Educause Security Discussion mailing list archives
Re: Password policy
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 1 Nov 2006 21:30:52 -0500
Geoff Nathan wrote:
But seriously, who's going to try to break into Professor Snerdwell's e-mail account with a dictionary attack? And unless we're worried about month-long sustained attacks, frequent password changes are just annoying without buying additional security. Making people change their passwords every ninety days doesn't teach good computer hygiene, it annoys them and confirms their impression that the IT people have nothing better to do.
Hear, hear! Hackers don't crack passwords anymore, they simply present a socially-engineered URL for the already-authenticated user to click on for a drive-by install of the backdoor/keylogger of his choice.
Jeff