Educause Security Discussion mailing list archives
Re: Password Expiration
From: "Geoffrey S. Nathan" <geoffnathan () WAYNE EDU>
Date: Mon, 10 Apr 2006 10:40:45 -0400
Dave Koontz wrote:
Just because something might be difficult doesn't mean you shouldn't do it.
Harold's point wasn't that forcing password resets was difficult, but rather that it made things /less/ secure in the long run because it encourages riskier behavior. Forcing people to remember a new, complex password every six months (or perhaps more than one password if they have separate security systems for 'just' e-mail vs. HR data or grade entry) will inevitably lead to paper aids. Now, that can be OK if we encourage users to be careful with their post-its ('Don't just stick it on the monitor...'), but it's not a slam-dunk that expiring passwords will actually increase the security of the data.

Geoff

--
Geoffrey S. Nathan
Security Policy Coordinator, Computing and Information Technology,
and Associate Professor of English
Linguistics Program
Wayne State University