Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Von Welch <von () VONWELCH COM>
Date: Thu, 3 Apr 2014 10:42:39 -0400
Roger, I think you are making the same argument Shane made, which is that over a long enough time you start reducing your risk, as only the most recent sites (since the last forced password change) the user has created accounts at have the same password as your local site. I’ll give you a different reason for being skeptical than I gave Shane: given a user who is using the same password ubiquitously, are new passwords going to be meaningfully different enough that you can rely on that difference, or is the speed bump for the attacker small in that the user is just changing ‘password123’ to ‘password234’?
> Make no mistake, password changes are not the solution, but, they can be an effective tool to mitigate risk of your passwords on remote systems.

I don’t argue they have some effect. I’m questioning if they are the most effective alternative (education on password managers being my favorite), and if the usability trade-off is worth it. (And yes, I concede this is all a subjective argument as I know of no hard data.) I’m also finding the question if password management is fundamentally different if you are the origin of the user’s email address (and presumed widely used account name) interesting.

Von

On Apr 3, 2014, at 9:20 AM, Roger A Safian <r-safian () NORTHWESTERN EDU> wrote:

> > Unless you are "lucky" and the exposure happens just prior to password expiration, you're comfortable waiting probably months until expiration for the users to change their password?
>
> I think you're making the assumption that the passwords are synced, and the compromise of the remote service all happen around the same time. As you have seen from the many compromised password files published, these compromises often happen years after the fact, so in many cases the passwords would have been changed multiple times. In fact, after speaking to many of our users that fall into this category, more often than not they are no longer using the service that stored the compromised password any more. Make no mistake, password changes are not the solution, but, they can be an effective tool to mitigate risk of your passwords on remote systems.