Educause Security Discussion mailing list archives

Re: For IP; Re: good read: Please do not change your password


From: Vik Solem <vik.solem () TUFTS EDU>
Date: Fri, 23 Apr 2010 08:53:48 -0400

Apologies for a delayed reply.  Sometimes I think slowly.

On Apr 16, 2010, at 11:55, Gene Spafford wrote:
I posted this back in 2006.   It is germane to this discussion:
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/


I have to disagree.  Whether it is obtained via Disclosure, Inference,
Exposure, Guessing, Cracking, or Snooping, a stolen password has
value.  That value increases with the length of time that the stolen
password is usable.  Allowing a password to remain unchanged for years
increases the value of the password, therefore increasing the incentive
for an attacker to obtain password hashes surreptitiously for off-line
processing with tools such as L0phtCrack and John the Ripper.
Periodically requiring a password to be changed decreases the value of
the password, and therefore decreases the incentive for an attacker to
obtain it or its hash.  As part of defense in depth I think that
passwords should be changed periodically.

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326

Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/
