Tuesday, April 25, 2006
Changing Passwords
Dr. Eugene Spafford has some harsh words for the practice of requiring monthly password changes. After looking at all the ways in which a password might be compromised — disclosure, inference, exposure, loss, guessing, cracking, and snooping — he concludes convincingly that there is no solid case to be made for mandating that users change passwords periodically.
Definitely interesting stuff. But more interesting was Spafford's story about how changing passwords became a "best practice".
Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did a back-of-the-envelope calculation of how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So they (somewhat reasonably) set a password change period of 1 month as a means of defeating systematic cracking attempts. This was then enshrined in policy, which got published and was largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into the set of best practices they expected to see.
So there you go. Take this to your sysadmin the next time your office computer tells you your password is about to expire.
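The back-of-the-envelope reasoning in that story, worked through as an added example (my code, not Spafford's or the post's): it checks whether a change period is shorter than a full keyspace search and then compares the expected time to compromise with and without rotation. The keyspace, guess rates and 30-day period are assumed values, not figures from the post.

```python
"""Added example (not from the post): the back-of-the-envelope calculation
behind a password change period, and what it actually buys against
systematic cracking.  All numbers below are assumed, not taken from Spafford."""

SECONDS_PER_DAY = 86400.0


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_search_days(space, guesses_per_second):
    """Days an attacker needs to try every password at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_DAY


def rotation_interrupts_search(space, guesses_per_second, period_days):
    """The original DoD-style argument: a change period only helps if the
    password expires before a full search of the keyspace can complete."""
    return exhaustive_search_days(space, guesses_per_second) > period_days


def fraction_searched_per_period(space, guesses_per_second, period_days):
    """Share of the keyspace covered within one change period (capped at 1)."""
    covered = guesses_per_second * period_days * SECONDS_PER_DAY
    return min(1.0, covered / space)


def expected_days_to_compromise(space, guesses_per_second, period_days, rotate):
    """Expected time for a sequential searcher to reach a uniformly random password.
    Without rotation the target sits at a uniform position in the search order, so
    on average half the keyspace is tried.  With rotation every period is a fresh
    draw and success per period has probability f, so the number of periods is
    geometric with mean 1/f; the hit lands about halfway through the final period."""
    f = fraction_searched_per_period(space, guesses_per_second, period_days)
    no_rotation = exhaustive_search_days(space, guesses_per_second) / 2
    if not rotate or f >= 1.0:
        return no_rotation  # rotation never interrupts a search that finishes early
    return (1.0 / f - 0.5) * period_days


if __name__ == "__main__":
    space = keyspace(36, 6)  # assumed: 6 lowercase alphanumerics
    for label, rate in (("assumed 1970s mainframe", 100.0), ("assumed modern cracker", 1e9)):
        print(label, "guesses/s:", rate)
        print("  full search:", round(exhaustive_search_days(space, rate), 2), "days")
        print("  30-day rotation interrupts it:", rotation_interrupts_search(space, rate, 30))
        for rotate in (False, True):
            print("  expected compromise (rotate=%s): %.2f days"
                  % (rotate, expected_days_to_compromise(space, rate, 30, rotate)))
```

At the assumed slow rate the rotation does interrupt the search, yet it raises the expected time to compromise by less than 2x; at the assumed modern rate the whole keyspace falls within one period and rotation changes nothing.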
"1, 2, 3, 4, I Declare a Turf War"
After Scott McClellan resigned, word was that Fox News' Tony Snow was ready to step up to the podium. Hotline clues us in on why that hasn't happened yet:
In the meantime, Fox Newser Tony Snow is said by Republicans familiar with the negotiations to have asked for guaranteed access to the president's ear and to an unusually large degree of latitude to reconfigure the WH press operation. That pleases the new chief of staff, who wants to relegitimize the press podium in the Brady briefing room.
But Snow, not content to be a herald, also wants near-complete control over what he says from the podium, be it bromides, platitudes or substance. That would encroach on the broad portfolio of responsibilities that Dan Bartlett claims for himself.
I'm not sure how all this will shake out. Bolten's clearly got the momentum. But Bartlett is an old hand, and while every other West Wing insider has taken a full dose of criticism recently, he seems to have been the exception.
Echoing PZ Myers, I have to admit, though, that I'm pulling for Tony Snow. His arrogance alone guarantees that he will continue to bully the truth at the White House just as he does at Fox News. Of course, lying by a Bush press secretary is nothing new, but Snow's record shows he is a fan of personal attacks as well. All he needs to do is call someone an idiot, and the resulting firestorm will make McClellan's last few gaggles look like a tea party. If he gets the blank check he's asking for from Bolten, I give him 6 months max.
Update: According to the WaPo, it's Snow.
Market Economy
It looks like some Afghan merchants are learning all about supply and demand:
Traders at the bazaar near Bagram's main gate were openly displaying pilfered U.S. military memory drives in their shops Monday, two weeks after the Los Angeles Times reported on the black market in computer equipment, some of which contained American military documents marked "Secret."
U.S. soldiers spent thousands of dollars later that week buying scores of flash memory drives from the bazaar. The soldiers walked through the black market with a box of money, purchasing all the computer equipment they could find.
For several days afterward, no more memory drives were available.
But an 18-year-old Afghan man who works on the base said that by Friday, memory drives were being smuggled off the base again. The devices are smaller than disposable lighters.
Several shopkeepers have said in recent days that they are eager for the military to return to the market so they can sell their new stock for premium prices.
It's easy to joke about freedom to trade in stolen merchandise being on the march, but seriously, you really have to wonder what the hell is going on here. Is the computer infrastructure at Bagram so primitive that staff has to rely on old-school sneaker-net to move documents around? Or is this a case where convenience continues — inexplicably — to trump security, even after the security hole has been widely publicized? And why did it take the military so long to respond to a problem — even in a completely half-assed way — that was, literally, right on their doorstep?
One shopkeeper said he had been selling pilfered American military flash drives for four years, mostly to young Afghan computer users looking for cheap equipment, but also to some foreigners.
"I may have sold thousands of these flashes since I have come and opened this shop," the shopkeeper said. He asked not to be named because he feared retribution.
So let me get this straight: The President tells me that everything changed on 9/11, and that means the government gets to tap my phone, read my email, and review my library records. But when it comes to security at a front-line military installation, well, who can really be bothered with that? Unbelievable.