Educause Security Discussion mailing list archives

Re: Password Expiration


From: "Geoffrey S. Nathan" <geoffnathan () WAYNE EDU>
Date: Mon, 10 Apr 2006 10:40:45 -0400

Dave Koontz wrote:
> Just because something might be difficult doesn't mean you shouldn't
> do it.


Harold's point wasn't that forcing password resets was difficult, but
rather that it made things /less/ secure in the long run because it
encourages riskier behavior.  Forcing people to remember a new, complex
password every six months (or perhaps more than one password if they
have separate security systems for 'just' e-mail vs. HR data or grade
entry) will inevitably lead to paper aids.  Now, that can be OK if we
encourage users to be careful with their post-its ('Don't just stick it
on the monitor...'), but it's not a slam-dunk that expiring passwords
will actually increase the security of the data.

Geoff

--

Geoffrey S. Nathan
Security Policy Coordinator, Computing and Information Technology,
and Associate Professor of English Linguistics Program
Wayne State University
