Educause Security Discussion mailing list archives
Re: Frequency of password change
From: Melissa Guenther <mguenther () COX NET>
Date: Tue, 23 Aug 2005 07:47:39 -0700
Here's one viewpoint: Consider the "sensitivity of the resources which you are trying to protect" and suggest "enforcing password changes somewhere between once per fiscal year and once per fiscal quarter". Just use good judgment and don't be lazy. Changing a password is relatively quick and painless compared to the irritating and expensive process of combating identity theft.

I also promote ways to construct passwords in a way that is a systemic approach - having a few strong passwords, then drop one or two characters and add replacement characters - somewhat of a rotating approach.

I am very sensitive to balancing protection with production!

Melissa

----- Original Message -----
From: "Gary Flynn" <flynngn () JMU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, August 23, 2005 6:02 AM
Subject: Re: [SECURITY] Frequency of password change
Gene Spafford wrote:
> I know this has been a topic here before, but I failed to archive the info. Does anyone have references to any good studies that show that changing passwords once a month (or every 8 weeks, etc) is too FREQUENT and leads to more cases of people forgetting passwords, picking trivial passwords, writing them down, etc.

Another topic to explore is the number of security incidents that an organization has experienced that would have been prevented by more frequent password changes. If that number is low, it would seem logical to expend limited resources (and end user patience) on other areas of vulnerability.

Not that changing passwords is a bad thing. But it can be taken to extreme when the proper way to solve the problem that frequent changes are trying to address is multi-factor authentication or OTP.

--
Gary Flynn
Security Engineer
James Madison University