SlideShare ist ein Scribd-Unternehmen logo

Problems with Password Change Lockout Periods in Password Policies

Als DOCX, PDF herunterladen
Michael J Geiser
Michael J Geiser

One common component of Password Policies, Password Lockout Periods, can cause worse security issues then the problem it is looking to solve

Internet
1 von 4
Problems with Password Change Lockout Periods in Password Policies A common feature in many Corporate Password Policies is a “Password Change Lockout Period.” This type of policy requires that after a user changes their password to wait for a lock out period to expire before the user can change their password again. This type of policy originated as method to compensate for a technical limitation for a specific type of user Directory store originally used in the 1970s that is now outdated and should not still exist in Policies. An unfortunate by-product of this carry over is that a Password Change Lockout Period actually reduces the strength of the Password Policies and puts systems at risk to attacks based on Social Engineering exploits. Password Policy Example Here is an example of a corporate Password Policy from a previous employer: Enter new password. Your new password must comply with the password policy:  The password must meet the system complexity requirements: o Not contain all or part of the user's account name o Contain characters from three of the following four categories:  English uppercase characters (A through Z)  English lowercase characters (a through z)  Numerals (0 through 9)  Non-alphabetic characters (such as !, $, #, %)  The password must meet the password length requirements of the system. The minimum password length: 8.  The password must meet the password history requirements of the system. The number of passwords to store: 13.
 The password must meet the password maximum age requirements of the system. Maximum password age: 90.  The password must meet the password age requirements of the system. Minimum password age: 1. The last bullet is the Password Change Lockout Period and is the problem: "The password must meet the password age requirements of the system. Minimum password age: 1" (1 day in this case). I briefly go over the background on why a Password Change Lockout Period was originally needed and why this type of rule adds complexity to the password management process and does not increase the security of the processes but instead actually makes a system less secure. A little Password Policy history (as I remember it): Directories at one time were the most commonly used (and are still extensively used) user store on both *NIX and Windows systems. Originally, Directories only stored the current password and the date the password was last changed. With this data, it was simple to implement a "must change password every x days" password aging policy. Crafty users realized that when they were forced to change their password they could simply change it a second time immediately after the first and go back to their original password, bypassing the password expiration policy. Administrators realized that users (and often times the admins themselves) were doing this, and the Password Policy arms race began. A new multi-value field for “Password History” was added to the Directory schema along with a global “Password History Length” value. Users were not allowed to reuse a password until the user exceeded the number of interim password specified by the value in Password History Length. Users then fired the next volley by changing passwords enough times in a rapid succession to exceed the password reuse policy limit and go back to their original password. Admins fired back by raising the Password History Length to a larger number (such as 50) to make manually cycling through passwords to get back to the user’s favorite password difficult. Crafty users returned fire by scripting password changes. The Admins' solution to this end run around The Password History Length was to limit the number of user initiated passwords changes to (what was usually) one password change per day. This way if the password history limitation was set to 5 and the users could only change their password once a day, the original password couldn't be reused for at least 5 days and that was often enough of a hassle to dissuade users from changing their passwords on 5 successive days. Admins were still allowed to change a user's password without restrictions to allow password resets if the user forgot their new password. LDAP based Directories, such as OpenLDAP, were often the primary data store for authentication systems and still work this way today. (http://www.openldap.org/doc/admin24/overlays.html)
