Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Wed, 23 Apr 2014 21:03:45 -0500
Good morning! Brady asked: #Except in the case of an incident were passwords may have be leaked or #otherwise compromised, in which case it seems it would be a required #change and just not recommended, I'm curious to the thoughts of those #here on why you would enforce periodic password changes on users. I outlined a few reasons in an NWACC talk on passwords that you can find at https://urldefense.proofpoint.com/v1/url?u=http://pages.uoregon.edu/joe/passwords/passwords.pdf&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=bXp2kHmqqvQ6sWF4ur04lEXjzuwJrQENi85YnNSGYsA%3D%0A&m=eQubWzDOsejB4uhbGazdQUzcuC6l5OjfJ7TGvTa%2BNiw%3D%0A&s=912dbbc39d1a4bd96e678a42c181ecf550e5cab95ae98178136c7b5e596ff31a (section 4 talks about the password change issue) That said, the fundamental problem is that at this stage of the game, plain old passwords just aren't good enough anymore -- yet we still don't see ubiquitous deployment of multifactor on most campuses. Why? I attempted to discuss some of the reasons that people may have *historically* had, and why they may no longer be applicable, in a talk I did last week in Denver at the Internet2 Global Summit; see https://urldefense.proofpoint.com/v1/url?u=http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=bXp2kHmqqvQ6sWF4ur04lEXjzuwJrQENi85YnNSGYsA%3D%0A&m=eQubWzDOsejB4uhbGazdQUzcuC6l5OjfJ7TGvTa%2BNiw%3D%0A&s=946b765ebc682f9a5f855ce0bbeab1e2515829413bb208090b0810ce4b470027 If you all are not doing multifactor, did I catch the reason(s) why in thos slides? If I missed a fundamental reason, I'd love to hear about/understand it better. Do we all just secretly love passwords for some sort of weird cultural reasons? :-; Regards, Joe
Current thread:
- Re: Password change *recommended* -- RESULTS?, (continued)
- Re: Password change *recommended* -- RESULTS? Williams, Charles (Apr 17)
- Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 17)
- Re: Password change *recommended* -- RESULTS? Brad Judy (Apr 18)
- Re: Password change *recommended* -- RESULTS? David Walker (Apr 23)
- Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 23)
- Re: Password change *recommended* -- RESULTS? Joseph Tam (Apr 17)
- Password change *recommended* -- RESULTS? Pedersen, Krystal (Apr 23)
- Password change *recommended* -- RESULTS? Pedersen, Krystal (Apr 23)
- Password change *recommended* -- RESULTS? Pedersen, Krystal (Apr 23)
- Re: Password change *recommended* -- RESULTS? Chris Green (Apr 24)
- Re: Password change *recommended* -- RESULTS? Joe St Sauver (Apr 23)