Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 14 Apr 2010 10:47:15 -0400

On Wed, 14 Apr 2010 09:39:06 EDT, "Jones, Dan" said:

> Strong passwords deter brute-forcing attacks (as does the practice of locking
> an account after X number of failed login attempts).

Yes, but once the password reaches a not-too-large size, account locking is
quite sufficient to make brute-forcing impractical.  Either the brute-forcing
tool will guess the password in the first day or so, or it won't get it at all,
and password changing is *just* as likely to change it *to* a guessable
password as not.

And if there's a keystroke logger involved, it's game over no matter how often
you change your password.

How did this thread live this long and nobody's yet mentioned Gene Spafford's
analysis of how password expiration is a good solution for a threat model
that has essentially evaporated?

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
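To put numbers on the lockout argument made above, here is an added illustration in Python; it is not code from this thread or from any of its posters. It computes an upper bound on online guesses per day under a lockout policy, the expected time to exhaust a keyspace at that rate, the probability of a hit against a fixed versus a periodically rotated random password, and the day on which a ranked wordlist attack reaches a given password. The policy numbers (5 failures, 15-minute lock), the alphabet and length choices, the rotation period and the wordlist are all assumptions constructed for the example.

```python
"""
Online guessing throughput under an account-lockout policy.

Added illustration; not code from the Educause thread or its posters.
Every policy parameter and the wordlist below are assumptions chosen to
make the arithmetic visible, not measurements of any real system.
"""
import math
from typing import List, Optional

SECONDS_PER_DAY = 86_400

# Constructed ranked wordlist (assumption): what an online guesser would
# try first.  Real attacks use far longer lists; the shape is what matters.
WORDLIST: List[str] = [
    "123456", "password", "qwerty", "letmein", "welcome1",
    "Spring2010", "Summer2010", "Password1", "abc123", "monkey",
    "football", "iloveyou", "admin", "changeme", "trustno1",
]


def max_guesses_per_day(lockout_threshold: int, lockout_seconds: int) -> float:
    """Ceiling on online guesses per day against ONE account.

    Model (assumption): after `lockout_threshold` consecutive failures the
    account is locked for `lockout_seconds`, then the counter resets.  An
    attacker who uses every window gets `lockout_threshold` guesses per lock
    cycle.  Login latency is ignored, so this is an upper bound.
    """
    if lockout_threshold <= 0 or lockout_seconds <= 0:
        raise ValueError("lockout threshold and duration must be positive")
    cycles_per_day = SECONDS_PER_DAY / lockout_seconds
    return lockout_threshold * cycles_per_day


def expected_days_to_exhaust(alphabet_size: int, length: int,
                             lockout_threshold: int, lockout_seconds: int) -> float:
    """Expected days for exhaustive online search to hit a uniformly random
    password: half the keyspace divided by the daily guess ceiling."""
    keyspace = alphabet_size ** length
    return (keyspace / 2) / max_guesses_per_day(lockout_threshold, lockout_seconds)


def success_probability(keyspace: int, guesses_per_day: float,
                        total_days: float, rotation_days: Optional[float]) -> float:
    """Probability that an online attacker hits a uniformly random password
    within `total_days`, with the password re-drawn every `rotation_days`
    (None = never rotated).

    Fixed password: the attacker never repeats a guess, so after g guesses
    the hit probability is g/N.  Rotated password: each period is a fresh,
    independent trial against a new random password, so the periods
    multiply.  The model assumes the rotated password is just as random as
    the old one (the thread's point is that in practice it often is not).
    """
    if rotation_days is None:
        guesses = min(guesses_per_day * total_days, keyspace)
        return guesses / keyspace
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    periods = int(total_days // rotation_days)
    remainder = total_days - periods * rotation_days
    p_period = min(guesses_per_day * rotation_days, keyspace) / keyspace
    p_tail = min(guesses_per_day * remainder, keyspace) / keyspace
    p_fail = (1 - p_period) ** periods * (1 - p_tail)
    return 1 - p_fail


def day_of_guess(password: str, wordlist: List[str],
                 guesses_per_day: float) -> Optional[int]:
    """Day (1-based) on which a ranked wordlist attack reaches `password`
    under the daily guess ceiling, or None if it is not in the list at all."""
    try:
        rank = wordlist.index(password) + 1
    except ValueError:
        return None
    return math.ceil(rank / guesses_per_day)


if __name__ == "__main__":
    # Assumed policy: 5 failures lock the account for 15 minutes.
    rate = max_guesses_per_day(5, 900)
    print(f"guesses/day under 5-per-15-min lockout: {rate:.0f}")
    for length in (4, 6, 8):
        days = expected_days_to_exhaust(26, length, 5, 900)
        print(f"lowercase, {length} chars: ~{days:,.0f} days to exhaust")
    n = 26 ** 8
    print("1-year hit probability, fixed:   ",
          success_probability(n, rate, 365, None))
    print("1-year hit probability, rotated: ",
          success_probability(n, rate, 365, 90))
    print("letmein falls on day", day_of_guess("letmein", WORDLIST, rate))
    print("random 8-char falls on day", day_of_guess("x7#Kq9Lm", WORDLIST, rate))
```

Under the assumed policy the attacker gets 480 guesses a day, so even a four-character lowercase password takes over a year to exhaust, and rotating a random password every 90 days leaves the one-year hit probability essentially unchanged. Note what the model does not cover: a per-account lockout says nothing about password spraying, where the attacker tries a few guesses against every account and stays under the threshold on each, nor about offline cracking of a stolen hash, where no lockout applies at all.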
