Educause Security Discussion mailing list archives

Re: Please do not change your password


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Wed, 14 Apr 2010 09:39:06 -0400

IMO this advice is misguided. The article asserts that the cost incurred with users changing their passwords does not 
offset any resultant security gains.

Strong passwords deter brute-forcing attacks (as does the practice of locking an account after X number of failed login 
attempts). The problem is that passwords are being harvested - so it doesn't matter how strong they are. The take-home 
for me is that if changing passwords costs too much, then we need to implement two-factor auth to compensate for 
password harvesting.

Dan

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Sherenco
Sent: Wednesday, April 14, 2010 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Please do not change your password

Hello,
I came across an interesting article on password changes. Author Cormac Herley of Microsoft makes a good case, albeit 
just a cost-benefit analysis. I had to go back and think of why these types of policies were created in the first 
place. I came to my own conclusion that they were created before the days of complex password (passphrase) enforcement 
and the ability to automatically lock out accounts after X amount of failed log-in attempts.

Do you think he can convince the auditors?


http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin


-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security
