Educause Security Discussion mailing list archives
Re: About password expiration and change policies...
From: Von Welch <von () VONWELCH COM>
Date: Wed, 2 Apr 2014 22:59:16 -0400
Spaf,

I agree with the conclusions of your analysis, but unfortunately I think this whole debate is unlikely to progress due to a lack of hard data; we’re all just butting opinions and anecdotes (and that's before we consider the usability trade-offs). And data seems really difficult to get - any longitudinal study I’ve thought of has so many variables in play I’m not sure how useful the results would be. Cormac’s done the best I’ve seen, but I still don’t think it’s conclusive enough.

(BTW, IU recently changed from a no-change to a regular-change password policy if someone has a good idea on how to measure that impact.)

Von

On Apr 2, 2014, at 10:08 PM, Gene Spafford <spaf () CERIAS PURDUE EDU> wrote:
Here's something I wrote almost exactly 8 years ago about password expiration policies. A few of you may remember it. I used to include this in my lectures at CSI and SANS courses in the 90s. https://www.cerias.purdue.edu/site/blog/post/password-change-myths/