Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Wayne Wilson <wwilson () UMICH EDU>
Date: Mon, 30 Aug 2004 14:01:05 -0400
Scott Bradner wrote:
| so changing forcing a passwd change reduces the window of vulnerability
| so if an attack lags the interception of the password by a long time
| changing the password helps - but if the attack comes soon after
| the compromise changing the passwd does nothing useful

Standard practice for frequent password changing usually is implemented on a fixed time schedule, i.e. something like once every 6 months. What Scott demonstrated was that it is not a fixed time interval that causes passwords to go bad. It is explicitly related to compromises and their appearance and effectiveness in the wild.

This means that a policy designed to protect passwords by changing them might have a variable time requirement, perhaps triggered by 'threat alert levels'. But maybe that's not needed at all.

In order to know if variable time is the correct response or to know whether taking a simpler approach of once every week, once every month, once every quarter, once every year, etc; we need to know some numbers to plug in to the risk evaluation. I don't have those numbers, I am hoping that someone does.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
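The trade-off discussed in this message can be put into a small model. The following is an added example, not part of the original post: it assumes a password is stolen at a uniformly random point in a fixed rotation cycle, and the attacker lag values are constructed placeholders, not measured data.

```python
import random

# Constructed lag samples: days between password theft and first misuse.
# These are illustrative assumptions, not measurements from any site.
FAST_ATTACKER = [0.1, 0.5, 1, 2]
SLOW_ATTACKER = [30, 60, 120, 200]


def prevented_fraction(interval_days, lag_days):
    """Share of stolen passwords that are rotated before first misuse.

    With theft uniform within the cycle, the time left until the next
    forced change is uniform on (0, interval). Rotation wins only when
    the attacker's lag exceeds that remaining time.
    """
    return min(lag_days / interval_days, 1.0)


def expected_prevented(interval_days, lags):
    """Average the closed form over a set of equally likely lags."""
    return sum(prevented_fraction(interval_days, lag) for lag in lags) / len(lags)


def simulate(interval_days, lags, trials=100_000, seed=1):
    """Monte Carlo check of the closed form under the same assumptions."""
    rng = random.Random(seed)
    prevented = 0
    for _ in range(trials):
        remaining = rng.uniform(0, interval_days)  # days until next change
        if rng.choice(lags) > remaining:           # change lands before misuse
            prevented += 1
    return prevented / trials


def table(intervals=(7, 30, 90, 180, 365)):
    """Rows of (interval, share prevented vs fast lags, vs slow lags)."""
    return [
        (t,
         round(expected_prevented(t, FAST_ATTACKER), 3),
         round(expected_prevented(t, SLOW_ATTACKER), 3))
        for t in intervals
    ]


if __name__ == "__main__":
    print("interval  fast-lag  slow-lag")
    for t, fast, slow in table():
        print(f"{t:>8}  {fast:>8}  {slow:>8}")
```

Replacing the constructed lag lists with observed theft-to-misuse times is what turns this into the risk evaluation the message asks for.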