Re: Password Complexity and Aging

[Ryan Fox <rfox () FINDLAY EDU>]

Doug Markiewicz wrote:
> This assumes brute force attacks are the only reason to implement
> password expiration. Another argument for password expiration is the
> notion that, over time, passwords get revealed unknowingly and
> periodic changing helps to mitigate the misuse of those passwords. For
> example, a user might accidentally type their password into the
> username field which could have the side effect of logging that
> password. Granted changing your password 30 days from that point won't
> stop misuse immediately, but its perhaps a reasonable control? Maybe
> not. It's an argument we tossed around though.

Thanks for noting that.  I completely forgot about that line of
reasoning in my post.

For us, we evaluated that and determined that we _should_ be catching
compromised accounts by other means, and the convenience of not expiring
passwords outweighed the additional security.  But everyone should
definitely make that determination for themselves.

Thanks,
Ryan

Attachment: rfox.vcf
Description: