Re: Password expiration - was Re: [SECURITY] Security Awareness Programs

["Flynn, Gary - flynngn" <flynngn () JMU EDU>]

I think extending password expiration times to 180-360 days or eliminating
them entirely would help motivate people to accept multi-factor
authentication.

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Von Welch
> Sent: Thursday, April 03, 2014 10:45 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security
> Awareness Programs
>
> > That being said, I'm pinning my hopes on multi-factor authentication.
>
> Every multi-factor I've seen in wide use today is password plus something.
>
> Do password policies go away if there is a additional factor?
>
> Von
>
> On Apr 3, 2014, at 8:50 AM, Roger A Safian <r-safian () NORTHWESTERN EDU>
> wrote:
>
> > > Ultimately, I'm not finding the benefit strong enough to move me from
> > > my core belief that it's not worth the usability trade-off and we
> > > should instead be focusing energy getting users to use password
> > > managers. But I admit that's subjective.
> >
> > I'm not sure that password managers will take off.  The whole password
> system is little more than an annoyance to most users, and until that
> changes, we're just expending a lot of energy, mostly needlessly.   That
being
> said, I'm pinning my hopes on multi-factor authentication.  Maybe one of
us
> will get lucky.

Attachment: smime.p7s
Description: