Educause Security Discussion mailing list archives

Re: Password aging


From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Wed, 14 Jan 2004 10:03:54 -0800

Yes - the mole scenario.  Assuming the user never looks at the access
log file they might never notice.  However - how did the mole learn
the passwd in the first place?

If you make the assumption that the only way a mole could have gotten
the password is overtly from the user sharing it, then I don't think
requiring periodic changes adds anything to the security.  Requiring
changes whenever the password -is- given to someone else is another
matter.

Thanks,
       David

-----
At 11:39 AM -0600 on 1/14/04, Craig W. Drake wrote:

David,

The rationale that I see is in the situation where an attacker learns
the password of someone's account but that user never actually knows
that their account has been compromised.  By requiring that a user
change his/her password periodically, an attacker will not have
"permanent" access to that account.

And actually, I do believe that people should change their ATM PINs
periodically.


Craig W. Drake, MCSE
Windows Server Systems Administrator
Networking and Distributed Services
Northeastern Illinois University


