Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: "Barros, Jacob" <jkbarros () GRACE EDU>
Date: Mon, 13 Apr 2009 08:54:04 -0400

I agree with Roger.  Password aging doesn't seem to work for us.  If I
were to reinstate a mandatory password change every 90 days, 3M's stock
price would spike from the increase in Post-It note usage.  Hopefully
they would remember to hide it under their keyboard.

Jacob Barros
Network Administrator
Grace College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger Safian
Sent: Friday, April 10, 2009 2:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Complexity and Aging

At 12:02 PM 4/10/2009, Valdis Kletnieks put fingers to keyboard and wrote:
> On Thu, 09 Apr 2009 12:49:12 EDT, Matthew Giannetto said:
>
> > -Change every 120 days
>
> I'll be a heretic and remind everybody to read Gene Spafford's very cogent
> comments regarding old threat models, and new threat models, and what attacks
> we *actually* see, and what password changes actually (don't) do to
> mitigate...

This is basically, IMHO, a religious debate.  There's no right or wrong answer.
Password aging has its uses.  Password length and complexity have their uses
as well.  The problem becomes balancing the security needs of your organization
against the threats you face.


-- 
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 467-6437   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
