Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Wed, 23 Apr 2014 21:03:45 -0500

Good morning!

Brady asked:

#Except in the case of an incident where passwords may have been leaked or 
#otherwise compromised, in which case it seems it would be a required 
#change and just not recommended, I'm curious as to the thoughts of those 
#here on why you would enforce periodic password changes on users.  

I outlined a few reasons in an NWACC talk on passwords that you can find
at http://pages.uoregon.edu/joe/passwords/passwords.pdf (section 4 talks
about the password change issue)

That said, the fundamental problem is that at this stage of the game,
plain old passwords just aren't good enough anymore -- yet we still 
don't see ubiquitous deployment of multifactor on most campuses. Why? 

I attempted to discuss some of the reasons that people may have 
*historically* had, and why they may no longer be applicable, in a 
talk I did last week in Denver at the Internet2 Global Summit; see 
http://pages.uoregon.edu/joe/global-summit-mfa/global-summit-mfa.pdf

If you all are not doing multifactor, did I catch the reason(s) why 
in those slides? If I missed a fundamental reason, I'd love to hear 
about/understand it better. 

Do we all just secretly love passwords for some sort of weird cultural 
reasons? :-;

Regards,

Joe

