Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Wed, 16 Apr 2014 07:39:01 -0700

Good morning!

Brady asked:

#Except in the case of an incident where passwords may have been leaked or 
#otherwise compromised, in which case it seems it would be a required 
#change and just not recommended, I'm curious to the thoughts of those 
#here on why you would enforce periodic password changes on users.  

I outlined a few reasons in an NWACC talk on passwords that you can find
at http://pages.uoregon.edu/joe/passwords/passwords.pdf (section 4 talks
about the password change issue)

That said, the fundamental problem is that at this stage of the game,
plain old passwords just aren't good enough anymore -- yet we still 
don't see ubiquitous deployment of multifactor on most campuses. Why? 

I attempted to discuss some of the reasons that people may have 
*historically* had, and why they may no longer be applicable, in a 
talk I did last week in Denver at the Internet2 Global Summit; see 
http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf

If you all are not doing multifactor, did I catch the reason(s) why 
in those slides? If I missed a fundamental reason, I'd love to hear 
about/understand it better. 

Do we all just secretly love passwords for some sort of weird cultural 
reasons? :-;

Regards,

Joe

