Educause Security Discussion mailing list archives

Re: Password change *recommended* -- RESULTS?


From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 23 Apr 2014 21:04:40 -0500

OK, but whether the password change interval is the recommended 90-day one (which suggests an average time to expiry of 45 
days) or our miserable, but user-appreciated, 365 days, that still leaves the bad guys a typical window of weeks to 
months to use any password they obtained via the bug.

This is like the "fight" I continually have with some of the web form service providers used by phishers.  Some take a 
day or so to act on my abuse reports while a few respond in minutes.  Which ones continue to be successfully used by 
phishers?

Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    
https://urldefense.proofpoint.com/v1/url?u=https://it.usu.edu/computer-security/computer-security-threats/articleID%3D23737&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=m3a7zui%2BIivnv6HgoEbi9Ak%2BfxH6by%2FnMADg6n%2Broa0%3D%0A&m=UJMgPP4pkcov8ZXfiV3OOm413tMoE2kkp0c6mWJc7Ew%3D%0A&s=8eb25e8d86943362e95dec0a174afa17825820fb01eb2af4e2b338abb489c77f

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Jones, Dan J. 
[djjones () WPI EDU]
Sent: Wednesday, April 16, 2014 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?

In a way, the Heartbleed bug is a cause célèbre for password expiry. Instead of incurring the risk of service 
disruptions around a forced password change, and assuming people never voluntarily change passwords, you can just allow 
the small risk of passwords having been grabbed to diminish over the course of the next PW change interval.

___________________________
Dan Jones
Information Security Analyst
Worcester Polytechnic Institute

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Pedersen, Krystal
Sent: Wednesday, April 16, 2014 8:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change *recommended* -- RESULTS?

Hello Everyone – I was looking to get an idea of how successful a recommended password-change broadcast (to the 
entire school population) is. Perhaps a percentage, such as: last time we sent out a broadcast recommending a password 
change, with instructions on how to change your password, less than 1% of passwords were actually changed?

Thanks!

Krystal Pedersen, CISA
Information Technology<https://urldefense.proofpoint.com/v1/url?u=http://inside.umassmed.edu/is/index.aspx&k=7DHVT22D9IhC0F3WohFMBA%3D%3D%0A&r=m3a7zui%2BIivnv6HgoEbi9Ak%2BfxH6by%2FnMADg6n%2Broa0%3D%0A&m=UJMgPP4pkcov8ZXfiV3OOm413tMoE2kkp0c6mWJc7Ew%3D%0A&s=a8856fe1eaa886a75469116fc6fea69163bf249a6165ee6aa188ff504ec40b93>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu<mailto:krystal.pedersen () umassmed edu>

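The two numbers this thread turns on, the share of users who actually act on a *recommended* change (Krystal's question) and how long a leaked password stays usable under a given expiry interval (Bob's and Dan's exchange), can both be read off the same per-account password-change history. The script below is an added example and is not part of the list thread or anyone's posted code. It assumes a per-account list of password-change dates of the kind you would export from a directory (for instance Active Directory's pwdLastSet, or an identity-management audit log); the eight accounts, the leak date of 7 April 2014 (Heartbleed's public disclosure) and the broadcast date two days later are constructed for illustration. It goes slightly beyond the thread by also modelling voluntary changes observed after the leak, not only forced expiry.

```python
from datetime import date, timedelta

# Constructed sample, not real data: account -> password-change dates, oldest first.
# In practice this comes from a directory export (e.g. a pwdLastSet history) or an
# identity-management audit log.
PASSWORD_CHANGES = {
    "alice": [date(2014, 1, 20)],
    "bob":   [date(2014, 2, 14), date(2014, 4, 11)],  # changed two days after the broadcast
    "carol": [date(2014, 3, 1)],
    "dave":  [date(2014, 3, 30)],
    "erin":  [date(2013, 11, 5)],
    "frank": [date(2014, 4, 5), date(2014, 4, 16)],   # changed a week after the broadcast
    "grace": [date(2014, 4, 1)],
    "heidi": [date(2013, 12, 15), date(2014, 4, 20)], # changed, but after the 7-day window
}

LEAK_DATE = date(2014, 4, 7)       # Heartbleed public disclosure
BROADCAST_DATE = date(2014, 4, 9)  # assumed: the day the "please change your password" mail went out


def password_set_on(changes, when):
    """Date the password in effect on `when` was set, or None if the account had none yet."""
    in_effect = [d for d in changes if d <= when]
    return max(in_effect) if in_effect else None


def uptake(changes_by_account, broadcast, window_days):
    """Fraction of accounts that changed their password within window_days after the broadcast.

    This is the measurable effect of a *recommended* (not forced) change.
    """
    end = broadcast + timedelta(days=window_days)
    changed = sum(
        1 for changes in changes_by_account.values()
        if any(broadcast < d <= end for d in changes)
    )
    return changed / len(changes_by_account)


def still_valid(changes_by_account, leak, interval_days, days_after):
    """Fraction of passwords in effect on `leak` that are still in use `days_after` days later.

    A password survives if it has not reached forced expiry (set date + interval_days)
    and the account shows no change after the leak. Passwords already past expiry on
    the leak date are treated as rotated immediately, i.e. not counted as still valid.
    """
    check = leak + timedelta(days=days_after)
    total = alive = 0
    for changes in changes_by_account.values():
        set_on = password_set_on(changes, leak)
        if set_on is None:
            continue
        total += 1
        expiry = set_on + timedelta(days=interval_days)
        changed_since_leak = any(leak < d <= check for d in changes)
        if expiry > check and not changed_since_leak:
            alive += 1
    return alive / total


def mean_residual_days(changes_by_account, leak, interval_days):
    """Average days from the leak until forced expiry, ignoring voluntary changes.

    With set dates spread evenly across the interval this lands near interval_days / 2,
    the "45 days out of 90" figure quoted in the thread.
    """
    residuals = []
    for changes in changes_by_account.values():
        set_on = password_set_on(changes, leak)
        if set_on is None:
            continue
        expiry = set_on + timedelta(days=interval_days)
        residuals.append(max(0, (expiry - leak).days))
    return sum(residuals) / len(residuals)


if __name__ == "__main__":
    for window in (7, 30):
        pct = uptake(PASSWORD_CHANGES, BROADCAST_DATE, window)
        print(f"changed within {window:>2} days of the broadcast: {pct:.1%}")
    for interval in (90, 365):
        alive = still_valid(PASSWORD_CHANGES, LEAK_DATE, interval, 30)
        window = mean_residual_days(PASSWORD_CHANGES, LEAK_DATE, interval)
        print(f"{interval}-day expiry: {alive:.1%} of leaked passwords still usable after 30 days; "
              f"mean window to forced expiry {window:.1f} days")
```

Run against a real export, the first loop answers the "what percentage actually changed" question directly, and the second shows why the expiry interval alone leaves a window of weeks to months: with the constructed data a 90-day policy still leaves 37.5% of the leaked passwords usable a month after disclosure, and a 365-day policy 62.5%.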