New School love. Take a best practice recommended by just about everyone for what seems like excellent reasons, and take notice of the fact that human beings are going to game your practice. Then get some actual data, and see how effective the practice is.

Unfortunately, we lack data on rates of compromise for organizations with different password change policies. So it’s hard to tell if password policies actually do any good, or which ones do good. However, we can guess that not making your default password “stratfor” is a good idea.

ACM gets a link because they allow you to post copies of your own papers, rather than inhibiting the progress of science by locking it all up.

Steve Bellovin's "Lessons from Suppressing Research"

Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this particular case.”

Steve’s post contains excellent context, putting the issue in the context of nuclear secrets, cryptography and software vulnerability disclosure. I want to follow up a bit on his closing:

The ultimate decision may rest on personal attitudes. To quote Fouchier one more time, “The only people who want to hold back are the biosecurity experts. They show zero tolerance to risk. The public health specialists do not have this zero tolerance. I have not spoken to a single public health specialist who was against publication.”

I think that personal preference is one way to think of this, and perhaps in fact, personal preference drives the choice of profession. But perhaps what’s really happening is that public health specialists are operating with a different set of drivers than “biosecurity experts.” In particular, given the very low incidence of ‘biosecurity incidents,’ perhaps ‘biosecurity experts’ are operating in a world where all threats exist only on paper (or in papers). In contrast, public health professionals have real epidemics and pandemics to deal with. They’re forced to deal with the propaganda of anti-vaccination nuts whose fear of autism is killing people with whooping cough and other diseases. They have to deal with contamination of the food supply. They can reasonably prioritize preventing salmonella or E. coli over theoretical terrorist threats.

However, this narrow focus on preventing all problems (in contrast to risk management, cost-benefit or other pragmatic approaches) is not unique to bio-security experts. The security professional, focused by definition on security, will naturally tend towards zero tolerance for risks.

An example, already reduced to absurdity, is visible in the TSA. Their goal is not balanced security, it’s a relentless and offensive pursuit of security at the expense of dignity, calm, and cupcakes. But we should not be surprised at their pursuit of the cupcake. It’s the natural result of having an agency focused entirely on security.

This, by the way, relates to why CISOs should report into a functional area of the business, be it operations or IT, rather than reporting to the CEO. If the CISO is focused entirely on security, then those concerns need to be balanced against the overall operational picture by someone with accountability for delivering a whole to the business, not treated as some special magic.

Twitter Weekly Updates for 2012-01-01

  • RT @timoreilly Amazon patents inferring religion from choice of wrapping paper << Over the "creepy" line
  • RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!!
  • I wonder what Woz thinks of being able to get a blue box on his apple phone? (cc @kevinmitnick)
  • I'm super-happy to see @rmogull, @Beaker, @nselby & more arguing over quality & speed of breach disclosure. #AVeryNewSchoolChristmas 🙂
  • It's cool that Skype's preferences uses a segment of 1984 as the sample chat when showing that logs are kept.
  • Very interesting history of names at #28c3 /cc @_nomap @privacyint
  • RT @doctorow Adversarial stylometry data-set/research #28C3 < Totally rad!
  • RT @jeremiahg New blog post: "Terrified" << Kudos on speaking up!
  • RT @Beaker Easy, because "outcomes" require analysis, modeling & understanding. Controls can be bought, installed & checked off
  • So has anyone written up an analysis of the GoD dump? (mm.txt)
  • RT @evilcyber I can probably narrow the GOOG stuff down to about a 6 month window in 2003. 🙂 << There's stuff when Aleph1 was at SFocus
  • RT @argvee @evilcyber @adamshostack we got it down to 3.
