Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Shane Williams <shanew () ISCHOOL UTEXAS EDU>
Date: Thu, 3 Apr 2014 10:45:17 -0500
On Thu, 3 Apr 2014, Von Welch wrote:
Roger, I think you are making the same argument Shane made which is over a long enough time, you start reducing your risk as only the most recent sites (since the last forced password change) the user has created accounts at have the same password as your local site. I'll give you a different reason for being skeptical than I gave Shane - given a user who is using the same password ubiquitously, are new passwords going to be meaningfully different enough you can rely on that difference or is the speed bump for the attacker small in that the user is just changing 'password123' to 'password234'?
As I mentioned in a previous post, password expiration is only meaningful in combination with other checks, and similarity checking is definitely one of them (I mentioned others in a previous post). Even without it though, I would speculate that people using mass exposure lists get enough "hits" with the plain list that they're not as interested in retrying too many combinations of the "misses".
I don't argue they have some effect. I'm questioning if they are the most effective alternative (education on password managers being my favorite), and if the usability trade-off is worth it.
As Roger pointed out, I think we all agree that passwords are disastrously broken at this point, and until MFA (or some other solution) reaches the point where it's usable and affordable (to all), most of us are like security MacGyvers doing our best with chewing gum and baling wire to keep things limping along. As such, I don't see expiration and password managers as an either/or choice; I'll take whatever tools help.
(And yes, I concede this is all a subjective argument as I know of no hard data.)
This was one of the struggles I had with faculty, and in particular explaining that it was often impossible to determine the method by which an account's credentials were obtained. It's not like we can just survey the attackers (or trust their responses even if we could). Just one of many reasons there's not a lot of hard data on this topic.
--
Shane Williams
Senior Information Technology Manager
School of Information, University of Texas at Austin
shanew () ischool utexas edu - 512-471-9471
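The similarity check Shane refers to, as an added example written for this archive page (not code from the list or from any poster): it rejects a new password that differs from the old one only by case, containment, trailing digits, or a handful of edits, so a 'password123' to 'password234' change is caught at the change form. The edit-distance threshold and the trailing-digit rule are assumptions, not anything the thread specifies.

```python
import re
from typing import Optional


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def strip_trailing_digits(s: str) -> str:
    """Drop a trailing run of digits so 'password123' and 'password234' share a stem."""
    return re.sub(r"\d+$", "", s)


def too_similar(old: str, new: str, min_distance: int = 4) -> Optional[str]:
    """Return the reason the new password is too close to the old one, or None if it passes.

    Comparison is case-insensitive; min_distance (assumed value 4) is the
    minimum number of edits required between the two passwords.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return "new password equals old password (ignoring case)"
    if o in n or n in o:
        return "one password contains the other"
    if strip_trailing_digits(o) == strip_trailing_digits(n):
        return "only the trailing digits changed"
    if edit_distance(o, n) < min_distance:
        return f"fewer than {min_distance} edits apart"
    return None


if __name__ == "__main__":
    # Constructed sample changes, the first taken from the thread's own example.
    for old, new in [("password123", "password234"),
                     ("password123", "Password123!"),
                     ("password123", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {too_similar(old, new) or 'accepted'}")
```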