Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Thu, 3 Apr 2014 08:44:44 -0500
Many of us (myself included) commit various "password re-use" sins. (Attention (ISC)2: if you need evidence for relieving me of my infosec certification, here it is.)

Look, from a practical point of view: I have been using some version of the Internet since before the Internet per se existed (from that you may correctly infer that I am a Dinosaur). For all of that time, various entities have been requiring login/password combos to access both significantly sensitive, secret or confidential ... and also trivial ... data and functionality. I have had to create 100's (maybe even >1000) of login/password combos in my lifetime, and probably currently still have ~75 that are in some sense "active." Never mind all the abandoned or "changed" ones from decades past that are probably stored insecurely Heaven-only-knows-where.

As a mere human -- I do not possess either the creativity or the memory capacity to create and remember that many different login/password combos, AND to remember if/when I may be re-using something I already used somewhere years or decades ago. So I cheat. I have some relatively simple algorithms for creating login/password combos that exist only in my head, but I have no illusions about those algorithms being so complex that they couldn't easily be derived if some malicious actor had a few examples of them to work with. As I get older, my "cheating" is getting less and less complicated and probably more and more obvious.

The reason I am only mildly concerned about this is because if a login/password (which is, after all, only single, not multi-factor authentication) is the only thing standing between me and some nefarious data thief ... I figure I'm already s****ed and probably shouldn't be using that site / service at all.

Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
rginzberg () uwsa edu
608-890-3961

----- Original Message -----
From: "Roger A Safian" <r-safian () NORTHWESTERN EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Thursday, April 3, 2014 8:20:36 AM
Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security Awareness Programs
> Unless you are "lucky" and the exposure happens just prior to password expiration, you're comfortable waiting probably months until expiration for the users to change their password?
I think you're making the assumption that the passwords are synced, and the compromise of the remote service all happen around the same time. As you have seen from the many compromised password files published, these compromises often happen years after the fact, so in many cases the passwords would have been changed multiple times. In fact, after speaking to many of our users that fall into this category, more often than not they are no longer using the service that stored the compromised password any more. Make no mistake, password changes are not the solution, but, they can be an effective tool to mitigate risk of your passwords on remote systems.
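The argument in the reply above (a reused password captured from a remote service is only dangerous locally until the next scheduled change, and breach disclosures often lag the compromise by years) can be put into a small model. The following is an added illustration, not code from the list or from either author; the rotation model and the sample disclosure lags are constructed assumptions, chosen only to show how the rotation period and the disclosure lag together determine how much of a leaked, reused set of passwords is still live when the breach becomes known.

```python
"""Toy model of password rotation as a bound on the exposure window of a
reused password (added illustration; not code from the mailing list).

Model assumptions (constructed for this example):
  * a credential is captured from a remote service on `leak_day`;
  * the same password is reused on a local account that rotates every
    `rotation_days`, with changes at last_change_day + k * rotation_days;
  * the breach is only discovered, and the user told to change it, on
    `discovery_day`.
The captured value is still usable against the local account only if
discovery happens before the next scheduled rotation.
"""


def still_valid(leak_day: int, discovery_day: int, rotation_days: int,
                last_change_day: int = 0) -> bool:
    """True if a password leaked on leak_day is still in use on discovery_day."""
    if rotation_days <= 0:
        # No expiration policy: a leaked password stays valid indefinitely.
        return True
    # Days into the current rotation cycle when the leak happened.
    elapsed = (leak_day - last_change_day) % rotation_days
    next_rotation = leak_day + (rotation_days - elapsed)
    return discovery_day < next_rotation


def fraction_still_valid(lags_days, rotation_days: int) -> float:
    """Expected share of leaked credentials still live at discovery.

    Averages over every possible point in the rotation cycle at which
    the leak could have occurred, for each disclosure lag in lags_days.
    """
    if rotation_days <= 0:
        return 1.0
    hits = total = 0
    for lag in lags_days:
        for phase in range(rotation_days):
            # Leak occurred `phase` days after the most recent change.
            if still_valid(phase, phase + lag, rotation_days, last_change_day=0):
                hits += 1
            total += 1
    return hits / total


# Constructed sample: days between a remote compromise and its public
# disclosure for six hypothetical breaches (two quick, four multi-year).
SAMPLE_LAGS_DAYS = [30, 90, 400, 800, 1200, 2000]


def exposure_table(lags_days=SAMPLE_LAGS_DAYS, rotations=(0, 365, 90)):
    """Map each rotation period (0 = never expire) to the live fraction."""
    return {r: fraction_still_valid(lags_days, r) for r in rotations}


if __name__ == "__main__":
    for rotation, share in exposure_table().items():
        label = "never" if rotation == 0 else f"every {rotation} days"
        print(f"rotate {label:>14}: {share:.1%} of leaked passwords still live at disclosure")
```

The model makes the reply's point visible in numbers: with no expiration every leaked password is still live at disclosure, while any rotation period shorter than the typical disclosure lag leaves only the quickly-disclosed breaches (the 30- and 90-day lags in the constructed sample) contributing live credentials. It also shows the limit of the mitigation that the reply acknowledges: rotation does nothing for the window between capture and the next change, which is why it is a risk reducer rather than a solution.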