Educause Security Discussion mailing list archives

Re: Please do not change your password


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Wed, 14 Apr 2010 09:36:07 -0400

No, he cannot convince the auditors. As was previously stated, the paper really deals with consumer accounts, not 
institutions. Furthermore, if your organization failed to put in place an accepted, standard control and then you have 
a PII breach as a result of the absence of the control, I'd imagine your liability would be significantly higher. 
That's just a guess though.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin 
Sherenco
Sent: Wednesday, April 14, 2010 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Please do not change your password

Hello,
I came across an interesting article on password changes.  Author Cormac Herley of Microsoft makes a good case albeit 
just a cost-benefit analysis.  I had to go back and think of why these types of policies were created in the first 
place.  I came to my own conclusion that they were created before the days of complex password (passphrase) enforcement 
and the ability to automatically lock out accounts after X amount of failed log-in attempts.

Do you think he can convince the auditors?


http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Regards,
Justin


-------------------------------------
Justin Sherenco
Security Analyst
734-487-8574
Eastern Michigan University
http://it.emich.edu/security
