nanog mailing list archives

Re: Dear Linkedin,


From: valdis.kletnieks () vt edu
Date: Fri, 08 Jun 2012 21:30:00 -0400

On Fri, 08 Jun 2012 15:33:29 -0700, Hal Murray said:

> Yes; of course if most of those accounts are moribund and unused then you
> don't need to change them so often, but the passwords you use frequently
> should be changed at regular intervals.
>
> It's pretty commonsensical once the threat is understood.
>
> Does anybody have a good URL explaining that idea?  It's been kicking around
> for many years.  I've never seen a convincing writeup.

Gene Spafford did a nice analysis of the *contrary* a while ago, that changing
and expiring passwords is essentially useless against the current threat model
(he was writing about mandatory changes, but all the arguments hold up just
fine for "should be changed" as well):

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/
