Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Rich Graves <rgraves () CARLETON EDU>
Date: Thu, 3 Apr 2014 12:42:20 -0500

Ideally, what I'd like is technology clearly showing users how and where passwords have been used, a policy mandating 
that they review that information periodically, and multi-factor authentication where it makes sense. It would be nice 
to add some security awareness training at the same time. After reviewing their login history and awareness materials, 
perhaps the user will decide that their password should be changed, but I wouldn't force them to.

"1.5 factor" persistent browser cookies and device-specific credentials (perhaps being standardized as UMA, but it has 
been and remains a long road) are adequate against current phishing, exposure, and disclosure threats.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin

