Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Gary Dobbins <dobbins () ND EDU>
Date: Mon, 13 Apr 2009 09:04:04 -0400
Aging is not a control against every kind of threat, but it does tend to limit the amount of time a lurker can know your password and continue to use it without your knowledge. One thing we often overlook about the value of aging passwords is that it helps limit the duration of the 'silent' incursion. Does it fix every other issue? No. But, e.g., say someone learns your secret password, and you never change it. If they can keep their usage unobtrusive, the incursion can last forever. There are different controls for the local password interception threat (post-it kept under the keyboard). It's unfair to consider each password control against all threats to password secrecy, since no control handles everything. Evaluate a control against the threats it is targeting, and then look for remaining un-controlled threats.
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Monday, April 13, 2009 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

I agree with Roger. Password aging doesn't seem to work for us. If I were to reinstate a mandatory password change every 90 days, 3M's stock price would spike from the increase of Post-It note usage. Hopefully they would remember to hide it under their keyboard.

Jacob Barros
Network Administrator
Grace College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger Safian
Sent: Friday, April 10, 2009 2:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

At 12:02 PM 4/10/2009, Valdis Kletnieks put fingers to keyboard and wrote:

> On Thu, 09 Apr 2009 12:49:12 EDT, Matthew Giannetto said:
> > - Change every 120 days
>
> I'll be a heretic and remind everybody to read Gene Spafford's very cogent comments regarding old threat models, and new threat models, and what attacks we *actually* see, and what password changes actually (don't) do to mitigate...

This is basically, IMHO, a religious debate. There's no right or wrong answer. Password aging has its uses. Password length and complexity have their uses as well. The problem becomes balancing the security needs of your organization against the threats you face.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 467-6437 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"