Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 14 Apr 2010 10:47:15 -0400
On Wed, 14 Apr 2010 09:39:06 EDT, "Jones, Dan" said:
> Strong passwords deter brute-forcing attacks (as does the practice of locking an account after X number of failed login attempts).

Yes, but once the password reaches a not-too-large size, account locking is quite sufficient to make brute-forcing impractical. Either the brute-forcing tool will guess the password in the first day or so, or it won't get it at all, and password changing is *just* as likely to change it *to* a guessable password as not.

And if there's a keystroke logger involved, it's game over no matter how often you change your password.

How did this thread live this long and nobody's yet mentioned Gene Spafford's analysis of how password expiration is a good solution for a threat model that has essentially evaporated?

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/