Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Morrow Long <morrow.long () YALE EDU>
Date: Wed, 14 Apr 2010 09:13:01 -0400

Justin -- I heard about Cormac Herley's study on NPR last night:

        Study: Computer Security Measures Not All Worth It
        http://www.npr.org/templates/story/story.php?storyId=125914112

Morrow


On Apr 14, 2010, at 9:04 AM, Justin Sherenco wrote:

Hello,
I came across an interesting article on password changes.  Author
Cormac Herley of Microsoft makes a good case albeit just a cost-
benefit analysis.  I had to go back and think of why these types of
policies were created in the first place.  I came to my own
conclusion that they were created before the days of complex
password (passphrase) enforcement and the ability to automatically
lock out accounts after X amount of failed log-in attempts.

Do you think he can convince the auditors?


http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin


-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security




