Educause Security Discussion mailing list archives

Please do not change your password


From: Justin Sherenco <jsherenco () EMICH EDU>
Date: Wed, 14 Apr 2010 09:04:17 -0400

Hello,

I came across an interesting article on password changes.  Author Cormac
Herley of Microsoft makes a good case, albeit just a cost-benefit analysis.
I had to go back and think of why these types of policies were created in
the first place.  I came to my own conclusion that they were created
before the days of complex password (passphrase) enforcement and the
ability to automatically lock out accounts after X amount of failed log-in
attempts.



Do you think he can convince the auditors?






<http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full>



Regards,

Justin





-------------------------------------

Justin Sherenco

Security Analyst

734-487-8574

Eastern Michigan University

http://it.emich.edu/security





