Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 10 Apr 2009 13:02:58 -0400

On Thu, 09 Apr 2009 12:49:12 EDT, Matthew Giannetto said:

-Change every 120 days

I'll be a heretic and remind everybody to read Gene Spafford's very cogent
comments regarding old threat models, and new threat models, and what attacks
we *actually* see, and what password changes actually (don't) do to mitigate...

http://www.cerias.purdue.edu/site/blog/post/another-round-on-passwords/

(Unfortunately, some of the links to specific posts seem broken at the moment).

Password changes every N days don't stop phishes, keystroke loggers, and the
like, and if the password is anywhere near sanely strong, it doesn't make
a difference to brute forcing (unless the attacker has access to a high-speed
(thousands or millions/sec) oracle for a "good" password - and if they do, you
have *bigger* problems).

You'd probably be better off changing that 'min 8 chars' to 'min 12-14 chars'
and heaving the mandatory change over the side.
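The guess-rate argument in the reply above, worked through as an added example (not code from the original post or the list): a toy model of what a 120-day change does to the yearly chance of compromise, compared with going from 8 to 12 characters. The alphabet size, guess rates and the uniform-random-password assumption are mine, not the poster's.

```python
"""Added example: a back-of-the-envelope model of the claim that a forced
change every N days buys little against guessing unless the attacker has a
very fast oracle, whereas extra length does.  Assumptions (mine): passwords
are uniformly random over a 72-symbol alphabet (a-z, A-Z, 0-9 and ten
punctuation marks), the attacker guesses at a constant rate, and a change
discards any partial search of the previous password."""
from math import log2

ALPHABET = 72          # assumed character set size
SECONDS_PER_DAY = 86_400


def keyspace_bits(length: int, alphabet: int = ALPHABET) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * log2(alphabet)


def fraction_searched(length: int, guesses_per_sec: float, days: float,
                      alphabet: int = ALPHABET) -> float:
    """Share of the keyspace an attacker covers in `days` at `guesses_per_sec`.
    For a uniformly random password this equals the probability of finding it
    before the window closes; it saturates at 1.0 once the space is exhausted."""
    guesses = guesses_per_sec * days * SECONDS_PER_DAY
    return min(1.0, guesses / alphabet ** length)


def yearly_compromise_probability(length: int, guesses_per_sec: float,
                                  rotation_days: float,
                                  alphabet: int = ALPHABET) -> float:
    """Probability that at least one password is found in a year when the
    password is replaced every `rotation_days` days (365 means no rotation).
    Each window is an independent trial because the change resets the search."""
    windows = 365 / rotation_days
    p = fraction_searched(length, guesses_per_sec, rotation_days, alphabet)
    return 1 - (1 - p) ** windows


if __name__ == "__main__":
    # Assumed rates: a throttled online login vs. offline cracking of a stolen hash.
    for rate, label in ((1e3, "online, throttled"), (1e9, "offline hash cracking")):
        for length in (8, 12):
            rotated = yearly_compromise_probability(length, rate, 120)
            never = yearly_compromise_probability(length, rate, 365)
            print(f"{label:>22} {rate:>8.0e}/s, {length:2d} chars "
                  f"({keyspace_bits(length):.1f} bits): "
                  f"rotate@120d={rotated:.2e}  never={never:.2e}")
```

For every rate that does not exhaust the space within one window, the rotated and never-rotated columns agree to several digits, because resetting the search does not change the total number of guesses the attacker gets per year. Rotation only changes the outcome once the attacker covers a large fraction of the space inside a single window, and at that point four more characters (about 25 more bits here) do far more than any calendar rule.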


