Changing keys
Posted on May 19, 2006, 6:45 pm
Something to do with Sarbox I think. What about changing keypairs? Is
there any real benefit to trashing old keys and generating new ones
every few months? Normally I just use a strong passphrase and change it
on my private key at the same time I change other passwords, but I was
wondering what opinions others have on the subject.
Re: Changing keys
Probably not. Particularly as changing a password or key does not keep
out someone who's previously had access and arranged to keep it with
some sort of backdoor.
Fred Cohen and Spaf have written about the logic (such as it is)
of password aging.
Forced password aging is useful for spotting unused accounts
but I think that's all.
I suggest aiming for strong passwords and letting them remain a long time.
(And a maximum length of 8 chars is not much good these days so use where
possible one of the more modern password hashes.)
One thing I especially dislike is the "password history" of N items
usually combined with a MINIMUM password age. If someone realises
they've just given their password to a phishing site they should be
able to change all their passwords right away.
If you must have a "password history" (and I don't much endorse that)
at least measure it by age and not by length: e.g. you cannot reuse a
password in a year. This means the actual length of the list (of hashes)
that is stored and banned will vary but you can prevent someone reusing
a recent password without needing to impose a minimum age.
Of course there are sometimes actual reasons to change a password (other
than age) e.g. you find that a Harry Potter character has been invented with
the name of your password and before long all the crackers will be trying it.
(Blast those stupid schoolkids with punctuation in their names!)
Elvis Notargiacomo master AT barefaced DOT cheek
Powergen write "Why not stay with us" - let me count the ways!
Re: Changing keys
Strong passphrases can be keystroke sniffed on rootkit-ed boxes, and private
and public keys stolen by various means including setups where people put
them on NFS shares, improperly secured boxes, etc. So there is some use to
doing this in a really secure environment.
In such environments, I've tended to use ssh-agent for the "active" key and
to store a deprecated key or two as needed, for targets that didn't get the
most recent update of the public key.
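The "active key plus a deprecated key or two" arrangement described in the reply above, shown on the `authorized_keys` side as an added example (not the poster's code or an OpenSSH tool): the script parses each line of the file (including lines with an options prefix such as `command="..."`), computes the OpenSSH-style SHA256 fingerprint of each key, appends the new public key as the active one, and keeps only a bounded number of the previously present keys so that stale ones are retired. The key blobs below are constructed `ssh-ed25519` blobs built from dummy 32-byte values, not real keys; the assumption that keys appear in the file in the order they were rotated in (last line = most recently deprecated) is stated in the code.

```python
"""Rotate an authorized_keys file: add the new active key, keep at most
`keep_deprecated` of the older keys, drop the rest (added example).
"""
import base64
import hashlib

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_ed25519_line(public_bytes: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from a CONSTRUCTED 32-byte
    value. Demonstration only; this is not a real key pair."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(public_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return (options, keytype, b64, comment), or None for blank/comment lines.
    The options field, if present, ends at the first whitespace that is not
    inside double quotes, so command="echo hi",no-pty is handled."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    options = ""
    if s.split(None, 1)[0] not in KEY_TYPES:
        in_quote = False
        for i, ch in enumerate(s):
            if ch == '"' and (i == 0 or s[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                options, s = s[:i], s[i:].strip()
                break
    parts = s.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def rotate(authorized_keys: str, new_line: str, keep_deprecated: int = 2) -> str:
    """Return the rotated file contents. Comment and blank lines are kept in
    place; any copy of the new key already present is removed and the new
    line is appended last as the active key."""
    new_fp = fingerprint(parse_line(new_line)[2])
    lines = authorized_keys.splitlines()
    old_idx, dup_idx = [], set()
    for i, line in enumerate(lines):
        parsed = parse_line(line)
        if parsed is None:
            continue
        (dup_idx if fingerprint(parsed[2]) == new_fp else old_idx).append(i) \
            if isinstance(dup_idx, list) else None
        if fingerprint(parsed[2]) == new_fp:
            dup_idx.add(i)
        else:
            old_idx.append(i)
    # ASSUMPTION: keys were appended in rotation order, so the last ones are
    # the most recently deprecated and are the ones worth keeping for hosts
    # that have not yet received the latest public key.
    stale = set(old_idx[:-keep_deprecated] if keep_deprecated > 0 else old_idx)
    kept = [l for i, l in enumerate(lines) if i not in stale and i not in dup_idx]
    return "\n".join(kept + [new_line]) + "\n"


if __name__ == "__main__":
    k1 = make_ed25519_line(bytes([1]) * 32, "user@laptop rotated-in 2005-11")
    k2 = make_ed25519_line(bytes([2]) * 32, "user@laptop rotated-in 2006-02")
    k3 = make_ed25519_line(bytes([3]) * 32, "user@laptop rotated-in 2006-05")
    current = "# managed keys\n" + 'command="echo hi",no-pty ' + k1 + "\n" + k2 + "\n"
    print(rotate(current, k3, keep_deprecated=1))
```

On the host side the matching step is simply `ssh-add` of the new private key into the agent alongside the old one until every target has been updated; the file rewrite above is what makes the old key disappear from the targets once the grace period is over.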