Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 3 Apr 2014 15:14:51 +0000
I think you are making the same argument Shane made, which is that over a long enough time, you start reducing your risk, as only the most recent sites (since the last forced password change) the user has created accounts at have the same password as your local site.
Sure. I think what I was trying to add, unsuccessfully, is that the "data" could suggest that what we're saying is true. There have been many pastebins at this point that have had accounts from our institution. So far, I am aware of none that compromised credentials. While I have no indication that these accounts ever used our password, I suggest that it seems likely that at least some of them were at one time. Now of course the contrary argument could be an institution that never has password changes AND also hasn't had any compromised accounts, which takes us right back to where we started. In an effort to find closure, I'd suggest we're all basically on the same page. Passwords are broken. They have been for a long time. We need something better. Some of us are trying various things to shore up the current system.