Although harder to implement and not seen in many Directory implementations, Password Aging Policies that prevent users from reusing a password until a specified elapsed time period (such as 90 days) have emerged. This feature makes a password change lockout period irrelevant and solves other inherent issues. Consider these two rules:  The password must meet the password history requirements of the system. The number of passwords to store: 13.  The password must meet the password maximum age requirements of the system. Maximum password age: 90. These two rules ensure that a password is not reused for both at least 90 days and until 13 other passwords have been used in the interim; the 1 day aging requirement is superfluous in this case. If the user is allowed to change their password immediately and repeatedly (for any number of times) a prior password still cannot be reused for 90 days instead of the "work around" of Password Reuse threshold times the Password Change Lockout Period The Securityimplications of Password Change Lockout Periods A frequently voiced concern for Password Change Lockout Periods is there are (allegedly) social engineering attack exposures with allowing users to repeatedly change passwords. I do not find this to be a supportable reason for a Password Change Lockout Period. It must be assumed that the mechanism to change passwords is secure. Changing a password more than once a day (or any time period) cannot be any more or less insecure than changing a password an unlimited number of times per time period or the entire process is NOT secure. It is a problem if the user can cycle back to a previous password, but the elapsed time reuse restriction will eliminate this concern. I have also heard the argument that "there is no reason that users should need to change a password more often"; this is a flawed assumption. Consider this scenario: A user changes their password and suspects the new password was "shoulder-surfed" and wants to change their password again to maintain their login integrity or maybe the user realize the person they just hung up with really wasn't from IT and they probably shouldn’t have given the caller their login credentials. That is a serious issue but a rule requiring 24 hour limits between user initiated password changes unnecessarily lengthens the time until the password can be reset. Supporters for a Password Change Lockout Period state that a user password can be changed more than once a day; the limit is one user initiated password change in a 24 hour period and an administrator can make an unlimited number of subsequent password changes. This process leaves an account potentially exposed until an administrator can be contacted and resets the password. This process also adds expense and delay (which weakens the overall security of the system) without adding any benefit. Furthermore, administrators are frequently allowed to set insecure passwords for users and often use the same password for all clients when they reset passwords. It is even worse when there is an actual IT policy that all resets use the same weak and documented dictionary password like "Password1". This was the case for my previous employer that used the policy I used as an example. If it is widely known that the company uses "Password1", "Welcome1" or any other
standard or documented password and the users will not be able to change their password for 24 hours, this could be a serious security issue. A legitimate requirement is that user initiated password changes must be self-service and not require admin assistance whenever possible provided security is not legitimately compromised. Realistically, requiring a user to reach out to an admin to reset a password is expensive; it takes time away from the user's productivity, it requires a human on staff to process the password change and the fully loaded cost of the admin (benefits, floor space, computers, call center infrastructure, etc...). A social engineering attack exploiting a Password Change Lockout Period and Administrators using weak passwords would avoid almost all the "red flags" users are trained to recognize as danger signs of a phishing or social engineering exploit attempt. The attacker could tell the target "don't tell me your password, that is against IT policy and dangerous; call the helpdesk and have them reset your password. Remember; don't ever tell anyone your password!" Of course the attacker will already know what this user's password will be for the next 24 hours and the system is vulnerable. It would also be easy to iterate over a known list of users trying the well know reset password; eventually an account with reset password will be discovered. I can think of only one supporting argument for type of Password Change Lockout Period (but with a slightly different implementation) for preventing a Denial of Service attack. If a user login is compromised by an attacker so they can successfully login, the attacker could script successive password changes with the intent of either crashing the system by degrading the performance of the Authentication System as the Password History tables become unnaturally large or filling the allotted drive space of the database from password changes. Allowing a number of changes (more than 1) in a set time period (e.g. 5 changes in the previous 24 hours) allows for a reasonable number of legitimate user initiated changes without requiring admin intervention and prevents a legitimate DoS vector. In summary, the need for a Password Change Lockout Period should no longer exist and this relic from the 1980s introduces unnecessary limitations that reduces your overall security. We should all consider eliminating Password Change Lockout Period from our systems. https://help.salesforce.com/articleView?id=admin_password.htm&type=0 “Require a minimum 1 day password lifetime” “When you select this option, a password can’t be changed more than once in a 24-hour period.”

