Educause Security Discussion mailing list archives
Re: Active Directory Password Strength
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 15 Nov 2005 09:14:39 -0600
From: Bradley Ellis [mailto:Bradley.Ellis () ITS MONASH EDU AU]
Also, you've got the cost of managing (e.g. service desk calls) complex passwords ... Which makes me wonder if people have comparative studies from an overall cost of complex passwords vs two factor or other authentication measures - but that is a different argument altogether.
I don't think it is another argument; you have to take all factors into account in setting a security policy. A related one is that every time you change your password you increase the risk of disclosure, for several reasons, including that if you picked a strong password you probably had to write it down for at least the first few weeks until you learned it by rote; also you'll be typing more slowly and will be easier to shoulder surf. Personally I think that if you have a strong password which has not been cracked in a year of use you might as well keep it indefinitely. You *know* it isn't crackable; you don't know that for sure about your new one.

The *only* advantage that changing your password offers is in the case when someone did intercept your password but decided not to use it for a long time, perhaps to cover where they got it from. In most other situations, the outcome is the same regardless of whether they got your old password or your new password.

The real conclusion of course is that passwords have had their day and it's time to find something else. They're just so damn *useful* is all. (I have myself tried in the distant past other methods such as a pad of one-time-use passwords - the low-tech version that doesn't rely on having a piece of hardware - and it was just too much of a pain for day-to-day use.)

Anyway, bottom line: I think that changing your password is itself a source of vulnerability and I disagree with the received wisdom that it is necessary. (I used to have good arguments with our internal auditor over this :-) ) Just pick a good password, and once you've memorized it, stick with it unless you see signs that your account has been compromised. (Now, being sure that you will detect a compromise, that is a different argument altogether... Oh wait, what did I say earlier ;-) )

G
Current thread:
- Active Directory Password Strength Cary, Kim (Nov 14)
- <Possible follow-ups>
- Re: Active Directory Password Strength Tim Howard (Nov 14)
- Re: Active Directory Password Strength Stewart, Ian (Nov 14)
- Re: Active Directory Password Strength Lucas, Bryan (Nov 14)
- Re: Active Directory Password Strength Bradley Ellis (Nov 14)
- Re: Active Directory Password Strength Graham Toal (Nov 15)
- Re: Active Directory Password Strength Russell Fulton (Nov 15)
- Re: Active Directory Password Strength Cary, Kim (Nov 16)
- Re: Active Directory Password Strength Graham Toal (Nov 16)
- Re: Active Directory Password Strength Eric Brewer (Nov 16)
- Re: Active Directory Password Strength Riedl, Steve Thomas (Nov 17)
- Re: Active Directory Password Strength Russell Fulton (Nov 25)