Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Ryan Fox <rfox () FINDLAY EDU>
Date: Mon, 13 Apr 2009 09:04:31 -0400
Doug Markiewicz wrote:
> This assumes brute force attacks are the only reason to implement password expiration. Another argument for password expiration is the notion that, over time, passwords get revealed unknowingly and periodic changing helps to mitigate the misuse of those passwords. For example, a user might accidentally type their password into the username field, which could have the side effect of logging that password. Granted, changing your password 30 days from that point won't stop misuse immediately, but it's perhaps a reasonable control? Maybe not. It's an argument we tossed around though.
Thanks for noting that. I completely forgot about that line of reasoning in my post. For us, we evaluated that and determined that we _should_ be catching compromised accounts by other means, and the convenience of not expiring passwords outweighed the additional security. But everyone should definitely make that determination for themselves.

Thanks,
Ryan