Empfohlen

Ch10 system administration
Ch10 system administration Ch10 system administration
Ch10 system administration
Raja Waseem Akhtar
 
Ch10
Ch10Ch10
Ch10
Raja Waseem Akhtar
 
Sever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple PasswordsSever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple Passwords
PortalGuard
 
The Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughThe Windows Password Policy is Not Enough
The Windows Password Policy is Not Enough
nFront Security
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Hitachi ID Systems, Inc.
 
Configurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and ComplianceConfigurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and Compliance
PortalGuard
 
Active directory account lockouts
Active directory account lockoutsActive directory account lockouts
Active directory account lockouts
Richard Diver
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
richarddxd
 

Empfohlen

Ch10 system administration
Ch10 system administration Ch10 system administration
Ch10 system administration
Raja Waseem Akhtar
 
Ch10
Ch10Ch10
Ch10
Raja Waseem Akhtar
 
Sever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple PasswordsSever-based Password Synchronization: Managing Multiple Passwords
Sever-based Password Synchronization: Managing Multiple Passwords
PortalGuard
 
The Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughThe Windows Password Policy is Not Enough
The Windows Password Policy is Not Enough
nFront Security
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Hitachi ID Systems, Inc.
 
Configurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and ComplianceConfigurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and Compliance
PortalGuard
 
Active directory account lockouts
Active directory account lockoutsActive directory account lockouts
Active directory account lockouts
Richard Diver
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
richarddxd
 
IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]
Akram Abbasi
 
Password management
Password managementPassword management
Password management
PortalGuard dba PistolStar, Inc.
 
Performance Requirements: CMG'11 slides with notes (pdf)
Performance Requirements: CMG'11 slides with notes (pdf)Performance Requirements: CMG'11 slides with notes (pdf)
Performance Requirements: CMG'11 slides with notes (pdf)
Alexander Podelko
 
ILANTUS Password Express FAQs
ILANTUS Password Express FAQsILANTUS Password Express FAQs
ILANTUS Password Express FAQs
ILANTUS Technologies
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
Rare Input
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
jemtallon
 
oracle
oracleoracle
oracle
tarunamoria
 
Discussion Post an article review (minimum of 200 words) relat
Discussion Post an article review (minimum of 200 words) relatDiscussion Post an article review (minimum of 200 words) relat
Discussion Post an article review (minimum of 200 words) relat
LyndonPelletier761
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
Gloria Stoilova
 
Graphical Password Authentication using Image Segmentation
Graphical Password Authentication using Image SegmentationGraphical Password Authentication using Image Segmentation
Graphical Password Authentication using Image Segmentation
IRJET Journal
 
Ce hv6 module 61 threats and countermeasures
Ce hv6 module 61 threats and countermeasuresCe hv6 module 61 threats and countermeasures
Ce hv6 module 61 threats and countermeasures
Vi Tính Hoàng Nam
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User Provisioning
Hitachi ID Systems, Inc.
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
aminpathan11
 
IAM Password
IAM PasswordIAM Password
IAM Password
Aidy Tificate
 
The Business Case for Account Lockout Management
The Business Case for Account Lockout ManagementThe Business Case for Account Lockout Management
The Business Case for Account Lockout Management
Netwrix Corporation
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
IJMER
 
Self Service Reset Password Management Survey Report
Self Service Reset Password Management Survey ReportSelf Service Reset Password Management Survey Report
Self Service Reset Password Management Survey Report
Tools 4 Ever
 
Salesforce admin training 2
Salesforce admin training 2Salesforce admin training 2
Salesforce admin training 2
HungPham381
 
Concept Presentation
Concept PresentationConcept Presentation
Concept Presentation
Christine Rosakranse
 
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Matthew Gerrior
 
CI / CD Roles, Processes and Supporting Tools
CI / CD Roles, Processes and Supporting ToolsCI / CD Roles, Processes and Supporting Tools
CI / CD Roles, Processes and Supporting Tools
Michael J Geiser
 
AWS Cost Reduction and Management Plan
AWS Cost Reduction and Management PlanAWS Cost Reduction and Management Plan
AWS Cost Reduction and Management Plan
Michael J Geiser
 

Weitere ähnliche Inhalte

Ähnlich wie Problems with Password Change Lockout Periods in Password Policies

IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]
Akram Abbasi
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
jemtallon
 
Discussion Post an article review (minimum of 200 words) relat
Discussion Post an article review (minimum of 200 words) relatDiscussion Post an article review (minimum of 200 words) relat
Discussion Post an article review (minimum of 200 words) relat
LyndonPelletier761
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User Provisioning
Hitachi ID Systems, Inc.
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
aminpathan11
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
IJMER
 

