Educause Security Discussion mailing list archives
Re: For IP; Re: good read: Please do not change your password
From: Vik Solem <vik.solem () TUFTS EDU>
Date: Fri, 23 Apr 2010 08:53:48 -0400
Apologies for a delayed reply. Sometimes I think slowly. On Apr 16, 2010, at 11:55, Gene Spafford wrote:
I posted this back in 2006. It is germane to this discussion: http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
I have to disagree. Whether it is obtained via Disclosure, Inference, Exposure, Guessing, Cracking, or Snooping, a stolen password has value. That value increases with the length of time that the stolen password is usable.

Allowing a password to remain unchanged for years increases the value of the password, therefore increasing the incentive for an attacker to obtain password hashes surreptitiously for off-line processing with tools such as L0phtCrack and John the Ripper. Periodically requiring a password to be changed decreases the value of the password, and therefore decreases the incentive for an attacker to obtain it or its hash.

As part of defense in depth I think that passwords should be changed periodically.

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326
Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/
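An added illustration of the two halves of the argument in the message above: an off-line dictionary attack against a stolen table of unsalted hashes (the "off-line processing" step), and how a forced rotation period bounds the time a cracked password remains usable. This is example code written for this page, not code from Vik Solem, Tufts, or any tool named in the thread; the users, passwords, wordlist, and durations are constructed, and the window formula is a deliberately simple assumption (hash stolen at a known point in the rotation period, crack time fixed).

```python
import hashlib
import math

# Constructed sample data (hypothetical users and passwords, not from any real
# system): an exfiltrated table of unsalted SHA-1 password hashes, the kind of
# fast hash that makes off-line dictionary attacks cheap.
STOLEN_HASHES = {
    "alice": hashlib.sha1(b"Summer2010").hexdigest(),
    "bob":   hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"x7#Qp!9vLz").hexdigest(),  # not in the wordlist
}

# Constructed toy wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "Summer2010", "tufts"]


def crack_offline(hashes, wordlist):
    """Off-line dictionary attack against unsalted hashes.

    Because the hashes are unsalted, each candidate word is hashed once and
    compared against every user at no extra cost; the attacker needs no
    further interaction with the victim system after the initial theft.
    Returns {user: recovered_password} for every hash found in the wordlist.
    """
    lookup = {hashlib.sha1(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def usable_window_days(rotation_days, crack_days, stolen_on_day=0):
    """Days during which a cracked password still opens the account.

    rotation_days: how often policy forces a change (None = never).
    crack_days:    time the attacker needs to recover the plaintext.
    stolen_on_day: how far into the current rotation period the hash was
                   taken (0 = the day the password was set).
    Without rotation the window is unbounded; with rotation it is whatever
    remains of the period after the crack finishes, never less than zero.
    (Simplifying assumption: no detection, no lockout, no other controls.)
    """
    if rotation_days is None:
        return math.inf
    return max(0, rotation_days - stolen_on_day - crack_days)


if __name__ == "__main__":
    cracked = crack_offline(STOLEN_HASHES, WORDLIST)
    print("cracked:", cracked)  # alice and bob fall, carol does not
    for policy in (None, 365, 90):
        window = usable_window_days(policy, crack_days=5)
        print(f"rotation={policy}: cracked password usable for {window} days")
```

Running it shows the point of the exchange in numbers: with no rotation the recovered passwords are good indefinitely, with a 90-day policy a crack that takes five days buys at most 85 days of access, and a crack that takes longer than the period buys nothing. The attack side also shows why unsalted, fast hashes are the worst case for the defender: one hash computation per candidate word covers every account in the stolen table.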
Current thread:
- For IP; Re: good read: Please do not change your password Gene Spafford (Apr 16)
- <Possible follow-ups>
- Re: For IP; Re: good read: Please do not change your password Stephen John Smoogen (Apr 16)
- Re: For IP; Re: good read: Please do not change your password Russell Fulton (Apr 17)
- Re: For IP; Re: good read: Please do not change your password Don Cochran (Apr 17)
- Re: For IP; Re: good read: Please do not change your password Gene Spafford (Apr 21)
- Re: For IP; Re: good read: Please do not change your password Vik Solem (Apr 23)