Educause Security Discussion mailing list archives

Re: For IP; Re: good read: Please do not change your password


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Wed, 21 Apr 2010 21:47:05 -0400

This is a little delayed -- sorry.

On Apr 16, 2010, at 4:11 PM, Stephen John Smoogen wrote:

On Fri, Apr 16, 2010 at 9:55 AM, Gene Spafford <spaf () cerias purdue edu> wrote:
I posted this back in 2006.   It is germane to this discussion:
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

I will say that when I first read this in 2006 I was against it. Well,
I was bombarded with 20 forwards of it when it came out, as we were
doing our 90-day change of passwords; by the next one I think it went
to 200....

Ouch!  Sorry about that.  I had no idea so many people have actually read some of my blog posts!


1) It's not the message that Dr Spafford wrote, but how the letters
forwarded them. Usually with a snide comment about how it is clear
IT/IS were idiots and Gene Spafford agreed with them. Of course, I
think that sets a bad precedent and makes the IT person getting it
much less likely to agree with Dr Spafford's advice.

Yes, and it is contrary to how I would express it!   The people with the change policies are trying to do the right 
thing, and that does not make them idiots.  But many security people set policies that annoy users without (a) 
understanding the basics of the policies, and (b) explaining it to the users in a way that encourages them to be part of 
the solution.

.... Me, I recommend that

if you are a security person stuck in a passive aggressive place... go
find a better job elsewhere.

This parallels one of my older aphorisms -- which, restated, is that if you have security responsibility but no 
matching authority, then your role is to take the blame and it is best to move on before that happens.