Ähnlich wie Problems with Password Change Lockout Periods in Password Policies (20)

IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]
 
Password management
Password managementPassword management
Password management
 
Performance Requirements: CMG'11 slides with notes (pdf)
Performance Requirements: CMG'11 slides with notes (pdf)Performance Requirements: CMG'11 slides with notes (pdf)
Performance Requirements: CMG'11 slides with notes (pdf)
 
ILANTUS Password Express FAQs
ILANTUS Password Express FAQsILANTUS Password Express FAQs
ILANTUS Password Express FAQs
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
 
oracle
oracleoracle
oracle
 
Discussion Post an article review (minimum of 200 words) relat
Discussion Post an article review (minimum of 200 words) relatDiscussion Post an article review (minimum of 200 words) relat
Discussion Post an article review (minimum of 200 words) relat
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
 
Graphical Password Authentication using Image Segmentation
Graphical Password Authentication using Image SegmentationGraphical Password Authentication using Image Segmentation
Graphical Password Authentication using Image Segmentation
 
Ce hv6 module 61 threats and countermeasures
Ce hv6 module 61 threats and countermeasuresCe hv6 module 61 threats and countermeasures
Ce hv6 module 61 threats and countermeasures
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User Provisioning
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
 
IAM Password
IAM PasswordIAM Password
IAM Password
 
The Business Case for Account Lockout Management
The Business Case for Account Lockout ManagementThe Business Case for Account Lockout Management
The Business Case for Account Lockout Management
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 
Self Service Reset Password Management Survey Report
Self Service Reset Password Management Survey ReportSelf Service Reset Password Management Survey Report
Self Service Reset Password Management Survey Report
 
Salesforce admin training 2
Salesforce admin training 2Salesforce admin training 2
Salesforce admin training 2
 
Concept Presentation
Concept PresentationConcept Presentation
Concept Presentation
 
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
 

Mehr von Michael J Geiser

Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues
Michael J Geiser
 

Mehr von Michael J Geiser (19)

CI / CD Roles, Processes and Supporting Tools
CI / CD Roles, Processes and Supporting ToolsCI / CD Roles, Processes and Supporting Tools
CI / CD Roles, Processes and Supporting Tools
 
AWS Cost Reduction and Management Plan
AWS Cost Reduction and Management PlanAWS Cost Reduction and Management Plan
AWS Cost Reduction and Management Plan
 
2018 staffing strategy
2018 staffing strategy 2018 staffing strategy
2018 staffing strategy
 
Response on Proposal for Converting to a Gated Community
Response on Proposal for Converting to a Gated CommunityResponse on Proposal for Converting to a Gated Community
Response on Proposal for Converting to a Gated Community
 
Skeptical Inquirer Content Problems
Skeptical Inquirer Content ProblemsSkeptical Inquirer Content Problems
Skeptical Inquirer Content Problems
 
1967 lincoln continental convertible restoration v4
1967 lincoln continental convertible restoration v41967 lincoln continental convertible restoration v4
1967 lincoln continental convertible restoration v4
 
Minimum Viable Product (MVP) – “Like This / Not Like This” Redux (MVP) – “Lik...
Minimum Viable Product (MVP) – “Like This / Not Like This” Redux (MVP) – “Lik...Minimum Viable Product (MVP) – “Like This / Not Like This” Redux (MVP) – “Lik...
Minimum Viable Product (MVP) – “Like This / Not Like This” Redux (MVP) – “Lik...
 
Agile humor for slides
Agile humor for slides Agile humor for slides
Agile humor for slides
 
Agile Progress Tracking and Code Complete Date Estimation
Agile Progress Tracking and Code Complete Date EstimationAgile Progress Tracking and Code Complete Date Estimation
Agile Progress Tracking and Code Complete Date Estimation
 
Agile Release Planning
Agile Release PlanningAgile Release Planning
Agile Release Planning
 
Choosing an IdM User Store technology
Choosing an IdM User Store technologyChoosing an IdM User Store technology
Choosing an IdM User Store technology
 
