Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 3 Apr 2014 13:20:36 +0000
Unless you are "lucky" and the exposure happens just prior to password expiration, you're comfortable waiting probably months until expiration for the users to change their password?
I think you're making the assumption that the passwords are synced, and the compromise of the remote service all happen around the same time. As you have seen from the many compromised password files published, these compromises often happen years after the fact, so in many cases the passwords would have been changed multiple times. In fact, after speaking to many of our users that fall into this category, more often than not they are no longer using the service that stored the compromised password any more. Make no mistake, password changes are not the solution, but they can be an effective tool to mitigate risk of your passwords on remote systems.