Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 10 Apr 2009 13:02:58 -0400
On Thu, 09 Apr 2009 12:49:12 EDT, Matthew Giannetto said:
> -Change every 120 days
I'll be a heretic and remind everybody to read Gene Spafford's very cogent comments regarding old threat models, and new threat models, and what attacks we *actually* see, and what password changes actually (don't) do to mitigate...

http://www.cerias.purdue.edu/site/blog/post/another-round-on-passwords/

(Unfortunately, some of the links to specific posts seem broken at the moment).

Password changes every N days don't stop phishes, keystroke loggers, and the like, and if the password is anywhere near sanely strong, it doesn't make a difference to brute forcing (unless the attacker has access to a high-speed (thousands or millions/sec) oracle for a "good" password - and if they do, you have *bigger* problems).

You'd probably be better off changing that 'min 8 chars' to 'min 12-14 chars' and heaving the mandatory change over the side.
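The brute-force argument in the message above, worked as a small model (an added example, not part of the original post): it compares the chance that a guessing attack succeeds with and without the 120-day change, for 8, 12 and 14 character passwords at several guess rates. The 95-character alphabet, uniformly random passwords and the three-year attacker horizon are assumptions introduced here.

```python
import math

ALPHABET = 95            # assumption: printable ASCII, passwords chosen uniformly at random
WINDOW_DAYS = 120        # rotation interval quoted in the thread
HORIZON_DAYS = 3 * 365   # assumption: the attacker keeps guessing for three years
SECONDS_PER_DAY = 86400


def keyspace(length, alphabet=ALPHABET):
    """Number of possible passwords of exactly this length."""
    return alphabet ** length


def p_static(length, guesses_per_sec, horizon_days=HORIZON_DAYS):
    """Chance the password is found when it never changes (no guess is repeated)."""
    guesses = guesses_per_sec * SECONDS_PER_DAY * horizon_days
    return min(1.0, guesses / keyspace(length))


def p_rotated(length, guesses_per_sec, window_days=WINDOW_DAYS,
              horizon_days=HORIZON_DAYS):
    """Chance that at least one rotated password is found inside its own window.

    Each change forces the attacker to restart, so every window is an
    independent trial with success probability per_window.
    """
    per_window = min(1.0, guesses_per_sec * SECONDS_PER_DAY * window_days
                     / keyspace(length))
    if per_window >= 1.0:
        return 1.0
    windows = horizon_days / window_days
    # 1 - (1 - p)^n, computed stably for very small p
    return -math.expm1(windows * math.log1p(-per_window))


def report():
    """Rows of (length, guesses/sec, P without rotation, P with rotation)."""
    return [(n, r, p_static(n, r), p_rotated(n, r))
            for n in (8, 12, 14) for r in (10, 1_000, 1_000_000)]


if __name__ == "__main__":
    print("len  guesses/s  P(no rotation)  P(120-day rotation)")
    for length, rate, ps, pr in report():
        print(f"{length:>3}  {rate:>9}  {ps:14.3e}  {pr:19.3e}")
```

Under these assumptions the two probability columns stay nearly identical at every rate, while moving from 8 to 12 characters lowers both by about eight orders of magnitude.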