Maturing Agile SDLC & workflow improvements
Maturing Agile SDLC & workflow improvementsMaturing Agile SDLC & workflow improvements
Maturing Agile SDLC & workflow improvements
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commands
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS Project
 
Jira workflow for documentation issue types agile edition
Jira workflow for documentation issue types agile editionJira workflow for documentation issue types agile edition
Jira workflow for documentation issue types agile edition
 
Apigee dc failover
Apigee dc failoverApigee dc failover
Apigee dc failover
 
Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues
 
Approvals in jira
Approvals in jiraApprovals in jira
Approvals in jira
 
Girl Scout Cookie Sale Posters
Girl Scout Cookie Sale PostersGirl Scout Cookie Sale Posters
Girl Scout Cookie Sale Posters
 

Kürzlich hochgeladen

Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 

Kürzlich hochgeladen (20)

Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 

Problems with Password Change Lockout Periods in Password Policies

  • 1. Problems with Password Change Lockout Periods in Password Policies A common feature in many Corporate Password Policies is a “Password Change Lockout Period.” This type of policy requires that after a user changes their password to wait for a lock out period to expire before the user can change their password again. This type of policy originated as method to compensate for a technical limitation for a specific type of user Directory store originally used in the 1970s that is now outdated and should not still exist in Policies. An unfortunate by-product of this carry over is that a Password Change Lockout Period actually reduces the strength of the Password Policies and puts systems at risk to attacks based on Social Engineering exploits. Password Policy Example Here is an example of a corporate Password Policy from a previous employer: Enter new password. Your new password must comply with the password policy:  The password must meet the system complexity requirements: o Not contain all or part of the user's account name o Contain characters from three of the following four categories:  English uppercase characters (A through Z)  English lowercase characters (a through z)  Numerals (0 through 9)  Non-alphabetic characters (such as !, $, #, %)  The password must meet the password length requirements of the system. The minimum password length: 8.  The password must meet the password history requirements of the system. The number of passwords to store: 13.
  • 2.  The password must meet the password maximum age requirements of the system. Maximum password age: 90.  The password must meet the password age requirements of the system. Minimum password age: 1. The last bullet is the Password Change Lockout Period and is the problem: "The password must meet the password age requirements of the system. Minimum password age: 1" (1 day in this case). I briefly go over the background on why a Password Change Lockout Period was originally needed and why this type of rule adds complexity to the password management process and does not increase the security of the processes but instead actually makes a system less secure. A little Password Policy history (as I remember it): Directories at one time were the most commonly used (and are still extensively used) user store on both *NIX and Windows systems. Originally, Directories only stored the current password and the date the password was last changed. With this data, it was simple to implement a "must change password every x days" password aging policy. Crafty users realized that when they were forced to change their password they could simply change it a second time immediately after the first and go back to their original password, bypassing the password expiration policy. Administrators realized that users (and often times the admins themselves) were doing this, and the Password Policy arms race began. A new multi-value field for “Password History” was added to the Directory schema along with a global “Password History Length” value. Users were not allowed to reuse a password until the user exceeded the number of interim password specified by the value in Password History Length. Users then fired the next volley by changing passwords enough times in a rapid succession to exceed the password reuse policy limit and go back to their original password. Admins fired back by raising the Password History Length to a larger number (such as 50) to make manually cycling through passwords to get back to the user’s favorite password difficult. Crafty users returned fire by scripting password changes. The Admins' solution to this end run around The Password History Length was to limit the number of user initiated passwords changes to (what was usually) one password change per day. This way if the password history limitation was set to 5 and the users could only change their password once a day, the original password couldn't be reused for at least 5 days and that was often enough of a hassle to dissuade users from changing their passwords on 5 successive days. Admins were still allowed to change a user's password without restrictions to allow password resets if the user forgot their new password. LDAP based Directories, such as OpenLDAP, were often the primary data store for authentication systems and still work this way today. (http://www.openldap.org/doc/admin24/overlays.html)
