Educause Security Discussion mailing list archives
Re: Please do not change your password
From: David LaPorte <david_laporte () HARVARD EDU>
Date: Wed, 14 Apr 2010 10:05:35 -0400
Enforcing long/complex passwords to "protect" them in the event of a password store compromise doesn't strike me as the right thing to do. A password store compromise is a serious event that requires an immediate password change by all involved. That threat is not addressed by overly strict password complexity or expiration controls. Moderation in both, balanced with reasonable lock-out strategies and good monitoring, seems a far better solution. It's much easier to find the reminders scattered about (on post-its, whiteboards, etc.) by poor users forced to contend with the onerous constraints placed upon them in the name of "security."

Dave

On 04/14/2010 9:54 AM, Doty, Timothy T. wrote:
You say that passwords are no longer cracked? Then read up on the compromise the Apache folks had where the database of (unsalted) hashed passwords was obtained by the hackers. That is only a single case, but it is very recent and IMO very relevant. Those 8-char passwords are little better than plain text in such a situation. If the bad guys "just worked around" passwords why would they care to obtain a hash list? The argument is short-sighted and misses the value of defense in depth.

Tim Doty
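The two points raised in this exchange, that an unsalted hash store is only marginally better than plain text and that moderate lock-out plus monitoring is the better control, can be shown side by side in code. The following is an added example written for this archive page; it is not code from either poster or from the Apache incident they mention. The user names, passwords, iteration count and lock-out thresholds are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample credentials (not from the thread). Two users share the
# same 8-character password on purpose, to show what an unsalted store leaks.
SAMPLE_USERS = {"alice": "Tr0ub4d!", "bob": "Tr0ub4d!", "carol": "c0rrectH"}

# Assumption: PBKDF2 iteration count chosen for current hardware.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Legacy scheme: one fast, unsalted hash. Identical passwords give identical
    hashes, so a stolen table can be matched against precomputed lists and
    duplicates are visible without any guessing at all."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated storage: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh random salt per user makes every record unique and unlinkable."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def duplicate_unsalted(users: Dict[str, str]) -> int:
    """How many users share a hash under the unsalted scheme (leaks password reuse)."""
    hashes = [unsalted_hash(p) for p in users.values()]
    return len(hashes) - len(set(hashes))


def duplicate_salted(users: Dict[str, str]) -> int:
    """Same check for the salted scheme: expected to be zero even with shared passwords."""
    digests = [make_record(p).split("$")[3] for p in users.values()]
    return len(digests) - len(set(digests))


class LoginThrottle:
    """Moderate lock-out with an audit trail: lock an account after `threshold`
    failures inside `window` seconds, for `lock_seconds`, and record every
    outcome so the monitoring side has something to alert on."""

    def __init__(self, threshold: int = 5, window: int = 900, lock_seconds: int = 900):
        self.threshold, self.window, self.lock_seconds = threshold, window, lock_seconds
        self.failures: Dict[str, List[int]] = {}      # user -> failure timestamps
        self.locked_until: Dict[str, int] = {}         # user -> unlock time
        self.events: List[Tuple[int, str, str]] = []   # (time, user, event) audit log

    def attempt(self, user: str, password: str, record: str, now: int) -> str:
        if self.locked_until.get(user, 0) > now:
            self.events.append((now, user, "locked"))
            return "locked"
        if verify(password, record):
            self.failures.pop(user, None)
            self.events.append((now, user, "success"))
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        self.events.append((now, user, "failure"))
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lock_seconds
            self.events.append((now, user, "lockout"))
            return "locked"
        return "denied"


if __name__ == "__main__":
    print("duplicate unsalted hashes:", duplicate_unsalted(SAMPLE_USERS))
    print("duplicate salted digests:", duplicate_salted(SAMPLE_USERS))
    rec = make_record(SAMPLE_USERS["alice"])
    throttle = LoginThrottle(threshold=3)
    for t, pw in [(0, "wrong1"), (1, "wrong2"), (2, "wrong3"), (3, SAMPLE_USERS["alice"])]:
        print(t, throttle.attempt("alice", pw, rec, t))
```

The salted store removes the linkability that makes a stolen unsalted table so cheap to work with, and the iteration count makes each guess cost real time; the throttle keeps the online side moderate (a short window and a short lock) while the `events` list gives monitoring a record of failures and lockouts to act on, which is the balance Dave argues for.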