Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Chris Green <chrisgreen () GSU EDU>
Date: Thu, 3 Apr 2014 19:28:07 +0000
On Apr 3, 2014, at 11:16 AM, Roger A Safian <r-safian () northwestern edu> wrote:
And in another couple of months that will all happen again. Personally I think that forced frequent password changes do more harm than good.
One other parameter to consider: Windows systems by default in AD cache the last 10 credential pairs for network not-available scenarios. These can be attacked. Expiring passwords (and reducing the count) helps minimize collateral damage. There are better controls for password management for this issue but letting a single auth on a forgotten device expose you to forever risk is the use-case that made me pro-expiration (and privileged account management expire after use). Unfortunately, the Windows-ish way to deal with this risk was smart cards.