  • 3. Although harder to implement and not seen in many Directory implementations, Password Aging Policies that prevent users from reusing a password until a specified elapsed time period (such as 90 days) have emerged. This feature makes a password change lockout period irrelevant and solves other inherent issues. Consider these two rules:  The password must meet the password history requirements of the system. The number of passwords to store: 13.  The password must meet the password maximum age requirements of the system. Maximum password age: 90. These two rules ensure that a password is not reused for both at least 90 days and until 13 other passwords have been used in the interim; the 1 day aging requirement is superfluous in this case. If the user is allowed to change their password immediately and repeatedly (for any number of times) a prior password still cannot be reused for 90 days instead of the "work around" of Password Reuse threshold times the Password Change Lockout Period The Securityimplications of Password Change Lockout Periods A frequently voiced concern for Password Change Lockout Periods is there are (allegedly) social engineering attack exposures with allowing users to repeatedly change passwords. I do not find this to be a supportable reason for a Password Change Lockout Period. It must be assumed that the mechanism to change passwords is secure. Changing a password more than once a day (or any time period) cannot be any more or less insecure than changing a password an unlimited number of times per time period or the entire process is NOT secure. It is a problem if the user can cycle back to a previous password, but the elapsed time reuse restriction will eliminate this concern. I have also heard the argument that "there is no reason that users should need to change a password more often"; this is a flawed assumption. Consider this scenario: A user changes their password and suspects the new password was "shoulder-surfed" and wants to change their password again to maintain their login integrity or maybe the user realize the person they just hung up with really wasn't from IT and they probably shouldn’t have given the caller their login credentials. That is a serious issue but a rule requiring 24 hour limits between user initiated password changes unnecessarily lengthens the time until the password can be reset. Supporters for a Password Change Lockout Period state that a user password can be changed more than once a day; the limit is one user initiated password change in a 24 hour period and an administrator can make an unlimited number of subsequent password changes. This process leaves an account potentially exposed until an administrator can be contacted and resets the password. This process also adds expense and delay (which weakens the overall security of the system) without adding any benefit. Furthermore, administrators are frequently allowed to set insecure passwords for users and often use the same password for all clients when they reset passwords. It is even worse when there is an actual IT policy that all resets use the same weak and documented dictionary password like "Password1". This was the case for my previous employer that used the policy I used as an example. If it is widely known that the company uses "Password1", "Welcome1" or any other
  • 4. standard or documented password and the users will not be able to change their password for 24 hours, this could be a serious security issue. A legitimate requirement is that user initiated password changes must be self-service and not require admin assistance whenever possible provided security is not legitimately compromised. Realistically, requiring a user to reach out to an admin to reset a password is expensive; it takes time away from the user's productivity, it requires a human on staff to process the password change and the fully loaded cost of the admin (benefits, floor space, computers, call center infrastructure, etc...). A social engineering attack exploiting a Password Change Lockout Period and Administrators using weak passwords would avoid almost all the "red flags" users are trained to recognize as danger signs of a phishing or social engineering exploit attempt. The attacker could tell the target "don't tell me your password, that is against IT policy and dangerous; call the helpdesk and have them reset your password. Remember; don't ever tell anyone your password!" Of course the attacker will already know what this user's password will be for the next 24 hours and the system is vulnerable. It would also be easy to iterate over a known list of users trying the well know reset password; eventually an account with reset password will be discovered. I can think of only one supporting argument for type of Password Change Lockout Period (but with a slightly different implementation) for preventing a Denial of Service attack. If a user login is compromised by an attacker so they can successfully login, the attacker could script successive password changes with the intent of either crashing the system by degrading the performance of the Authentication System as the Password History tables become unnaturally large or filling the allotted drive space of the database from password changes. Allowing a number of changes (more than 1) in a set time period (e.g. 5 changes in the previous 24 hours) allows for a reasonable number of legitimate user initiated changes without requiring admin intervention and prevents a legitimate DoS vector. In summary, the need for a Password Change Lockout Period should no longer exist and this relic from the 1980s introduces unnecessary limitations that reduces your overall security. We should all consider eliminating Password Change Lockout Period from our systems. https://help.salesforce.com/articleView?id=admin_password.htm&type=0 “Require a minimum 1 day password lifetime” “When you select this option, a password can’t be changed more than once in a 24-hour period.”