Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 3 Apr 2014 15:14:51 +0000

I think you are making the same argument Shane made, which is that over a long enough time you start reducing your risk, as only the most recent sites (since the last forced password change) at which the user has created accounts have the same password as your local site.

Sure.  I think what I was trying to add, unsuccessfully, is that the "data" could suggest that what we're saying is true.  There have been many pastebins at this point that have had accounts from our institution.  So far, I am aware of none that compromised credentials.  While I have no indication that these accounts ever used our password, I suggest that it seems likely that at least some of them were at one time.  Now of course the contrary argument could be an institution that never has password changes AND also hasn't had any compromised accounts, which takes us right back to where we started.

In an effort to find closure, I'd suggest we're all basically on the same page.  Passwords are broken.  They have been for a long time.  We need something better.  Some of us are trying various things to shore up the current system.
