September 5, 2007
We regularly find attacks targeting user credentials (NetworkID and passwords). It is believed that the pathway to much of the internet based fraud is through the compromise of userids and passwords on users machines, either via installation of malware/trojans or via brute-force guessing of passwords. An article about the Underground Economy by the security research firm Team Cymru demonstrates that the there is a market value for a stolen user credential because of the potential benefits of access to bank accounts, corporate or university systems, or even administrator privileges to home computers. For an interesting side conversation on password choices, check out this article by Bruce Schneier about his analysis of MySpace passwords that were gathered in an attack in 2006.
The presence of of this threat, combined the condition of our dependency on the userid and password combination, highlight the need to faculty, students, and staff to change network passwords on a frequent basis. The higher frequency of password changes reduces the probability that an unauthorized user can compromise your password via guessing. A general rule of thumb is to estimate the timeframe necessary to brute-force guess passwords (undetected) and set the maximum password age just below that threshold. This does not mitigate the keystroke logging trojan, but that is where one-time passwords can be of benefit. Based on the Case password complexity requirements, it has been determined that a 180-day maximum password age is adequate.
Case currently does not require an enterprise-wide password maximum age, but individual departments are encouraged to apply more stringent requirements depending on the sensitivity of their systems and data. (here is the policy for the IT Services).
For students, we recommend you change your passwords once every semester. If your personal computer was involved in a security event (e.g. theft, or you were a victim of malware or a bot), you must change your Case and local passwords immediately after the clean up has been completed of a high probability the malware includes keystroke loggers.
You can use the Case Password Utility to check the age of your password. Keep it less than 180 days old as a benchmark. If you need to change, follow this link to the password change utility.
What do other organizations recommend? This Microsoft Technet article recommends every 30-90 Days. CERT has a guide for determining best practices, recommending no particular password age.
Here is what can happen when somebody else knows your password:
- they can access any Case LDAP-enabled service, such as your personal email, calendar, MyCase Portal, Software Center, Wiki, Blog, Filer, Forum, etc.
- if you are student employee, they can access your personal information, change your bank deposit, etc.
- they might register a computer in your name.
Remember, everything done with your Case NeworkID and Password is attributed to you. Individuals are held responsible for actions taken with their credentials and are therefore responsible for protecting them from disclosure.
Okay, what about all the other passwords you need to keep handy, such as Facebook, Yahoo, or Monster.com (for you seniors)? Try PasswordSafe. Case has a Wiki for the use of PasswordSafe.
Finally, those who have read all the way to the end of this will want to read Gene Spafford's essay on the topic of passwords and best practices.
Posted by Thomas Siu at 11:32 AM