Educause Security Discussion mailing list archives

Re: Password policy


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 1 Nov 2006 21:30:52 -0500

Geoff Nathan wrote:

But seriously, who's going to try to break into Professor Snerdwell's
e-mail account with a dictionary attack?  And unless we're worried
about month-long sustained attacks, frequent password changes are just
annoying without buying additional security.  Making people change
their passwords every ninety days doesn't teach good computer hygiene,
it annoys them and confirms their impression that the IT people have
nothing better to do.

Hear, hear!

Hackers don't crack passwords anymore, they simply present a
socially-engineered URL for the already-authenticated user to click on
for a drive-by install of the backdoor/keylogger of his choice.

Jeff
