Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 23 Apr 2014 18:29:47 -0500
OK, but whether the password change interval is the recommended 90 days (which suggests an average time to expiry of 45 days) or our miserable, but user-appreciated 365 days, that still leaves the bad guys a typical window of weeks to months to use any password they obtained via the bug. This is like the "fight" I continually have with some of the web form service providers used by phishers. Some take a day or so to act on my abuse reports while a few respond in minutes. Which ones continue to be successfully used by phishers?

Bob Bayn SER 301 (435)797-2396
IT Security Team
Office of Information Technology, Utah State University
Do you know the "Skeptical Hover Technique" and how to tell where a web link really goes? See: https://urldefense.proofpoint.com/v1/url?u=https://it.usu.edu/computer-security/computer-security-threats/articleID%3D23737&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=yppbvsV1vRTy%2FrjhLIIxm488RCwdY6q%2B9kaVJLSs%2B%2F0%3D%0A&m=VLVG9689T2TPJKKsemdFZXKY1KS595%2FbCNqLuvlLAy0%3D%0A&s=c02130e19028bf23534434cab0a3ebd0b5c42bc6f0de7e822e2bf9e376a83587

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Jones, Dan J. [djjones () WPI EDU]
Sent: Wednesday, April 16, 2014 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

In a way, the HeartBleed bug is a cause celebre for password expiry. Instead of incurring the risk of service disruptions around a forced password change, and assuming people never voluntarily change passwords, you can just allow the small risk of passwords being grabbed to diminish over the course of the next PW change interval.

___________________________
Dan Jones
Information Security Analyst
Worcester Polytechnic Institute

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pedersen, Krystal
Sent: Wednesday, April 16, 2014 8:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change *recommended* -- RESULTS?

Hello Everyone –

I was looking to get an idea as to how successful a recommended password change broadcast is (to the entire school population)? Perhaps a percentage, such as -- last time we sent a broadcast out recommending a password change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology<https://urldefense.proofpoint.com/v1/url?u=http://inside.umassmed.edu/is/index.aspx&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=yppbvsV1vRTy%2FrjhLIIxm488RCwdY6q%2B9kaVJLSs%2B%2F0%3D%0A&m=VLVG9689T2TPJKKsemdFZXKY1KS595%2FbCNqLuvlLAy0%3D%0A&s=5a7d270c325c368d307f20afce67040ca115fa92ff22369f323e7d8e1f7b557c>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu<mailto:krystal.pedersen () umassmed edu>