Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 14 Apr 2009 14:56:06 +1200
On 11/04/2009, at 7:54 AM, Valdis Kletnieks wrote:
> On Fri, 10 Apr 2009 13:51:17 CDT, Roger Safian said:
>> This is basically, IMHO, a religious debate. There's no right or wrong answer. Password aging has its uses. Password length and complexity have their uses as well. The problem becomes balancing the security needs of your organization against the threats you face.
>
> I have *no* problems with an organization saying "We've thought about it, and password aging solves real and actual *current* problem XYZ for us" (for example, if you're using that as a proxy for disabling unused accounts - which *is* a good thing). It's all the sites that are implementing password aging to solve last century's issues without thinking about the *current* issues.
I'm generally not in favour of regular password changes; however, as Roger and Valdis both point out, there are problems that they go some way to mitigating. If you don't have something in place to make sure people's credentials are revoked when they leave, password ageing will help, albeit after a potentially long time.

Another argument for password ageing is that it shortens the useful life of credentials that have been compromised. There was recently a case that went through the courts here where an employee was approving false invoices from her husband's firm -- they got away with it for two years until they got too greedy. A key part of the scheme was that the woman had managed to get a co-worker to reveal her password and used this account to provide the second approval needed to make the payments. Had the co-worker been forced to change their password every 90 days, the losses would have been a few hundred dollars rather than several tens of thousands.

My personal belief is that things like financial approval should be protected by two-factor authentication, and that administrative mechanisms should be in place to disable credentials when folk leave, thus rendering these arguments for password ageing void.

I do think that everyone should change their password at least once a year, simply as a way of reminding people that passwords are important. It also gives a point of contact each year where people can be directed to new policies that have come into force, or ones that have changed since they last changed their password.

Russell