Educause Security Discussion mailing list archives
Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Von Welch <von () VONWELCH COM>
Date: Wed, 2 Apr 2014 18:17:13 -0400
I believe one of the benefits of changing the password is that it's not uncommon for web services to use an email address as a user name. If a user uses our address, and their associated password, and later that web service gets compromised, there is a decent chance when the hashes are dumped that they will have had to change our password and will no longer sync them.
I believe I understand this threat (your users may reuse their passwords elsewhere and get them exposed there) but I don’t understand how having password expiration helps address it. Unless you are “lucky” and the exposure happens just prior to password expiration, you’re comfortable waiting probably months until expiration for the users to change their password? Wouldn’t a better solution, assuming the compromised DB is published, be to see that a user account with one of your email addresses has been exposed and to force a password change in real time? Even if the password DB isn’t published and you can’t see the compromised account, the only way password expiration seems to help is if the bad guy sits on the compromised password until after expiration to use it. In short, password expiration just seems too slow to be effective in Internet time scales.

Von

On Apr 2, 2014, at 5:23 PM, Shane Williams <shanew () ISCHOOL UTEXAS EDU> wrote:
I've recently had this discussion with our faculty, and this was the point I kept making, all the while referring to the "mass password exposure" of the week. Unfortunately, almost no articles or blogs from before 2012 make any mention of this threat, much less academic papers (where faculty place more trust). Admittedly, the incidence of mass exposures pre-2012 wasn't what it is today, but I'm surprised that even now very few "experts" talk about this particular risk.

On Wed, 2 Apr 2014, Roger A Safian wrote:

--
Shane Williams
Senior Information Technology Manager
School of Information, University of Texas at Austin
shanew () ischool utexas edu - 512-471-9471
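The alternative Von describes (watch published dumps for your own addresses and force a reset immediately, rather than waiting for the rotation clock) is easy to mechanise. The script below is an added example, not code from anyone on this thread: it matches a constructed excerpt of a published "email:hash" dump against a constructed local account list for an assumed domain (example.edu), returns the accounts that need an immediate forced reset, and, for each, computes how many days an assumed 180-day expiration policy alone would have left the exposed password valid. Domain, rotation period, account data and dump lines are all assumptions made up for the example.

```python
"""Added example: match a published credential dump against institutional
accounts and decide who needs an immediate password reset. All names,
dates, hashes and policy values below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

INSTITUTION_DOMAIN = "example.edu"          # assumption: our mail domain
MAX_PASSWORD_AGE = timedelta(days=180)      # assumption: 180-day rotation policy


@dataclass
class Account:
    email: str
    last_password_change: date


# Constructed local directory of accounts and their last password change.
ACCOUNTS = [
    Account("alice@example.edu", date(2014, 1, 15)),
    Account("bob@example.edu", date(2013, 10, 20)),
    Account("carol@example.edu", date(2014, 3, 30)),
]

# Constructed excerpt of a published dump: one "email:hash" record per line.
# Mixed case and a malformed line are included to show the parser copes.
DUMP_LINES = """
alice@example.edu:5f4dcc3b5aa765d61d8327deb882cf99
mallory@other.example:098f6bcd4621d373cade4e832627b4f6
BOB@Example.EDU:e99a18c428cb38d5f260853678922e03
not a valid line
"""


def exposed_addresses(dump_text, domain):
    """Return the dump's addresses in our domain, normalised to lower case."""
    found = set()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue                      # skip lines that are not email:hash
        email = line.split(":", 1)[0].strip().lower()
        if email.endswith("@" + domain.lower()):
            found.add(email)
    return found


def accounts_to_reset(accounts, exposed):
    """Accounts whose address appears in the dump: force a reset now."""
    return [a for a in accounts if a.email.lower() in exposed]


def days_until_expiration_forces_change(account, exposure_date, max_age):
    """Days after the exposure that an expiration-only policy would leave
    the exposed password usable (0 if it was already due for rotation)."""
    expires = account.last_password_change + max_age
    return max((expires - exposure_date).days, 0)


def reset_report(accounts, dump_text, domain, exposure_date, max_age):
    """Map each exposed account to the days an attacker would have had
    under expiration alone, versus 0 days with an immediate forced reset."""
    exposed = exposed_addresses(dump_text, domain)
    return {
        a.email: days_until_expiration_forces_change(a, exposure_date, max_age)
        for a in accounts_to_reset(accounts, exposed)
    }


if __name__ == "__main__":
    # Constructed exposure date matching the thread's timeframe.
    report = reset_report(ACCOUNTS, DUMP_LINES, INSTITUTION_DOMAIN,
                          date(2014, 4, 2), MAX_PASSWORD_AGE)
    for email, days in report.items():
        print(f"{email}: force reset now; expiration alone would allow {days} more days")
```

The report makes Von's point concrete: a dump published on 2 April 2014 leaves alice's password valid for another 103 days under the 180-day policy, while bob's would survive another 16 days, and carol (not in the dump) is left alone. A real deployment would feed in the actual dump files and the directory's real password-change timestamps.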