Security of using sudo rather than su?
Tony Arnold
tony.arnold at manchester.ac.uk
Thu Sep 14 20:57:26 UTC 2006
Adam,
On Thu, 2006-09-14 at 18:39 +0100, Adam Funk wrote:
> I'm under the impression that forcing users to change passwords very
> frequently (and I realize you're not necessarily advocating *frequent*
> changes) is bad for security --- because the increased cognitive load
> leads them to pick lower-quality passwords than they might otherwise
> use and to try to rotate them (e.g. 4lm0nds1 -> 4lm0nds2 -> 4lm0nds3
> and so on until the system will let them use the first one again).
I had this very discussion with some colleagues at work today.
You can of course enforce a fairly strict policy on passwords (most
organisations with sensible security policies should have a password
policy). You can restrict by length of password and enforce a minimum
length. You can enforce the use of non-alphanumeric characters or
enforce a suitable mix of alpha and numeric, and of course you can
enforce how often passwords should be changed and in what time
period a password can be re-used, if at all.
But then there is the human element, as always! The stricter the policy,
the more likely it is that users will forget their passwords thus
potentially creating more calls to the support desks, or will write them
on a Post-It (tm) note and stick it on their monitor. So one has to have
the right balance to manage these issues.
The idea of changing passwords on a regular basis was apparently based
on how long it would take to crack a password using brute force
techniques. Unfortunately, it appears that some of the recommendations
are based on crack times of twenty years ago, when the time needed was
several months. With modern technology, the times are down to under an
hour, so to beat that, we would have to change our passwords every 30
minutes or so!
Having said all that, the owner/user of a single user desktop machine is
free to manage his/her password however they like. I would advocate
using as long a password as you can and mixing alphas and numerics and
other symbols if possible.
Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
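As an added illustration (not code from this thread), the following Python checker applies the kind of policy Tony lists, flags the trailing-counter rotation Adam describes, and gives a rough exhaustive-search time estimate. The length, class, history and guesses-per-second values are constructed assumptions, not figures from the message.

```python
import re
import string

# Constructed policy values for illustration only; a real Ubuntu site sets
# these through /etc/login.defs and its PAM stack, not in a script.
MIN_LENGTH = 12
MIN_CLASSES = 3             # of: lower, upper, digit, symbol
HISTORY_DEPTH = 5           # previous passwords that may not be reused
GUESSES_PER_SECOND = 1e9    # assumed attacker rate for the crack-time estimate

# (membership test, alphabet size) for each character class
CLASS_SIZES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),
)
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def classes_and_alphabet(pw):
    """Return (number of character classes used, size of the combined alphabet)."""
    used = [size for check, size in CLASS_SIZES if any(check(c) for c in pw)]
    return len(used), sum(used)


def brute_force_hours(pw, rate=GUESSES_PER_SECOND):
    """Worst-case hours to exhaust every string of pw's length over its alphabet."""
    _, alphabet = classes_and_alphabet(pw)
    return alphabet ** len(pw) / rate / 3600


def is_counter_rotation(old, new):
    """True when new is old with only a trailing number changed (4lm0nds1 -> 4lm0nds2)."""
    m_old, m_new = _TRAILING_NUMBER.match(old), _TRAILING_NUMBER.match(new)
    return bool(m_old and m_new and m_old.group(1) == m_new.group(1)
                and m_old.group(2) != m_new.group(2))


def check_password(new, history):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    classes, _ = classes_and_alphabet(new)
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, policy needs {MIN_CLASSES}")
    if new in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    elif history and is_counter_rotation(history[-1], new):
        problems.append("only the trailing counter changed from the previous password")
    return problems
```

The estimate is a worst-case exhaustive search over the classes actually used; real attackers use wordlists and rules, so it is an upper bound, not a guarantee.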
More information about the ubuntu-users mailing list