I usually define “expert” as anyone who knows enough more about a subject than I do that I can at best barely understand what they’re telling me.
Regrettably, this means, through the miracle of recursion, that when I claim to be an expert that pretty much means I at best barely understand what I’m talking about.
And so it came to pass that regular correspondent Will Pearce, in response to last week’s KJR, and in particular my advice regarding key rotation (“Bob vs the cloud,” 6/4/2018), kindly commented, “It sounds like your information on password security is a bit old.”
It turns out NIST has revised its security guidelines. Its source document is, shall we say, information-dense (translation: you won’t be able to just skim it). Mr. Pearce suggested a more readable summary to accompany it (“Time to rethink mandatory password changes,” Lorrie Cranor, Federal Trade Commission Chief Technologist).
The very short version: Not only does frequent password expiration provide no additional security, but it’s often counterproductive: Faced with the need to change passwords on a regular basis, many users choose less secure keys, often easily guessed permutations of previous keys.
A bit of additional research revealed that the complementary practice of asking security questions for password recovery (“What is your mother’s maiden name?”) is pretty much pointless given how few secrets any of us have any more and given our natural inclination to choose questions whose answers we’re most likely to remember later on (see “Google Study Shows Security Questions Aren’t All That Secure,” Frederic Lardinois, Tech Crunch, 5/21/2015).
I wasn’t able to find a good source for the question of whether frequent administrative and cryptographic key rotation is still considered good practice.
All of this led me to reconsider my definition of “expert.” Seems to me an expert is someone who, faced with new evidence and logic, reconsiders their beliefs, opinions, and practices. In particular they use the new evidence and logic as a pry bar, to expose to themselves the hidden assumptions on which their current views are based.
Start with the average non-InfoSec specialist’s mental image of who we’re protecting ourselves from. Very likely it’s the standard Hollywood introvert-living-in-his-mother’s basement. But as the estimable Roger Grimes (among others) has pointed out from time to time, these days you’re actually defending yourself against state actors and organized crime syndicates. That puts a very different face on the threat.
As Roger also points out, in a thoroughly depressing article titled, “5 computer security facts that surprise most people,” (CSO, 12/5/2017), 99% of all exploits are “… due to unpatched software or a social engineering event where someone is tricked into installing something they shouldn’t.”
What this means to you: On a personal level you should keep your OS and applications updated. It appears the risk from installing bad patches is lower than the risk of failing to install the important ones.
And, you should take care to avoid falling victim to Trojans and phishing attacks. In particular, inspect any link in an email before clicking on it to make sure it makes sense. This isn’t at all hard. If you receive an email purporting to be from Amazon.com, roll over any links in the message to make sure they point to somethingorother.amazon.com/somethingelseorother. Or, ignore the links altogether and navigate to whatever it was that caught your interest.
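The link check described above, as an added example that is not part of the original column: it takes the target of a link in a message claiming to be from amazon.com and accepts it only when the host really is amazon.com or a subdomain of it, which is what "somethingorother.amazon.com" means in practice. The sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# The domain the message claims to come from (the column's own example).
CLAIMED_DOMAIN = "amazon.com"


def link_points_at(href: str, claimed_domain: str = CLAIMED_DOMAIN) -> bool:
    """Return True only when the link's host is claimed_domain itself or a
    subdomain of it. Looking for the string 'amazon.com' anywhere in the link
    is the common mistake: it also matches hosts and paths that merely contain
    that text, so the check is done on the parsed host, never on the raw URL."""
    parts = urlsplit(href.strip())
    # Anything that is not a plain web link is treated as not pointing there.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; user@ prefix and :port already removed
    if not host:
        return False
    host = host.rstrip(".")  # a trailing dot is the same host
    return host == claimed_domain or host.endswith("." + claimed_domain)


def review_links(hrefs):
    """Label each link in a message as pointing at the claimed domain or not."""
    return [(h, "ok" if link_points_at(h) else "does not point at " + CLAIMED_DOMAIN)
            for h in hrefs]


if __name__ == "__main__":
    # Constructed sample links, as they might be found by rolling over a message.
    sample = [
        "https://www.amazon.com/gp/css/order-history",
        "https://www.amazon.com.example/",
        "http://amazon.com@example.net/",
        "https://example.net/amazon.com/",
    ]
    for href, verdict in review_links(sample):
        print(f"{verdict:35} {href}")
```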
On the corporate side, other than the key rotation/password expiration issue, last week’s advice still holds, in particular the points about patch management and frequent white-hat phishing attacks used to educate employees about the same phishing attacks they need to be alert to at home.
And now, the moment you’ve been waiting for. Last week I mentioned my personal financial management software dilemma, and whether to acquiesce to the trends and use a cloud-based service. In the comments, Walt Etten was kind enough to endorse Moneydance, which, in exchange for a $49.99 license fee, stores data locally.
It’s a stark choice. On the one hand it appears there are several worthwhile free cloud-based alternatives (google “free personal financial management software”). On the other there’s Quicken or Moneydance.
It’s the classic dilemma: I can get what I want for fifty bucks, or I can come close to it for free.
It’s a tough, tough call.
Seems that the peace of mind is worth at least $50. I pay for Quicken about every 3 years just to keep my data local. At 16.xx a year it’s less than one lunch and prevents a lot of sleepless nights. Eventually our non-rational minds will let go and we’ll store everything in the cloud. For now, $50 = sweet dreams.
I have always thought you get what you pay for, so I would go the local versions, although they cost a little bit.
Greetings, Bob
There is still *some* value to password rotation, but frequency is primarily a try-not-to-disrupt-the-humans issue, rather than a technology issue.
In many cases, with access to sufficient resources, passwords can be cracked in far less time than password rotation would occur.
This was what offline password cracking looked like in 2012:
https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
Here’s what it looked like in 2017 with a different project:
https://securityintelligence.com/the-cracken-the-evolution-of-password-cracking/
https://securityintelligence.com/the-cracken-in-action-a-password-cracking-adventure/
When password cracking times are in hours (for 8 character passwords in 2012, and for some 12+ character passwords in 2017), then it is pretty obvious that there is no reasonable password rotation window that will address this threat by itself.
See: http://www.netmux.com/blog/cracking-12-character-above-passwords
I’d love to see some InfoSec and IT professional try to get their organization to change their passwords daily!
But a rotation of 45-90 days is not a bad or useless thing. Yes, it is true that most competent attackers, having gained access to an environment by way of a weak password, will almost certainly create a new account to ensure subsequent/continued access, but they run the risk of showing up on the radar when they do this. Accounts which rotate passwords periodically can close the door to existing attacks, and certainly to potential attacks where the attacker obtains an account database from some other system and tries to use it against different networks.
For instance, let’s say that a user of Service-A and Service-B is poorly using the same password on both services. Service-A gets hacked after a few months, but Service-B enforces a 90-day password rotation. Chances are, by the time the attacker tries to use the account on Service-B, the user has been forced to change the password.
As for password “hints”, I highly recommend that people use online or offline password managers, and keep a record of the answers they provide there. The answers provided don’t have to be real-to-life — they simply have to be consistent to the service in question.
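The Service-A / Service-B argument in the comment above, and its earlier point that cracking times measured in hours cannot be answered by any rotation window, worked out as an added example that is not part of the original comment. It assumes the reused password at Service-B was last changed at a uniformly random moment within the rotation period before Service-A's breach, and that the attacker first tries it a fixed number of days after the breach; the closed form is checked against a small simulation.

```python
import random
from typing import Optional


def reuse_window_probability(lag_days: float, rotation_days: Optional[float]) -> float:
    """Probability the reused password is still valid at Service-B when the
    attacker tries it lag_days after Service-A's breach.

    The password's age at Service-B at the moment of the breach is assumed
    uniform on [0, rotation_days). It is still valid lag_days later only if
    age + lag < rotation, which gives P = max(0, 1 - lag / rotation).
    rotation_days=None means Service-B never forces a change."""
    if rotation_days is None:
        return 1.0
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    return max(0.0, 1.0 - lag_days / rotation_days)


def simulate(lag_days: float, rotation_days: float, trials: int = 100_000,
             seed: int = 1) -> float:
    """Monte Carlo check of the closed form under the same assumption."""
    rng = random.Random(seed)
    still_valid = 0
    for _ in range(trials):
        age_at_breach = rng.uniform(0.0, rotation_days)
        if age_at_breach + lag_days < rotation_days:
            still_valid += 1
    return still_valid / trials


if __name__ == "__main__":
    # Attacker's delay before using the leaked credentials, in days. 0.25 days
    # stands for a password cracked in about six hours; 30 and 120 days stand
    # for a leak that is only exploited months later.
    for lag in (0.25, 30.0, 120.0):
        for rotation in (45.0, 90.0, None):
            p = reuse_window_probability(lag, rotation)
            print(f"lag {lag:6.2f} d  rotation {str(rotation):>5}  still valid: {p:.2f}")
```

Rotation measured in days does nothing against a password cracked in hours, but it does retire a fair share of credentials that leak from one service and are tried against another months later, which is the distinction the comment draws.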
>*One* the one hand
Fixed – thanks.
Not sure about the definition of ‘expert’ but my definition of a smart person is someone who wants to be right at the end of the day. In other words, someone willing to change his or her mind given new information. Most folks don’t do that, and few rarely go thru _all_ their old information and reorganize it based on new facts or analysis.
As far as passwords are concerned, I’ve been fighting the expiration idea for years. Keeping a history of 24 expired passwords means I need to think of 25 passwords for each account, not one password. That’s simple analysis. No one wants to hear it after they’ve just spewed how this latest and greatest idea of theirs “improves security.”
For personal safety, on those security questions–lie. Answer every question with the word “blue” unless the question is What is your favorite colour in which case you answer “Seattle.” Your answer doesn’t have to be accurate, it just has to match (kind of like a password).
Bob, this one isn’t a dilemma, it’s a no-brainer: Spend the $50.00 and get precisely what you want. Don’t allow “free” to cloud the decision-making process. Free rarely is, and there’s simply no equivalent alternative to precisely what one wants (I wish this logic would fly in the IS/IT world, but sadly, no, it does not.) In this situation, you alone will endure whatever frustrations, stresses, etc, result from choosing what is less than ideal for you. So spend the $50.00 and be happy, even thrilled, that it cost relatively little to get something that is exactly what you were looking for. The latter is worth way more than any fifty bucks.
I’m pretty skeptical of the “free” money managers. They’re making their money somewhere, or they couldn’t afford to offer it. The question is where and how, and do you want to “pay” in those terms?
In preparation for retirement, I’m changing my passwords to: crappie, sunfish and Tonka Bay. Considering that I moved to L.A. fifty years ago, there’s probably nobody left who’ll figure them out.
> I usually define “expert” as anyone who knows enough more about a subject than I do that I can at best barely understand what they’re telling me.
There is the possibility that they are “not bright” and that is why you can’t understand them.
As for “free and on the cloud” vs. “$50 and local storage”, I’ll pay for local storage. It’s like they say, anything you put on the ‘net is forever. Do you want your financials on the web?